ASPI is proud to announce that Dr Tobias Feakin, Director: National Security Programs, has been nominated as Australia’s inaugural Ambassador for Cyber Affairs.

The Joint Media Release, issued by the Hon Julie Bishop MP, Minister for Foreign Affairs and the Hon Dan Tehan MP, Minister Assisting the Prime Minister for Cyber Security is available here.

Author: the Hon Malcolm Turnbull.
Washington DC. September 2016

No institution or infrastructure is more important to the future prosperity and freedom of our global community than the Internet.

It powers and punctuates our daily lives, supports our business transactions and joins our countries in what is truly a world wide web.

This is the modern world.

Yet, for all its ubiquity, it has—for the most part—remained free of government domination or control.

And this is how it should be.

A free and open internet supports our democratic rights of freedom—of speech, religious expression, political thought and choice.

However, governments cannot be completely hands off.

They have a clear role to play in cyberspace in the more traditional roles of a nation state: protecting citizens; advancing national interests; and encouraging neighbours into this exciting digital age.

Governments also have a role in helping secure the internet.

A secure internet is essential, not only in e-commerce, but also in maintaining the relationships that support our society.

Government leads on counter terrorism because these burdens can only be shouldered by nation-states.

Whereas a forward-thinking government knows it will always be intertwined with industry on cyber security.

That’s why we must work together—private sector and nation states—to secure the Internet. The challenges the Internet faces are greater than can be solved by any of us alone.

And this is what brings me here today.

To speak with you about how Australia and the United States can work to secure our cyber world.

I’d like to thank Toby Feakin from the Australian Strategic Policy Institute and Jim Lewis from the US Centre for Strategic and International Studies for jointly hosting this first 1.5. Track Cyber Security Dialogue.

I welcome academia and industry to this dialogue. For all my enthusiasm for government’s responsibilities in cyberspace, good cyber policy requires the cooperation and creativity of academia and industry.  

Indeed, government needs to be challenged by academia and industry.

The nature of global telecommunications infrastructure is such that cyber incidents inescapably engage the private sector.

The person on the front lines of a cyber incident is almost certainly a systems administrator in a private enterprise or a government department.

The intersection of IT security and national security means that we find ourselves aligned with a dual common purpose—to avoid the perils of cyber threats, and to realise the benefits of cyberspace.

When I launched Australia’s Cyber Security Strategy in April this year, I said that Australia will be more open about future compromises of government systems. 

While breaches damage reputations, in the long term only transparency can grow trust. K-mart Australia actively disclosed a data breach late last year, and that transparency helped insulate it from more serious economic loss. Government also intends to lead by example by initiating frank conversations about our success and also about failures.

Which is, of course, why this Dialogue has been termed ‘1.5’—that space between formal, ‘one track’ diplomatic interaction between nations and the more open ‘two track’ engagement. We want to be transparent, we want to cooperate and we want to be invigorated by the new ways of thinking and faster ways of achieving that the private sector and academia have to offer.

That thinking and doing is how we can change the cyber-world and set the future course for our societies.

And we are here today to ask for your help to achieve this.

The deal that I’m offering through Australia’s diplomacy is one of standing firm.

Australia is committed to standing firm on the values of an open and free internet.

We will champion a cyberspace in which state actors, businesses and individuals abide by international law and behave in accordance with agreed norms – because existing rules of behaviour should extend into the cyber world. [1]

This isn’t mere rhetoric.

I have committed Australia to promote the emerging norms of State behaviour in cyberspace—unilaterally with allies and partners and multilaterally through the United Nations, the G20 and elsewhere.[2]

In April this year, I announced for the first time that Australia possesses an offensive cyber capability.  A capacity to respond to state and non-state actors who attack us.  This option of offensive cyber response takes its place alongside options such as: diplomacy; law enforcement action; and sanctions amongst others.

Now, as governments, we don’t talk much about what this offensive capacity can do, nor how it can be carried out.  Much as we acknowledge we have warships, and submarines and fighter jets, we don’t detail the specific technical capabilities of each.  Merely acknowledging their existence forms part of our national deterrence.

In the short-term and in the absence of well-developed understandings about how to behave there is a risk that unexplained cyber incidents could escalate into conflict between states.[3]

That’s why Australia is supporting an emerging regional framework to raise awareness and reduce risks.

Jointly, with the United States, we are mapping our cyber incident response structures and mechanisms so that we can cooperate in the event of an incident affecting both our nations.

Online, incident response goes hand-in-hand with incident preparedness and with real world analysis of threats.

Our societies are increasingly reliant on faster telecommunications, secure data centres, satellite capability, and smart electricity networks.

That’s why fostering trust in infrastructure must be taken seriously.

Australia and the US have always been very clear that damaging critical infrastructure is unacceptable.  And we have maintained a strong line that cyber espionage for the purposes of commercial advantage is also unacceptable.

As well as countering any state-sponsored malicious cyber activity, we are working to ameliorate the damage caused by cyber-criminals.

Denial of service, hacking, phishing and malware, are disruptive to our economies, our social interactions, and—through their unwavering persistence—our sense of security.

This undermining of our online confidence means we are not fully leveraging the digital economy. 

So transparency, ‘norms promotion’ and maintaining a national capacity to counter cyber threats must be part of governments’ contribution to ensuring Australia and the US are secure and dynamic locations for business diversification and investment.

There is no point, however, simply being a digital stronghold in a network of insecurity.

Which is why countries like the US and Australia have both a moral obligation and clear economic benefit to engage in regional capacity building.

Consider Australia’s location in the Asia-Pacific and the forays into the online world that are being made on our doorstep.

New undersea cables have seen connectivity for our Pacific trading partners increase exponentially over the last decade. Their increase in connectivity has coincided with a doubling of mobile phone coverage and dramatically falling internet and phone prices—placing that connectivity in the hands of millions more people. 

It’s an exciting economic prospect for our region.

However, the Asia-Pacific region is also the most heavily affected by cybercrime—losing one third more business revenue to cybercrime than either the EU or North America.[4]

So, as well as being true to our view of ourselves as part of Asia, and a partner in the Pacific, Australia has an economic imperative to build regional capacity and to smooth the way for private sector involvement in self-sustaining economies.

It’s in our best interests.

It’s also in our best interests to be a good global citizen and to promote an open and secure internet.

Every ideology and every philosophy in every language is represented online.

I said at the launch of Australia’s National Cyber Security strategy that the ‘internet has change the world, has changed history and it has changed us. 

In addition to that, it has also changed how we communicate what we believe, and some suggest it is changing how we think and engage in conversation.[5]

If we truly believe, as I am sure everyone in this room does, in the merits of western liberal ideals, then we must prosecute our ideals online.

On the multi-faceted internet battlefield we are engaged in memetic warfare; a competition over the narrative and ideas that define our lives.[6]

It is because we abhor violence, racism and sexism, that we must promote conversations that are as inclusive and as unbounded as possible and not prohibit discussion. Violence begins where conversations end, so inclusive conversations and embracing an open Internet that fosters positive ideas are how we keep our societies safe.

We must, of course, be open minded enough to listen to evidence and logic and change our positions when we are on the wrong side of truth, but my central contention is that better ideas will win those conversations.[7]

Government and business must focus on the positive, because thinking about cyber only as a threat vector is missing the big picture.

Cyber is a catalyst for innovation and growth.

The cyber security sector could grow at faster than 10 per cent each year for at least the next 5 years—far exceeding expectations of the economy generally.[8]

My objective is for Australia to become even better placed to use home-grown cyber security expertise to solve challenges and develop new business opportunities of global significance.

Already Australia has announced an industry-led Cyber Security Growth Centre, based in Sydney. It will build on our expertise, promote greater collaboration and support our local cyber businesses to expand, to commercialise IP and to export innovative product.

I am here today to invite you and your expertise into the cyber-security frameworks of both our nations.

I want this dialogue to be more than just an annual gathering – I want it to be active and I ask three things of government, industry and academia between this dialogue and the next:

First, and most immediate, what early achievements are possible between now and the next dialogue?

Second, in the short to medium term, what barriers can government continue to remove, either through deregulation or positive action?

And third, articulate robust, long-term and innovative goals in cyber security we can agree at the next dialogue and then pursue with tenacity.

To commence the thinking on early gains and enabling real progress between this Dialogue and next, we must convince leaders, at Board and government levels, that cyber is one of their essential functions. That means people must be cyber ambassadors and carry that message.[9]

Many companies have Chief Technology Officers and Chief Information Security Officers. Both have the dual skills of technical-knowledge and business-acumen. As the business leaders in this room know, Chief Technology Officers drive the successful execution of the company’s strategy through technological innovation. Chief Information Security Officers quantify risk and ensure that their CTO’s urge to innovate is tempered by appropriate prudence.  

The most obvious reason to value the role of CISOs in board-level decision making is the risk of cyber threat to your budget bottom line. As we are all acutely aware, a cyber-attack or data leak from even a mundane business system—like e-mail—can have a dramatic impact on an enterprise.

In fact, it’s probably now more important that rather than CISOs we properly recognise the convergence of online and offline threats and consider the more appropriate title as being “Chief Security Officer”.

We can all name companies that have lost more than 10 per cent of their value overnight from a single cyber incident. 

Listening to the risk mitigation advice of your security staff is therefore good business. But it is better business to also think broadly about the benefits of information security. Security staff could use their skills to contribute new business models that take a company into new products and markets. On that basis, we should unleash security staff to focus on both sides of the risk-coin and to increase the value they add to their organisations.

Increasing the capacity for security staff to engage in conversations with senior decision makers is absolutely critical when it comes to responding to a cyber incident.

Many enterprises can effectively analyse attacks, build timelines of events, track data loss and restore systems, but without ongoing good communication and a working knowledge of the cyber space, your capacity to respond is hampered.

In one study 80 per cent of organisations say they don’t frequently communicate with executive management about potential cyber-attacks against their organisations.[11]

If a prudent decision is being made to keep a critical business system offline while a threat is properly diagnosed and addressed, how do security staff convince the final decision maker?

CEOs and boards want succinct information, which is not always easy when presented with IT security data. Undoubtedly, the IT security function needs to work on how it explains risks to management, but it is also incumbent on management to be well-versed in cyber security language and the realities of responding.

At the heart of any successful board-level incident response will be a lexicon.

How can consistent messaging travel from IT security to customers and the public when the IT professionals speak a different language and when the next spokespeople in the chain—the CEO, the board and the reporting media—can’t necessarily speak the languages of IT?

Improvements to cyber incident response are on our minds in Australia, thanks to a denial of service incident on our national census night.

Although it was nationally significant, it was technically predictable and not a unique situation for business and governments to be in. However, we struggled with the laden meaning of the word ‘attack’.

‘Distributed denial of service attack’ is language that has begun to permeate the public consciousness. However, if a nation state says that it has come under attack, the meaning, and therefore the act itself, is weighted with tremendous significance.

We need to be able to communicate an accurate level of significance.

We need to know collectively that a denial of service is equivalent to having a bus parked in your driveway so you can’t get your car out; that hacked data means someone broke into the garage and took the car; and that the solutions to these two things are very different.

Widely understood language in other fields has been hard fought for and won. If we hear of an air disaster involving a cabin fire or an engine fire on an aircraft, we understand the difference between, and different implications of those two scenarios. 

The general public also knows that a black box—that great Australian invention[12]—is important to aircraft investigation but that finding it can be difficult and takes time. If an air safety authority says that an investigation is focusing on locating the black box because it will yield vital clues about the aircraft’s final moments, the public accepts that.

The conversation about cyber incidents has not reached anything like that level of maturity. Those outside the cyber security world don’t readily understand the relative impact of different incidents, typical investigation timeframes, or likely response options—such as shutting down a site while investigating unusual traffic patterns.

On that basis, I call on academics to turn their minds to the problem of cyber lexicon. How can we communicate clearly with each other? How do we normalise cyber discussions so that they are held in the context of all threats, risks and opportunities?  I also ask the media present to involve itself in that conversation and to take care to understand what is being said by governments and businesses.   

Before I close, I’d like to talk briefly about fairness in relation to cyber security and how large companies can help themselves by helping others.

For each large enterprise, there are many small businesses putting a toe in the water of the online world. They are connected to you as suppliers, distributors and contractors.

Many are far less secure, far less savvy, far less resourced than governments and big business.

To widen the web of safety, the Australian Government is providing support for some 5000 of our small businesses to have their cyber security tested by certified practitioners.

Businesses, and indeed universities, can further widen the net by engaging with their own supply and distribution chains and with their social good programs.

The volunteer organisations that you support are human-based, not tech-based.

Some—like those assisting women who are victims of domestic violence—hold incredibly sensitive personal information and are acutely aware of the physical safety of those they are protecting.[13]

These organisations know their moral, and often legal, obligation to maintain personal information safely but, most likely, they are neither resourced nor skilled to be active, let alone, innovative online.

You would help secure the veracity of the Internet, if each of the organisations here with an established CSIO were to seek out a small or not-for-profit enterprise with which to share their knowledge.

By doing so, you will embody the social and national values of our nations.

In Australia and the US we are building cyber-smart nations through investment in education, centres of excellence and dialogues like this one. We are working to keep the net safe for our citizens and their businesses, to protect the infrastructure on which we all rely and to elevate the safe use of cyberspace in our trading partners.

Government, by necessity, has asked and will ask a lot from business to ensure cyber security, but it is because you have the imagination and the people, to create the confidence we are committed to building.

We are living in a world that needs the sort of dialogue and action that comes from working together in the 1.5 track diplomacy space.

This digital century is a time of remarkable opportunity.

Our response to those opportunities, and to the threat of people using it criminally and maliciously, will come to define the future course of our societies.

Thank you – and I urge you to use this Dialogue to guide the web we all comprise towards both ambitious and innovative ideas as well as practical solutions to secure the economic and social futures of both our countries.

I look forward to seeing you in Australia next year.

________________________________________

[1] Taken from the launch of the National Cyber Security Strategy

[2] Taken from the launch of the National Cyber Security Strategy

[3] Taken from the launch of the National Cyber Security Strategy

[4] $81b/$61b*100=132.8%

http://www.grantthornton.global/en/insights/articles/cyber-attacks-cost-global-business-over-$300bn-a-year/

[5] https://www.edge.org/responses/how-is-the-internet-changing-the-way-you-think

[6] https://www.democracyendowment.eu/we-support/institute-of-post-information-society/what-is-memetic-warfare-and-how-it-threats-democratic-values/

[7][7] From Cyber Security Strategy launch

[8] http://cybersecurityventures.com/cybersecurity-market-report/

[9] https://assets.kpmg.com/content/dam/kpmg/pdf/2016/06/Cyber-in-the-boardroom-3.pdf

[10] Prime Minister’s speech to IPAA in April 2016.

[11] http://www.securityweek.com/security-incident-response-teams-getting-short-end-budget-stick

http://www.securityweek.com/technical-management-challenges-facing-incident-response

[12] http://www.dst.defence.gov.au/innovation/black-box-flight-recorder/david-warren-inventor-black-box-flight-recorder

[13] https://securityintelligence.com/media/podcast-intersection-cybersecurity-victims-violence/

ASPI is proud to be ranked as one of the world’s best think tanks in the University of Pennsylvania’s 2014 Global Go To Think Tank Index (GGTTTI), the gold standard of excellence for think tanks around the world.

This year, ASPI increased its rank to 16th in the ‘top defense and national security think tanks’ category, making ASPI the number one defence and security think tank outside of the US and Europe.

ASPI also ranked 27th in the ‘top foreign policy and international affairs think tanks’ category, the highest ranking for any Australian-based think tank.

The 2014 GGTTTI also named ASPI as the number two ‘think tank to watch’ globally for the second year running, behind the BRICS Policy Centre in Brazil.

ASPI made inroads in other categories this year: Dr Mark Thomson’s annual publication, “The Cost of Defence: ASPI Defence Budget Brief 2014-2015”, was ranked the 16th best policy report produced by a think tank; and ASPI’s collaborative efforts with South Africa’s Brenthurst Foundation were recognised in the ‘best institutional collaboration involving two or more think tanks’ category.

ASPI was again commended for its excellent social media presence, ranking in the top 30 think tanks with the best of use of social media. ASPI has established presences on YouTube, Twitter, and Facebook. ASPI’s blog, The Strategist, plays an essential role in facilitating debate on Australian defence and strategic issues.

GGTTTI rankings rely on the votes of over 20,000 journalists, policymakers, public and private donors, think tank staff, and functional and regional area specialists.

To read the 2014 Global Go To Think Tank Index Report, click here (PDF). 

The ASPI International Cyber Policy Centre, with the help of Minister for Communications Malcolm Turnbull MP, today launches its inaugural examination of the Asia-Pacific cyberspace landscape and finds that Australia fairs well against its regional neighbours, ranking higher than China in terms of its overall national ‘cyber maturity’. You can download this report here.

The Asia-Pacific region has increasingly become a global point of strategic interest and competition. The region is both at the heart of global economic growth as well as simmering territorial disputes and political tensions between nations. The development of cyberspace and the information and communications technology (ICT) that powers it has proven to be an integral part of the region’s socioeconomic growth.

Although increasing connectivity has generated undeniable benefits, it has also created new vulnerabilities for governments and the private sector in the areas of national security and online crime. In an environment such as cyberspace where gains are high, the probability of capture is low and deniability rules, many different economic and political confrontations are playing out simultaneously.

To make considered, evidence-based cyber policy judgements in this regional context, there’s a need for better tools and information to assess the ‘cyber maturity’ of nations in the region. In response to this over the past twelve months the Australian Strategic Policy Institute’s International Cyber Policy Centre has developed a Cyber Maturity Metric which provides a guide to the regional picture.  The UK and the US were included in the study as a benchmark upon which to gauge how well other nations were developing their responses to the challenges and opportunities that cyberspace offers.

Nations’ cyber maturity was measured across four different topics, governance structures, military application, digital economies and business, and social engagement.  Scores were applied across research questions across those topics and then a total cyber maturity score was given out of 100.  The sixteen nations’ overall scores were:

Cambodia   20.1

United States   86.3

United Kingdom  81.2

Australia   75.8

South Korea   75.5

Japan    75.3

Singapore   74.7

China    58.4

Malaysia   57.9

India    45.9

Philippines   43.4

Indonesia   42.4

Thailand   41.6

Myanmar   29.7

Papua New Guinea  23.0

North Korea   20.7

ASPI releases ‘Special Report: A return on investment: the future of police cooperation between Australia and Indonesia’, by David Connery, Natalie Sambhi and Michael McKenzie. You can download a copy of this report here.

The relationship between Australia’s Federal Police and their Indonesian counterpart, the Indonesian National Police (POLRI), is a remarkable story of cooperation that has delivered benefits for both countries.

There’s a maturity in the relationship reached by the number of cooperative law enforcement initiatives, particularly since the Bali bombings. But there’s also a freeze in aspects of the security relationship between the two countries and so the police-to-police relationship now is at an inflection point. 

This Special Report examines the history of the AFP–POLRI relationship, articulates its many benefits, and then develops near- and long-term strategies for future police cooperation.
The key recommendations for consolidating the close police relationship include people-to-people activities. The 10-year anniversary of the highly-successful Jakarta Centre for Law Enforcement Cooperation (JCLEC) presents a good opportunity to highlight successful ties. Australia should also invite POLRI officers to Canberra to assist with the security arrangements for the November G20 meeting.

In the longer-term, Australia and Indonesia should leverage police cooperation as a way to add ballast to the bilateral relationship. This should include bringing more POLRI officers to Australia on long-duration secondments, creating a police alumni association, and making more extensive use of the JCLEC to train provincial-level police officers in Indonesia. New initiatives to share criminal threat information with business, particularly in Indonesia, would also be welcome. Regional conditions also provide great opportunities to work together to deliver police development training to the Myanmar Police. Such cooperation would not only leverage the substantial investment that’s already been made in the relationship—it would also add depth and demonstrate the practical value of Indonesian–Australian cooperation, now and in the future.