It’s time for a public–private partnership in national security
24 Jul 2019|

Corporations already protect their assets and functions. However, considering business capabilities as part of our national security capabilities isn’t normally a factor in corporate planning.

In a new report released today, From board room to situation room: why corporate security is national security, I and my co-authors, Donald Williams and Rhys De Wilde, argue that Australia’s approach to national security planning should now include the private sector. Our corporate sector should be understood as a key component of our deterrent posture against a range of threats.

Attacks on the private sector are a feature of what Elisabeth Braw, the director of the Modern Deterrence project at British think tank RUSI, calls blended aggression, which ranges from economic coercion to cyberattacks and irregular warfare by proxies designed to undermine trust in the state. As such attacks are likely to be directed towards private-sector assets, business owners and operators should be recognised as central to this country’s security.

Economic security is an essential element of national security and it is business that is the engine room for a strong economy. Corporations are making valiant efforts to protect their assets and capabilities from attacks in the physical and cyber environments. They do so for sound commercial reasons. But such attacks are not just matters of commercial concern to companies and their shareholders. They have significant potential to weaken national resilience.

A principal finding of the study was that there’s a void between business and national security agencies when it comes to understanding each other’s capabilities and limitations.

Corporations have great visibility of what is happening domestically and internationally that may impact on their commercial operations. Some of our corporate heavyweights have an in-house analytical capability or subscribe to specialist intelligence and analytical providers.

Most major companies have an operations or crisis centre. Corporations hold considerable data that may be of benefit to governments during and after incidents. But the private sector currently plays a limited role in national crisis exercises.

A phrase that has gained some usage among Australian corporate security professionals when talking about the desire for greater cooperation with the official national security community is ‘dare to share’, which refers to security officials being willing to provide information that is timely and of value in the prevention and mitigation of all risks faced by the nation.

It’s recognised that there are constraints relating to passing on certain national security information related to international agreements, perceptions of corporate advantage and potentially foreign ownership. But these restrictions should not be insurmountable barriers: they don’t affect the intent to share, although they can affect the depth and timeliness of the sensitive information to be shared.

‘Dare to share’ captures this issue well and is a sound principle upon which to build a mutual commitment by business and government to an improved security-information-sharing partnership.

There are already some mechanisms in place, established by both the Australian government and state governments, to ‘hook up’ with business on issues of national security. But the structures are fragmented between and within government departments and agencies and are often based on sector-specific silos.

Both national security agencies and corporate representatives indicated to the authors that sometimes the other party was intentionally or needlessly holding back essential information while expecting them to provide too much. This indicates a lack of understanding on both sides.

Several corporate security professionals observed that there isn’t much scope at the moment to discuss or even know what national security policy or legislation is coming down the pike.

Those corporations that are closely regulated by government (for example, aviation, telecommunications and finance/banking) tend to know how to find the relevant security official within government. However, companies that aren’t as closely regulated or integrated into the national security community have a difficult time identifying points of contact with the relevant agencies.

Developing a secure and resilient nation can only be ensured through mutual obligation whereby both governments and corporations understand and are committed to developing and maintaining the measures required to safeguard Australia.

When it comes to contributing to national security, we found that business is generally not seeking financial incentives from government—such as tax breaks, subsidies for corporate back-up plans or special government status—because resilient companies ‘do the right thing’ when it comes to national security.

Rather, business executives argued that of far greater value than government incentives were realistic and timely security-related information and an understanding of how their business fits within the overall concept of a resilient nation.

A key message in the report for national security agencies is that coordinating and cooperating with the private sector on national security may be inconvenient at times, but it’s a lot less inconvenient than being exposed unprepared to a range of security threats and challenges. Today, corporate security is national security.

Overall the report makes 16 recommendations on how to strengthen corporate and government cooperation in national security. These include:

  • creating a central hub in the Department of Home Affairs for ensuring information transfer on national security risks and support for industry in better understanding emerging security issues
  • establishing a chief security officer advisory group to work with such a hub, consisting of a small number of senior security, business continuity and resilience managers, as well as organisations representing the broader corporate sector
  • reinvigorating the industry consultation on national security to provide a forum for the prime minister and senior ministers to engage with CEOs on national security policy and issues
  • broadening the scope of state-based joint cybersecurity centres so they become converged centres for integrating national security interaction between business and government
  • ensuring that the Australian government and state and territory governments expand the involvement of business in exercises related to all aspects of national security
  • developing a secondment program of national security agency personnel into the corporate security and more general risk management environment
  • encouraging an awareness among major corporations that when selecting a chief security officer the ability to obtain a national security clearance will be of benefit.

The threats we face don’t recognise the walls that exist between Australian businesses and national security agencies. To safeguard Australia, we need to put more doors in those walls.