Nobody with sensitive information is immune to espionage: ASIO chief
The nation’s top spy warns ‘nobody with sensitive information is immune’ to espionage, offering advice on how to protect your organisation – and the nation.
The nation’s top spy has asked for help from Australian individuals, businesses and organisations on cybersecurity, saying his agency is “not all-seeing and all-knowing”, and warning “nobody with sensitive information is immune”.
In a broader warning about espionage threats, Australian Security and Intelligence Organisation director-general Mike Burgess said that in the “prevailing threat environment, national security truly is national security – everybody’s business”.
“We cannot catch every spy,” he said. “We need your help.”
Mr Burgess said Russia, China and Iran were “very active” in Australia but also “many other countries are also targeting anyone and anything that could give them a strategic or tactical advantage”.
What businesses are spies targeting?
He said foreign intelligence agencies were “aggressively targeting” three key areas: science and technology, particularly advanced technology; public and private sector projects to gain a commercial advantage; and Antarctic research, green technology, critical minerals, and rare earths extraction and processing.
What information are spies taking?
Mr Burgess warned this meant “nobody with sensitive information is immune” and gave examples of recent operations investigated by ASIO.
“Spies successfully recruited a security clearance holder who handed over official documents on free trade negotiations,” he said. “Foreign companies connected to intelligence services have sought to buy access to sensitive personal data sets; sought to buy land near sensitive military sites; and sought to collaborate with researchers developing sensitive technologies.
“A foreign intelligence service tried to get an asset employed as a researcher at a media outlet, with the aim of shaping its reporting and receiving early warning of critical stories.
“Spies convinced a state bureaucrat to log into a database to obtain the names and addresses of individuals considered dissidents by a foreign regime.
“Nation-state hackers compromised the network of a peak industry body, stealing sensitive information about exports and foreign investment.
“In another case, they hacked into the systems of a law firm involved in sensitive government-related litigation.
“A foreign intelligence service directed multiple agents and their family members to apply for Australian government jobs – including with the national security community – to get access to classified information.”
How can you protect your business from foreign spies?
Mr Burgess urged “common sense” in cybersecurity safety measures. “Simple steps can make a major difference. The vast majority of cyber compromises involve a known vulnerability with a known fix – it just wasn’t addressed,” he said.
“And when we identify an individual as a security problem, almost always the person’s manager says they’re shocked but not surprised. The signs were there but, again, the vulnerability wasn’t addressed.”
He listed multiple “common sense” measures on cybersecurity.
“If you have sensitive information, common sense is a good place to start,” he said.
“Be alert to the threat. Don’t make yourself a target on social media. Don’t use PASSWORD as a password.
“Update your software. Follow the rules for handling classified information. If you are pressed for inside information, be discreet. If an approach seems suspicious, report it.
“If you work for the government or have a security clearance, you are obliged to report suspicious approaches. The easiest way is to get in touch with your security manager and fill out a contact report.
“Anyone else with concerns about potential espionage can call the National Security Hotline or use ASIO’s reporting portal at nitro.asio.gov.au.”
On an organisational level, he said the general character of espionage threat mitigation “shares a lot of DNA with an effective defence against other foreseeable organisational challenges like criminal theft, fraud, workplace accidents and equipment failures”.
“In the context of espionage, understanding the threat means acknowledging the threat is real, anyone with access to sensitive information can be a target, and the consequences for your bottom line, reputation and the national interest can be severe,” he said.
“Identifying the risk means knowing what is valuable and what is vulnerable in your organisation, whether it be data, assets or individuals.
“Managing the risk involves a coherent, connected security strategy across your whole enterprise – your people, places, technology and information.
“Building a high tech fence isn’t much help if you use PASSWORD as a password; and great cyber security isn’t much help if you can’t control access to your premises.
“The people piece is most often overlooked. I’m not suggesting managers need to conduct mass surveillance of their staff, but they do need to educate them and stay alert to anomalous behaviour.”
More Coverage
Add your comment to this story
Jail those who fail to act on pedophiles in their ranks
Childcare is deemed by state and federal governments as a universal right, yet little is changing to protect our dearest and most vulnerable.
‘Heart as big as the country’: Fr Chris Riley, Youth off The Streets founder, dies
Tributes are flowing in honour of revered Catholic priest, Father Chris Riley, who has died aged 70 in his Sydney home after battling long-term health concerns.
To join the conversation, please log in. Don't have an account? Register
Join the conversation, you are commenting as Logout