Security must be government priority
by Graeme Mickelberg
Governments around the world are increasingly the targets for sophisticated international criminal networks. The Australian Government is no exception to this trend. Graeme Mickelberg examines the reasons why governments are targets and what they should do to counter security threats.
The threat of terrorism and the strategies that have been taken by the Commonwealth, state/territory and local governments in Australia to counter terrorism have been the subject of considerable publicity.
However, there are a range of other security-related threats confronting governments. Many of these threats are far more likely to occur than terrorism and have the potential to expose people to risks to their safety.
Some security threats may also result in significant financial and political consequences. Regardless of the nature of these security threats governments have a duty of care to ensure that reasonable measures are taken to manage security and to mitigate associated risks.
The day to day interaction by governments with businesses and the community is necessary to ensure the provision of services required by government departments and to ensure compliance with legislation, which is facilitated by the collection of a range of taxes, including licensing fees and other charges.
Transactions are conducted via mail, electronically and over the counter at customer services centres located in major cities and larger regional cities and towns. Compounding factors include the complexity and diversity of stakeholders that governments have to deal with, the number and nature of financial transactions and the volume of data generated. There are also privacy and/or commercially sensitive implications that need to be considered.
The community and businesses have an expectation that governments will ensure the safe custody of monies, information and other data.
Security threats
The following general security threats are encountered by governments:
Fraud. A dishonest act with the objective of personal gain, including obtaining information, money, intellectual property, computer login passwords and commercial in confidence documents, which may be government property or in the safe-keeping of the Government
Theft. An act involving the dishonest removal of government property including citizen's personal information, identity documents, commercially sensitive information and intellectual property
Vandalism. The wanton and deliberate damage and destruction of government property, including graffiti and computer viruses
Sabotage. An act or threat, intended to cause serious harm to property that may result in serious risk of harm to the health and safety of the public, disruption of essential services and financial loss
Harassment of staff. An act or threat, oral or written, directed at government employees, resulting in physical assault and/or intimidation
Trespass. An act involving unauthorised entry to government premises
Extortion. An act or threat to obtain money, a favourable decision, confidential information or other outcome by the threat of intimidation and/or violence to government employees.
Security threats can arise that are diverse and include criminals as well as government employees, contractors and members of the public. Additionally, security threats are not limited to originating from within Australia as some security threats may originate from international locations. The increased dependence on information technology and transactions utilising web-based technologies have provided avenues for security threats.
Potential source of identification
Organised criminals regard government agencies as a potential source of identification. Such documents are invaluable in the process of establishing false identities necessary for criminals to implement schemes involving other illegal pursuits including fraud.
Government agencies responsible for the issuing of driving licenses are attractive targets for criminals, including outlaw motor-cycle gangs and other organised crime groups.
These criminal networks may also seek to gain access to such documents indirectly by threats with the objective of extorting documents from government employees. Alternatively, criminals may source identity documents obtained by members of the public involved in petty crime.
Customer service centres operated by government agencies may also be directly targeted by thieves to obtain machines and materials used to produce driversí licenses which can then be sold for large sums.
Increasingly, information has a high value not only to criminals but also to others, including issue motivated groups, persons seeking information for commercial advantage, journalists and other members of the public.
Issue motivated groups may access information via sympathetic government employees who are in a position to pass confidential information. Alternatively, sensitive information may also be leaked to journalists. Other potential sources of information include government contracted service providers who are able to access government buildings after hours.
Information may have very high commercial value to businesses competing for Government tenders. Some businesses may seek to source information about government requirements, competing tender submissions and the outcomes of tender evaluation processes. Such information may be sourced from government offices or via web-based sources accessed by hackers.
Considerable financial gain
Government facilities and depots are used to store machinery, building materials, motor vehicles and other equipment which can be sold, often for considerable financial gain. Depots may be located in regional and rural locations often with minimal after-hours observation, leaving such locations vulnerable to carefully planned operations by organised criminals and opportunity theft by petty criminals and members of the public. Other security threats involving Government damage to property include vandalism, graffiti and sabotage.
Sabotage may be regarded as an exotic threat limited to terrorists. However, it is more likely that sabotage will be undertaken by issue motivated groups or dissatisfied current or former employees or contractors.
Radical members of some issue motivated groups have demonstrated they are prepared to break the law to get their message across. Acts by groups such as those recently undertaken at the Loy Yang power station in Victoria which involved the illegal entry to the power station reflect an increased willingness to go beyond peaceful protest measures.
As the impact of global warming increases, issued motivated groups may be inclined to undertake increasingly more radical acts. Sabotage may also involve current or former employees who may have detailed knowledge of procedures necessary to access Government sites, including information systems, with the potential to seriously interfere with the business of Government.
A compounding issue that has exposed governments to vulnerabilities is associated with security threats, including theft, fraud and sabotage. Such threats may arise directly from contractorís employees or indirectly as a result of information provided to criminals.
The nature of security threats that may arise from the use of contractors may be further complicated as a result of services provided by foreign based contractors who present additional challenges to confirming their vulnerabilities.
Risks associated with security threats
The following are risks associated with security threats encountered by governments:
People. Government employees may be exposed to risks to their safety as a result of their dealings with the community, including at customer service centres, where dissatisfaction with an administrative decision may result in verbal or physical harassment
Financial loss. The cost of security threats to governments may be considerable and may include costs associated with damage to and theft of property, costs arising from loss of productivity, litigation and compensation
Interruption to essential services. The continuity of essential services may be at risk of interruption as a result of security threats, including those arising from the threats of terrorism and sabotage. The outcome of which may be such as to impact whole communities and businesses with significant political implications for governments
Adverse media. Security threats may lead to adverse media attention, particularly where a failure on the part of governments to take reasonable steps as part of their duty of care to employees and the community.
Strategies to protect government agencies
The following strategies should be considered to protect government agencies, their employees and the community from risks associated with security threats:
Security protocols. This strategy involves the implementation of relevant Australian and, where appropriate, international standards and benchmarks, security guidance and legislation. The objective is to encourage security as an enabling measure intended to facilitate the day to day business of government agencies. Protocols for physical security, including for CCTV, security fencing and other areas such as personnel security and information security are necessary. These protocols should be articulated in security policies and procedures that are uniformly applied across all government agencies
Integration. Effective security depends on the integrated implementation of standards, internally within respective departments and agencies and externally in relation to inputs provided by organisations and contractors external to government. Failure to take an integrated approach is likely to give rise to gaps that may exploited by criminals and others
Intelligence. Anticipating the potential for security threats and changes to trends in such threats depends on accessing credible intelligence that may be provided by the police and other sources
Security training. Effective security depends on employees and managers being given skills necessary to ensure the management of security threats. Such training should include security awareness training and specialist skills necessary for managers
Police criminal records checks. Governments should consider the provision of criminal records checks for employees and contractors. Such checks should be included as part of due diligence processes involving the vetting of tenderers and contractors
Security testing and auditing. Sustaining security requires regular testing using credible scenario-based contingencies and periodic auditing against well defined standards and benchmarks.
Effective security contributes as an enabling measure designed and implemented in such a way as to complement and support the work done by governments. The responsibility for security is an implicit part of the governance responsibilities of government ministers, public servants and contractors.
Facilitating this responsibility depends on the adoption of reasonable and considered measures undertaken in a proactive way. Careful application of counter measures is needed to meet the unique demands of security threats coupled with constraints imposed by the operating environment and the day to day business of governments.
First published in ASM Dec 2007-Jan 2008 edition.
About the author: Graeme Mickelberg is a security risk consultant. His business, Hydra Enterprises Pty Ltd, has national and international clients in the private and public sectors. Graeme can be contacted by email at hydraenterprises@telstra.com or on 0407 113 909.