Response to discussion paper “Strengthening the national security of Australia’s critical infrastructure”

Thank you for the opportunity to comment on the discussion paper “Strengthening the national security of Australia’s critical infrastructure”, which was released publicly at https://www.ag.gov.au/Consultations/Pages/Strengthening-the-national-security-of-australiascritical-infrastructure.aspx

Australia has been a thought leader in critical infrastructure protection since the launch of the Trusted Information Sharing Network in 2002. We offer the following thoughts to assist government consideration of this important issue.

A register of critical infrastructure will only be useful if it provides a current and complete picture to assist national security decision-making.

The threats from malicious actors have been clearly identified, but there should be some additional references to the domain of natural and accidental hazards. Further, we suggest that the complex network and interdependencies of transport systems should be considered. While raw material suppliers such as oil and gas may be considered a subset, they too should be part of the network of interrelated CI to be considered. Mapping these networks in detail may assist in an assessment of hierarchy and interdependency.

Governments have considered the task at both state and federal level in the past and discounted it because the effort to maintain such a register is significant. CI registers in other countries have also not been very successful. The Department of Defence, through the Defence Industry Security Program, often struggles to maintain visibility of the defence infrastructure, let alone maintain a detailed register. It has enhanced its approach by considering the criticality of projects and sites on a risk-assessed basis to rate them for security and reporting, but this does not address the network relationships.
The assessment of criticality will need to be carefully considered from a resilience perspective. The fragility of complex societies such as ours is due to brittleness, where seemingly small events or decisions cause larger problems because there is a lack of adaptability in the system as a whole. Reference could be made to the current standards work to provide some definitional guidance and elements around key characteristics of resilience.

AGD should put significant effort into investigating a behavioural economy approach to the problem of ensuring records are current and complete. Creating legal penalties for compliance and enforcing them is expensive and time consuming and risks alienating critical infrastructure owners. AGD should consider how to create strong incentives for organisations to participate in the register. As a first step, AGD should consider what information could be obtained from other information sources such as ASIC or the state/territory governments to make participation easier.

Ref: Main advantages and disadvantages of a register

Depending on how the register is designed, it could become the ‘source of truth’ to identify critical infrastructure. We see that there are several issues that would need to be surmounted in the design and implementation of a register.

- Cost of implementation and maintenance, both for government and the economy more generally.
- Balancing the need for confidentiality of the information in its aggregated form with the need for the integrity/accuracy and timeliness of the information it contains and the availability of the information for maximum utility.
- Whilst we think of critical infrastructure as buildings or plants, much of the critical infrastructure is in fact ‘systems’ such as the food distribution network. Efforts to create registers of critical infrastructure have in the past skewed towards physical infrastructure and buildings.
Consideration should be given to a graphical, network-centric model of the interrelationships. I would consider something along the lines of the representations used in the WEA 2016 Threat Assessment paper.

How will the register adapt to changes in the consideration of what is critical? The register needs to be dynamic and up to date, and structured in such a way that at the “backend” there will automatically be indications of changes that vary the risk assessment. Some identification and understanding of key points of failure in the network/s will be critical.

Registration of foreign interests may require special relationships for governance and visibility of operations, as risk arises, on one hand, from state ownership of all or some components of an enterprise, and on the other from global financial pressures on overseas owners whose primary consideration is profitability.

Jason Brown
International Chair of ISO TC262 Risk Management
Standards Australia Chair – MB 025 Security and Resilience
National Security Director, Thales Australia

Alex Webling
International Rapporteur on Resilience for ISO TC 292 Security and Resilience
Member of Standards Australia Board – MB 025 Security and Resilience
Director, Resilience Outcomes Australia Pty Ltd
www.resilienceoutcomes.com