Taking Australian diplomacy digital

What’s the problem?

Australia’s Department of Foreign Affairs and Trade (DFAT) now has a presence on the main digital platforms, but it is yet to master digital diplomacy: using these powerful new communication tools and platforms to better conduct its core mission of persuasion, influence and advocacy. There’s too much use of new media channels to transmit old media content, a tendency to duck rather than address difficult issues, and a failure to engage within the digital life cycle of a news story.

Data analytics and the integration of digital tools into mainstream diplomatic campaigns are both lacking. Beyond this, there’s a need to rethink how Australia does diplomacy in the digital age.

DFAT needs to find better ways to communicate with its stakeholders, using digital tools. It needs to recognise that increasingly statecraft is playing out in the cyber and information domains, and invest more in equipping itself to engage in those domains—even when such online engagement brings risk. 

DFAT must also reconceive its overseas presence and embrace some of the agility and nimbleness of the tech world in doing so.

What’s the solution?

DFAT needs to start treating digital diplomacy as core tradecraft, rather than optional add-on. It should provide compulsory digital training for all outgoing heads of mission and encourage healthy internal competition and innovation. It should pilot more sophisticated data analytics tools and integrate digital tools into regular diplomatic campaigns. It should develop and pilot a new stream of diplomatic reporting that’s punchier and timelier, and reaches a broader audience on hand-held devices.

DFAT should create new positions of ambassador to Silicon Valley and ambassador to the Chinese tech giants based in Beijing. It should experiment more with ‘pop-up’ diplomatic posts, pilot one-person posts and encourage innovation and experimentation in the conduct of digital diplomacy, conceiving of embassies as hubs and connectors for a broad set of interactions. 

Finally, DFAT needs to adopt some of the nimbleness and agility of the tech world in how it conducts Australia’s external policy. Failure to do so means the field is left to others.

Introduction

Australia’s DFAT has come a long way in a short time in its embrace of digital tools and technology.

DFAT, and most of our embassies around the world, now have a significant social media presence, often across several platforms (Figure 1). There has been an explosion of Twitter feeds, Facebook pages, Instagram accounts, and even blogs and YouTube channels,1 adding colour to what was (and remains) a rather lifeless website-only presence. In this, DFAT has been helped by political leaders who have embraced these tools as a means of modern-day communication.

After coming late to the game,2 DFAT now has a decent digital presence when benchmarked against other foreign ministries worldwide. It’s certainly not in the top 10, but it is credible.3

Figure 1: DFAT’s social media presence

Digital, but not yet doing digital diplomacy

However, in the rush to embrace digital media, there’s a danger that some of the bigger questions have gone begging, and that ends have been confused with means. Doing digital diplomacy well not only requires having the requisite digital platforms—it entails using them strategically and effectively to advance a diplomatic agenda.

This is where DFAT is struggling: it has gone digital, but it isn’t yet doing digital diplomacy. Having a large number of social media accounts and a growing crop of followers or friends isn’t sufficient. The test of success is whether those factors are being properly utilised to bring Australian diplomacy from the analogue into the digital age.

A changed operating environment

The essence of diplomacy hasn’t changed. Its main purpose remains the facilitation of communication between states and the exertion of influence (on other states or the international system) to protect and advance national interests. But what has changed vastly, almost beyond recognition, is the operating environment of diplomacy.

Even as recently as a decade or two ago—well within the professional lifespan of most of Australia’s senior diplomats—diplomacy as a profession, and hence DFAT as an institution, enjoyed several natural monopolies. First, there was the monopoly on information. It wasn’t that long ago that diplomats would fax press clippings or transcribe news articles and send them back to their capitals.

At a time when news on developments within other countries was scarce, and almost impossible to access remotely, diplomats stationed abroad were a vital—sometimes the only—source of information for capitals hungry for such intelligence.

Second, there was the monopoly on communication. In the era before modern modes of communication, the bulk of interactions between states took place through the medium of their diplomats. Leaders would meet or talk occasionally, but usually the challenge of making direct contact meant most communication was, of necessity, passed through ambassadors or envoys.

Third, there was the monopoly on representation. When communication with capitals was slow and difficult, and it could take several weeks to get an answer, diplomats abroad were expected to make decisions and improvise within a wide area of policy discretion.

These natural monopolies guaranteed relevance for foreign ministries, DFAT included, and sheltered them from competition. A government simply couldn’t run a foreign policy without a foreign ministry and its overseas diplomatic missions. Modern-day technology, however, has eroded most of these natural monopolies.

Diplomats no longer enjoy a monopoly on information. Leaders and decision-makers in capitals can readily access and follow most news from abroad, usually on demand, and from a variety of sources. Nor do diplomats enjoy a monopoly on communication. Today, leaders and senior officials are just as likely to communicate directly with their counterparts in another country—by phone, email, text message or, increasingly, an encrypted chat service—rather than through their diplomats.4

Finally, the monopoly on representation has ended. Diplomats are now expected to check nearly everything of significance with their capitals first, and modern communications mean they can (and are expected to) obtain revised instructions on how to handle an issue almost instantaneously.

Disruption, disintermediation and the digital pivot

The end result is that diplomacy has become a much more competitive space. Diplomats are being disintermediated by new technology and communication advances. States are increasingly able to understand, communicate and negotiate directly with other states, without the need for the intermediating service of diplomats. With the disruption of much of the traditional role of diplomats, the challenge for foreign ministries today is to pivot: to find new ways to generate value and ensure relevance in a much more contested field. And this is where digital tools can prove so important.

One of the main purposes of national security agencies is to deliver a strategic effect: to shape the behaviour and decision-making of foreign countries and their leaderships. Defence forces do this through alliances and partnerships, their force posture, deployments, joint exercises and military diplomacy (and, in extremis, through the threat or use of force). Development agencies do it through the direction and composition of their aid spending. Intelligence agencies do it through the collection of sensitive information, espionage and disruption.

In diplomacy, words are the bullets. A strategic effect is delivered through persuasion, influence, argument and advocacy directed towards a foreign population, nation or group of key actors or decision-makers. For this task, new communication tools—and especially social media—are a potential boon for diplomats.5 They allow diplomats to engage directly with the public or segments of the public in their country of posting, often in a targeted fashion. They provide the tools to deliver a message or engage in debate directly, rather than through traditional platforms.6 And they allow real-time interaction with a rapidly evolving media cycle, including the ability to rebut falsehoods, contest narratives, correct mistakes and provide the public with additional context to media reporting.

This is especially important now that political power is highly dispersed (partly the result of digital media giving each person a loudspeaker). To be an effective diplomat today requires more than just the formal engagement of your host government. If you want to be effective and shape the course of decision-making, then you need to be monitoring and engaging with those who shape the decision-making environment of political leaders within a society. That might include the media, business and industry groups, civil society, pressure and lobby groups, religious organisations, politically active diasporas and social media ‘influencers’. While this may be less true in autocratic countries, even there—thanks to social media and digital platforms—civil society has a voice that it previously lacked, and a means with which it can be directly engaged.7 Knowing and understanding the terrain of local opinion, and how to engage and shape it—the ‘last three feet’ of diplomacy8—is the unique value proposition of today’s diplomat and something that only a local, informed and networked presence can provide.

A credible but flawed digital presence

DFAT and the Australian network of embassies and high commissions abroad now have, on the whole, a credible digital presence—the tools needed to conduct those last three feet of diplomacy. This is necessary but not sufficient. The challenge is to fully utilise these platforms to conduct DFAT’s core business, which is diplomacy. And here, there’s still quite some way to go. There’s not yet a wholesale recognition and appreciation of how the advocacy landscape has changed. As a result, and with a few stand-out exceptions, most of DFAT’s digital channels suffer from the same three ailments.

First, there’s too much use of new media channels to transmit old media content. Digital media are a different format; they speak to a different audience, and require different—and more engaging—content. Good digital content is pithy, impactful and tailored, but too little of DFAT’s digital content meets that test. Using new media channels to transmit old media content (press releases and the like) ruins both.

Second, there’s a pronounced tendency for DFAT’s digital platforms to duck the difficult issues. There’s a place for building brand Australia, promoting tourism and spruiking soft news stories about Australia on digital platforms, but public and cultural diplomacy can’t be the sum total of our digital effort, or else we risk being (in the words of one insightful commentator) ‘all gums, no teeth’.9 Tempting as it is, there’s no point in running dead or lying low when a controversial issue is unfolding. This is exactly when digital platforms come to the fore and the credibility of your digital presence is tested. Too often, when a storm of controversy is raging all around them, DFAT’s digital channels bury their heads in the sand, go radio-silent, or promulgate the Panglossian fiction that all is well. If Australian nationals are set to be executed in a foreign country, or there are suggestions that the Chinese are building a military base in the southwest Pacific, or if a candidate for the Philippines presidency jokes about the sexual assault and murder of an Australian missionary, then we should expect that the relevant Australian digital diplomatic platform will have something worthwhile to say about it— to articulate our views and interests on an important issue.10 Likewise for major world events. The message must obviously reflect diplomatic realities, but to say nothing in such scenarios is simply not credible. It also lacks a prized trait of the digital age—authenticity—and so diminishes the value of the platform and treats readers as fools.

Figure 2: Twitter feed from selected foreign ministries on 12 June 2018, date of the US – North Korea summit in Singapore

Closely linked to this is a frequent failure to respond within the digital life cycle of a news story. Time differences and clearances may make this challenging, but our senior diplomats abroad have enough judgement and common sense to be trusted—indeed encouraged—to speak publicly on most issues within their patch without having every word approved by Canberra.11

Third, there’s a lack of personality in much of DFAT’s digital content. Part of the appeal of social media is its authenticity and directness—the idea that you get to know the person behind the message and can interact with them directly. But most of DFAT’s digital media content attempts to uphold the traditional division between public and private spheres. It’s stiff and aloof, and frequently non-responsive to attempts to engage. That’s an approach that may remain suitable to traditional diplomatic settings, but it jars in the flat, non-hierarchical, informal world of digital.

Operating in a new information domain: opportunities and threats

If used as part of a comprehensive strategy, the new digital world provides many opportunities to reinforce traditional diplomacy. The UK used digital tools to complement traditional diplomacy in its successful assembly of a broad coalition to respond to Russia’s apparent use of chemical weapons on UK territory, in Salisbury (Figure 3). Canada deployed a multifaceted digital campaign to support its objectives as G7 chair (notably, its initiative to tackle the problem of ocean plastics). Russia is an adept practitioner, frequently taking to digital channels to muddy the waters, promote alternative theories and create distractions when under international pressure (Figure 4). These countries have each integrated digital platforms into the prosecution of mainstream diplomatic priorities and campaigns, realising that digital tools can have a potentiating effect in support of a diplomatic campaign. In Australia, we’re yet to do this properly: we maintain an unhelpful separation between the digital realm and the mainstream diplomatic realm.

Figure 3: Part of the UK’s digital diplomatic effort to hold Russia accountable for Salisbury

Figure 4: Twitter feed from the Russian Embassy in London

Professional data analytics can be a powerful tool for this new diplomacy. Big data and network analyses can help identify online influencers and force amplifiers; track how narratives spread among online publics, and thus help to shape or combat them; allow communications that are tailored to the preferences and attributes of specific online communities; and support the rollout of sophisticated, multiphase campaigns. Most major corporate outfits use such tools, as do the diplomatic services of many foreign countries. The UK Foreign Office even has an internal ‘Head of Data Science’ position.12

Australia needs to get similarly professional and move beyond the simple counting of ‘likes’ and ‘followers’ as the metrics of digital impact.

Just as digital tools bring new opportunities to diplomacy, so they also bring new threats. They are changing the nature of statecraft, and the information domain is growing in importance as a theatre for contest between states. ‘Control of the narrative’—about what happened, about who’s at fault, about where justice lies, about what’s ‘real’ and what’s ‘fake’—is at the heart of this contest (Figure 5).

Diplomats have an important role to play here, in combating misrepresentations, squashing rumours and misinformation, and promoting their own country’s analysis and policy. Effective digital tools and good data analytics will be vital to this effort.13

Figure 5: The information domain is becoming a new theatre of state competition: textbook ‘trolling’ by two of its most capable practitioners

Similarly, today’s digital age means that disinformation, propaganda and rumours designed to influence or destabilise another country’s political system can be launched almost instantaneously, from across the globe, timed for maximum impact, and targeted towards a narrow audience (Figure 6). Unlike overt steps or traditional covert action, such measures are low-cost, low-risk and highly deniable. Russian state interference in the 2016 US presidential elections is likely to be just the tip of this iceberg.14 Although defending against such attacks is primarily the work of intelligence and cybersecurity agencies, we should expect our diplomats to be alert to the risk of such attacks and attuned to the tell-tale fingerprints. But they need to have the tools and the digital literacy to recognise, understand and engage with such information-warfare and ‘active measures’ campaigns.

Figure 6: Content identified by Twitter as originating from and spread by the Russian Internet Research Agency during the 2016 US presidential election.
Source: Update on Twitter’s review of the 2016 US election, 31 January 2018, Twitter, online.

Moving beyond social media

DFAT’s use of digital tools needs to extend far beyond social media, however. In the consular sphere, the department now does a good job in engaging with the travelling public through the digital Smartraveller platforms, but it is yet to modernise how it communicates with some of its main clients within the government. 

The Australian diplomatic network’s main form of communication remains the classified diplomatic cable or telegram. This was once one of the best—indeed one of the only—ways of communicating information and analysis from abroad in a timely and secure fashion. But while modern technology has since moved on, and the pace of events with it, the cable system has remained frozen in time. For the demands of the modern ship of state, it’s too slow, too cumbersome and too difficult to access to be of much operational use. It’s thoroughly analogue, is largely internally focused and has a steadily shrinking readership and impact.

DFAT’s continued reliance on this system as its primary means of communication needlessly restricts its audience and increasingly deals it out of policy influence in Canberra, where many of the national security agencies don’t access or don’t bother to read DFAT’s cables. The department is completely out of sync with the working habits and preferences of today’s governing class, and how they wish to receive information. It doesn’t connect easily or widely to other agencies. Consequently, DFAT’s analysis and advice from its overseas network—one of its main value propositions—is underutilised and undervalued, with implications for policy influence, credibility and the contest for finite government resources.

DFAT must create and foster new methods of communication that are timelier, more accessible and more relevant. There should be different information products for different purposes and different audiences, and the cable system should be only one of several ways in which our diplomats convey information and analysis. As just one suggestion, why not create the equivalent of an encrypted Telegram group or closed Twitter feed that allows non-sensitive but time-critical reporting from across the diplomatic network, with a smattering of judgement and analysis, to be accessed by decision-makers in news-feed style from their handheld devices? Figure 7 shows what it could look like: daily headline take-outs from across our diplomatic network, designed for decision-makers without the time, ability or appetite to wade through the cable system (but with links to more comprehensive analysis). There would still be a place for more detailed reporting and analysis (perhaps accessed via links to a secure cloud-based site), but that, too, should be in a form that reflects the habits and preferences of the readership. Newspapers have made the painful transition away from print and towards new media. DFAT should walk the same path.

Figure 7: Illustrative example of a sample DiploFeed from 2018 (fictional infographic only—does not represent the views of DFAT or its posts)

Rethinking diplomacy

We need to rethink how we do diplomacy in the digital age. A diplomatic presence shouldn’t always have to mean an embassy or a chancery, with all the expense and infrastructure and security overlay that entails. Modern-day communication tools are so powerful that we should rightly expect our diplomats to operate more self-sufficiently, just as foreign correspondents do. There are many parts of the world where Australia would benefit from greater diplomatic representation—we have one of the smallest diplomatic footprints of any country in the OECD, after all 15 —but where we have none because the entry costs to establish a full embassy are so high. Digital tools have brought those barriers to entry down. There should no longer be a minimum viable size for an embassy. We should consider an ‘embassy-lite’ or one-person post in countries where we could do with a presence but can’t justify a fully fledged embassy. With DFAT’s ‘pop-up embassy’ in Estonia, Australia has made a small start down this path. We should continue.16

Similarly, we must assess whether states and international organisations are the only external actors that are worthy of a dedicated diplomatic presence. We should look at creating dedicated ambassadors to the tech giants of Silicon Valley, as France and Denmark have done.17 The FAANGs— Facebook, Apple, Amazon, Netflix and Google—are now immensely important international actors in their own right. Together, their market capitalisation is US$3 trillion, but it’s their business model and ubiquity as much as their size that make them key actors for states. We have issues at stake with each of them—from privacy to taxation, from counterterrorism to cyber-interference and national security capabilities. Similarly for the major Chinese tech giants, the BATs (Baidu, Alibaba and Tencent), whose enduring influence might prove to be greater and about which we know and understand far too little.

Why not have ambassadors dedicated to building and managing these critical relationships, which are surely as important as our relationships with some of the smaller countries where we maintain a diplomatic presence?

In order to modernise diplomacy, Australia needs to begin envisaging the diplomatic network in a different way. Whereas in the past the government provided the network and infrastructure for traditional diplomatic interactions, the erosion of that monopoly means this network is at risk of becoming an underutilised asset. The flag and the chancery, the titles and the flummery, still count for a lot, as do the local networks, contacts and expertise, but how do we get more out of those assets?

The answer lies in broadening our conception of an embassy. We should be using our overseas presence as a platform and enabler to advance our interests across a much broader spectrum, and for a much broader set of stakeholders. Trade, economic and commercial diplomacy have always been traditional partners in this respect, but we need to look much further afield. How can we use the overseas network to support collaboration in innovation and research? How can we use our embassies to keep Australia on the cutting edge of public policy? What value or perspectives from overseas can be brought to bear on some of the major challenges in Australian domestic policy? These areas will depend on the complementarities and opportunities that exist, but they shouldn’t be treated as the poor cousins of traditional diplomatic work. The challenge is to conceive of the embassy as a facilitator of productive interaction and a broker of relationships—a creative hub of networks—and to find creative, non-traditional ways to use the overseas network to advance Australian national interests across the full spectrum.

Finally, DFAT needs to adopt some of the nimbleness and agility of the tech world. The bureaucracy is still far too slow to adopt reform and changes, partly because it insists on any changes happening wholesale, only after painstaking deliberation, and in a culture that focuses debilitatingly on downside risk and punishes failure. Why not encourage internal innovation, meaning different ways of delivering the same product? Promote experimentation and differential approaches. Test new platforms and business models. Run some pilots, iterate and adjust, gather the evidence, and see what works best. Don’t insist on homogeneity. Tolerate some screw-ups and failures and learn from them.18 This is the secret to innovation and continuous improvement, and it’s essential if our diplomatic services are to keep pace with the modern world.

Recommendations

  1. Commission an independent review of DFAT’s digital diplomacy efforts.19 The review should examine the department’s digital capabilities, assess the digital operating environment for Australian diplomacy, and make recommendations to improve Australia’s digital diplomacy effort.
  2. Treat digital diplomacy as core tradecraft, rather than optional add-on. Provide compulsory digital platform training for all outgoing heads of mission.
  3. Encourage healthy internal competition and innovation. Generate a monthly scorecard highlighting the best digital performers and posts. Promote and celebrate the successes.
  4. Pilot more sophisticated data analytics tools to analyse and measure impact, reach and engagement—and adjust tactics accordingly. Appoint a Chief Data Scientist to harness and employ data in the service of diplomacy.
  5. Develop and pilot a new stream of diplomatic reporting that’s punchier and timelier and reaches a broader audience on hand-held devices.
  6. Create new positions of ambassador to Silicon Valley (based in San Francisco) and ambassador to China’s tech giants (based in Beijing).
  7. Increase avenues to engage the Chinese public via Chinese social media platforms. This expansion should include dedicated Weibo accounts for the positions of Prime Minister and Foreign Minister.20
  8. Run a pilot of ‘embassy-lite’ or one-person posts. They’ll be more substantial and enduring than the ‘pop-up embassy’ in Estonia but still substantially lighter in footprint than a fully fledged diplomatic mission.
  9. Encourage innovation and experimentation in the conduct of digital diplomacy. Highlight and champion successes. Learn from (but don’t punish) the inevitable failures. Use DFAT’s Innovation XChange in this task, but broaden its focus beyond the aid program and extend its remit into mainstream diplomacy.
  10. Recognise that our overseas network is an underutilised asset. Find creative but non-traditional ways to use it to advance Australian national interests. Conceive of embassies as hubs and connectors for a broad set of interactions. Highlight and promote the strong performers (sending the cultural signal to others).
  11. Create a Twitter account for the Secretary of DFAT to internally signal the importance of digital diplomacy, to provide a further mouthpiece for Australian interests, and to give the public insight into the important work that Australia’s diplomatic service does every day.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

The ASPI International Cyber Policy Centre’s mission is to shape debate, policy and understanding on cyber issues, informed by original research and close consultation with government, business and civil society.

It seeks to improve debate, policy and understanding on cyber issues by:

  1. conducting applied, original empirical research
  2. linking government, business and civil society
  3. leading debates and influencing policy in Australia and the Asia–Pacific.

We thank all of those who contribute to the ICPC with their time, intellect and passion for the subject matter. The work of the ICPC would be impossible without the financial support of our various sponsors.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.

© The Australian Strategic Policy Institute Limited 2019

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

  1. Department of Foreign Affairs and Trade (DFAT), Social media, Australian Government, no date, online. ↩︎
  2. See, for instance, Fergus Hanson, ‘DFAT the dinosaur needs to find Facebook friends’, The Australian, 23 November 2010, online. ↩︎
  3. See twiplomacy, online, for rankings across a number of dimensions. ↩︎

Huawei and Telefunken: Communications enterprises and rising power strategies

This Strategic Insight, examines Huawei through a historical lens. It identifies strong parallels between the industrial policy adopted by Germany in the early twentieth century to cultivate a ‘national champion’ in communications – Telefunken – and the Chinese party-state’s support for Huawei since its formation in 1987.

It demonstrates that Huawei and Telefunken both benefitted from guaranteed government orders for their hardware, protected domestic markets, long-term backing from national financial institutions, and diplomatic support for overseas expansion. These policies increased the firm’s competitiveness on the world market, facilitating the development of national capacity in advanced communications. The development of capacity in communications brings strategic benefits for a rising power – allowing it to escape dependence on the outside world for vital infrastructure, build capabilities with potential military applications, and build geostrategic influence in key regions.

18 years and counting

This report provides a general overview of what successive Australian governments have done since 9/11 to counter the threat posed by Salafi-jihadi to the maintenance of international peace and security, to regional security and to domestic security.

Since 2014, the threat level in Australia has been assessed as ‘Probable’, which means that credible intelligence exists to indicate that individuals or groups continue to possess the intent and capability to conduct a terrorist attack in Australia. Both Melbourne and Sydney have featured in jihadist videos and publications.

Jemaah Islamiyah: An uncertain future

The reappearance of JI has major relevance for Australia given that Indonesia is a large and important strategic partner; any threats to Jakarta’s internal stability must therefore occupy a central place in Canberra’s foreign, defence and security calculations.

This is especially true at a time when Australia is seeking to court a closer relationship with Indonesia in response to Beijing’s increased assertiveness in the region and its uncompromising stance on territorial disputes in the South China Sea. At the same time, Australia has been directly caught in the cross-hairs of JI’s past violent activities, with the 2002 bombings in Bali remaining the largest loss of life to a terrorist attack in the nation’s history. 

Australia could do several things to help Indonesia in dealing with the re-emergent JI threat:

  • First, the scope of support that Canberra is currently providing for Jakarta’s evolving strategy of countering violent extremism could be further expanded, particularly by better leveraging civil society organisations in program design and implementation.
  • Second, advice could be rendered on how best to ensure that kinetic counterterrorist responses don’t boost the JI missive that Jakarta’s secular order is inherently biased against the country’s Muslim interests.
  • Third, assistance could be provided to support reform of the national penal system, which in many respects continues to act as an important incubator for terrorist indoctrination and recruitment.
  • Fourth, best practices for restricting online vectors for disseminating extremist propaganda could be shared. Assisting with the development of the nascent Bandan Siber dan Sandi Negara (National Cyber and Encryption Agency) would be useful in this regard.
  • Finally, Australia could serve as an intermediary between Jakarta and Manila for determining whether there are any concrete indications that JI is seeking to reconsolidate its logistical presence in Mindanao. One potential mechanism that could be leveraged to promote this dialogue is the existing trilateral commission supporting Malaysia–Philippines–Indonesia (MALPHINDO) naval patrols in the Sulu and Celebes seas.

Preparing for the Era of Disasters

Preparing for the Era of Disasters, a new ASPI Special Report by Dr Robert Glasser, warns that we are entering a new era in the security of Australia, not because of terrorism, the rise of China or even the cybersecurity threat, but because of climate change.

As the world warms beyond 2°C, as now seems increasingly likely, an era of disasters will be upon us with profound implications for how we organise ourselves to protect Australian lives, property and economic interests and our way of life.

The Report surveys the features of this emerging era of disasters including an increase in concurrent extreme weather events and in events that follow in closer succession. Communities may manage the first few but, in their weakened state, be overwhelmed by those following. Large parts of the country that are currently marginally viable for agriculture are increasingly likely to be in chronic crisis from the compounding impacts of the steady rise of temperature, floods, drought and bushfires. Dr Glasser contends that the scale of those impacts will be unprecedented, and the patterns that the hazards take will change in ways that will be difficult to anticipate.

He notes that this emerging Era of Disasters will not only increasingly stretch emergency services, undermine community resilience and escalate economic costs and losses of life, but also have profound implications for food security in our immediate region, with cascading impacts that will undermine Australia’s national security.

Dr Glasser outlines a number of steps the Australian Government and the state and local governments should begin taking now to prepare for the unprecedented scale of these emerging challenges, including:

  1. scale-up Australia’s efforts to prevent the effects from natural hazards, such as from extreme weather, from becoming disasters through greater investment in disaster risk reduction.
  2. increased planning for financial support to States for economic recovery following disasters and “fodder banks” and “land banks” to address the needs of communities in chronic crisis and the permanently displaced.
  3. strengthening disaster response capacity and planning at all levels, including in the military which will play an increasingly important role in transporting firefighters and equipment, fodder drops from helicopters and the provision of shelters, etc.  Joint task forces to coordinate the defence contribution, like the one established during the Black Saturday Victorian bushfires, will become increasingly necessary.
  4. ensure that flood and bushfire risk maps, building codes, planning schemes, infrastructure delivery and the supporting legislation fully embed consideration of climate change effects.

Counterterrorism Yearbook 2019

The Counterterrorism Yearbook is ASPI’s annual flagship publication curated by the Counter-terrorism Policy Centre, now in its third year of publication.

It is a comprehensive resource for academics and policymakers to build on their knowledge of counterterrorism developments in countries and regions around the world.

Each chapter in the yearbook is written by an internationally renowned subject-matter and regional expert who provides their insight and commentary on counterterrorism policy, legislation, operations and strategy for a specific country or region, looking at both the year in review and the challenges for the year ahead.

Publication launch

Agenda for change – 2019

In 2018, many commentators pronounced the rules-based global order to be out for the count. This presents serious challenges for a country such as Australia, which has been an active contributor and clear beneficiary of that order. The government that we elect in 2019’s federal election will be faced with difficult strategic policy choices unlike any we’ve confronted in the past 50 years.

This volume contains 30 short essays that cover a vast range of subjects, from the big geostrategic challenges of our times, through to defence strategy; border, cyber and human security; and key emergent technologies.

The essays provide busy policymakers with policy recommendations to navigate this new world, including proposals that ‘break the rules’ of traditional policy settings. Each of the essays is easily readable in one sitting—but their insightful and ambitious policy recommendations may take a little longer to digest.

Previous Agenda for change publications are also available here: 2016 and 2013.

Launch Event

Australia’s cybersecurity future(s)

It’s January 2024. Does Australia still have the internet?

Introduction

Australia wants to create a future for cyberspace that’s open, free and secure, but that future is not assured. According to Dr Tobias Feakin, the Ambassador for Cyber Affairs, ‘Australia’s vision … and our ambitions across the broad spectrum of cyber affairs are impossible to achieve alone.’1 Key drivers are outside of the country’s control. The government can—and should—advance a positive vision, but Australia might not get its way.

What if the future of cybersecurity looks different from what we hope or expect? This is a hard question to answer. Day-to-day concerns demand our immediate attention, and, when we think about the future, we tend to extrapolate from current trends. As a result, we’re shocked or surprised by discontinuous change, and woefully unprepared to face new realities. The risk is particularly acute in cybersecurity, in which rapidly changing technologies combine with diverse social and political forces to create unexpected consequences. Therefore, as difficult as it is to rethink our assumptions about the future, failing to do so could be dangerous.

This report uses scenario analysis to examine one such future: a world where cyberspace is fragmented in the year 2024. Contrary to the ambition of Australia’s International Cyber Engagement Strategy, cyberspace is neither open nor free in this scenario. We analyse what that implies for cybersecurity. In particular, we examine the challenges and opportunities that Australian policymakers may face in the future and wish they had planned for in our present.

We conclude that Australia will be caught in the fray if the internet breaks apart. While this scenario isn’t all bad, Australia could be forced to fend for itself in an increasingly dangerous neighbourhood. The scenario isn’t a forecast or prediction. It’s a compelling narrative to provoke new thinking and critical discussion about what Australia must do now to prepare for different cybersecurity futures.

Our approach is as follows. First, we explain the methodology. Second, we identify the forces of change that drive this scenario. Third, we interact these drivers to describe one possible world in 2024. Finally, we highlight the strategic choices and challenges that this scenario raises for Australia.

Scenario analysis

Scenario analysis is a methodology for critical thinking about alternative futures. It was pioneered at RAND in the 1950s by Herman Kahn in his attempt to ‘think the unthinkable’ about thermonuclear war. The method was further developed by Pierre Wack and Ted Newland at Royal Dutch Shell, where scenario analysis was credited with anticipating the possibility of oil shocks during the 1970s.2 It’s now commonly used in industry and government. For instance, scenario analysis informs the US National Intelligence Council’s quadrennial Global trends report.3 It’s also applied by the Center for Long-Term Cybersecurity at the University of California, Berkeley, in reports on Cybersecurity futures 2020 and Asian cybersecurity futures.4

The goal of scenario analysis is to ask and, ideally, answer ‘what if’ questions about how different drivers of change—social, political, economic, technological—could combine to produce discontinuities and thus different possible worlds. This approach is forward looking. We apply it to imagine Australia’s cybersecurity environment circa 2024. It may be unsettling. Following best practice, we sought to simplify and then exaggerate the drivers of change in order to throw an alternative and perhaps undesirable future into sharp relief. Nevertheless, scenario analysis is still rooted in reality.

The propositions behind this qualitative analysis are plausible, the narrative is internally consistent, and the results reflect expert consultation.

This report breaks from the norm of scenario analysis by focusing on one of many possible futures.

Our focus is not predictive, however. We do not argue that internet fragmentation is probable or likely to play out as per this scenario. We do suggest that this kind of future is significant because it challenges Australia’s preferred vision for an open, free and secure cyberspace. Fragmentation is also a significant concern in internet policy.5 Furthermore, while it may be a single scenario, a fragmented world contains different environments or ecosystems, and analysing that diversity helps compensate for our focus on only one potential future. The challenges and opportunities of such a future therefore warrant special consideration (just as other scenarios warrant further research). Rather than fight the scenario, we encourage you to ask: What would Australia need to decide and do differently for cybersecurity if it confronts this world in 2024?

Drivers of change

Our scenario depicts the interplay or interaction effects of three hypothetical drivers for change: Asia online, tech giants, and great-power conflict. While none is certain, each premise is plausible. More importantly, the resulting scenario is not a linear extrapolation or forecast based on any single trend. It’s the combination of drivers that could contribute to internet fragmentation and result in a cybersecurity environment markedly different from today’s.

Asia online

First, the number of users, devices and applications in Asia grows substantially over the next five years. We imagine that internet penetration in the region grows faster than expected, jumping from less than 50% today to more than 80%, so that more than 3.5 billion people are online in Asia. As a result, there are as many people online in this region come 2024 as the total number of internet users around the world in 2019. By 2024, Asia is also home to more than 15 billion connected devices.

We assume that this rapid expansion of connectivity is unrivalled in other regions. It roughly correlates to Asia’s youthful and growing population, as well as its economic power as the new centre of the global economy. However, economic and political opportunities remain unevenly distributed over the next five years, as is the region’s digital transformation. Most web traffic in Asia is mobile, but connection speeds vary greatly across the urban–rural divide, and economic growth hasn’t reduced economic inequality.

Tech giants

Second, we posit large and locked-in technology platforms as another driver for change. Although new applications flourish over the next five years, we assume that the underlying technology stacks, layers or platforms upon which those applications are built resemble a few large tectonic plates. And those platforms are increasingly dominated by a handful of huge corporations.

Tech giants dominate the user experience, software development and hardware. For most people in 2024, ‘cyberspace’ is difficult to distinguish from megabrands such as Google, Apple, Facebook, Amazon and Microsoft, or, similarly, Alibaba, Tencent, Baidu, Sina Weibo and Huawei. These companies also dominate the marketplace for talent. Regardless of where they work, most software developers work with toolkits and application program interfaces that plug into a dominant platform. Proprietary software developed by tech giants enjoys a home-field advantage over apps built by third-party providers. Industry concentration shapes hardware and telecommunications infrastructure as well, including the ‘internet of things’ (IoT). On the one hand, we imagine that connected devices are ubiquitous and produced by a plethora of manufacturers in 2024. On the other hand, in many markets, many of these connections are mediated by platforms, hubs and bridges dominated by the ‘Big 10’ tech giants.

Great-power conflict

The third driver is strategic competition and conflict between great powers. We posit a multipolar world in 2024. No great-power concert has emerged to manage territorial conflicts or the myriad state and non-state cyber operations. The US remains the only superpower with global reach, but that reach is rivalled by China’s, especially in the Pacific and Indian oceans. US power projection into the region is further limited by budget constraints (accentuated by an ongoing recession), as well as costly commitments to fighting in the Middle East and deterring a weak but assertive Russia. While NATO endures, nationalism and populism have fuelled extreme swings in American and European politics, fraying the alliance. ANZUS endures as well, but the US lacks a coherent strategy towards Asia in 2024. As a result, the US military posture isn’t supported by consistent political and economic policies.

Meanwhile, China has continued to rise. The Middle Kingdom is a middle-income country in 2024, with a nearly $15 trillion economy. Its One Belt, One Road and Digital Silk Road initiatives have established Chinese infrastructure, standards and platforms in several neighbouring economies. However, this economic and strategic agenda is resisted by India in the south and Russia in the north, along with European and American interests in Africa and Oceania. We posit that the Chinese economy has not dipped into recession, although its officially reported growth rate of 3% in the last quarter of 2023 is viewed with considerable scepticism. In China, as elsewhere, economic angst and nationalism have increased variability in foreign policy and contributed to competition and conflict in the region.

2024: Fragmented world, fragmented internet

In this scenario, Asia comes online but cyberspace fragments by 2024. Years of mounting tensions between the US, China, Russia and Western Europe have combined with entrenched platform technologies to result in a world where the internet—singular—is a thing of the past. The ‘World Wide Web’ is anachronistic. Instead, there are several weakly connected internets, each of which contains content and services that are largely inaccessible from outside the same country, region or bloc. There are tunnels through these walled gardens, but few users beyond specialists, spies and criminals have the skill or inclination to use them. Most users’ online access and experience is mediated and monitored by whichever tech giants enjoy official sanction in their local market. In most places, ‘social media’ are just media, and the IoT is just things.

The world’s largest internets are American and Chinese. Access to each correlates with physical proximity to the US or China, coupled with the broader user base of their respective tech giants. In particular, the American internet is accessible in most of the Western Hemisphere (corresponding to the American and Latin American regional internet registries). It’s also accessible in Western Europe, but tensions across the Atlantic have combined with divergent data protection and antitrust regulations, fuelling the emergence of a continental internet in the remnants of the European Union. Russia’s national internet is effectively cordoned off by internal information controls (heightened following the death of Vladimir Putin), combined with external blocking of untrusted traffic (Russian IP addresses being equated with criminal or intelligence operations and rejected by most border routers). National networks have also emerged in North Korea, Saudi Arabia and Venezuela. In addition to indigenous applications, the governments that regulate these and similar shards of cyberspace typically contract with Chinese or American firms to build platforms that are closed and customised for local censorship and surveillance.

Figure 1: Internets of the region, 2024

Enter the dragon

Like the Belt and Road Initiative, or the Nine-Dash Line, geography is a notable feature of the Chinese internet in 2024, which is portrayed as several concentric circles. Domestic services and content sit at the centre, behind the Great Firewall. China’s ‘Social Credit’ system hasn’t proved particularly effective in regulating behaviour offline; a goth-like fashion trend dubbed ‘false negative’ has even emerged to frustrate facial recognition. Nevertheless, China has become a nearly cashless society, and both big data and artificial intelligence are used to effectively monitor most online activity. The incidence of malware has decreased dramatically, and domestic cyber incident response is well coordinated.

Some cybersecurity experts worry that foreign intelligence services are exploiting the backdoor access required by China’s regulation of commercial encryption, yet the government denies any such allegation.

Outside the Great Firewall, similar services and content are available to those individuals, organisations and countries that use the platforms provided by China’s tech giants (or their local affiliates). Many do, particularly in Asia. By default, users in this second ring give their data to Chinese service providers.

Most of that information is stored on servers inside China. The outermost ring consists of custom networks that China has built but for which—purportedly—it has handed information controls over to the client, such as for the heavily restricted mobile apps recently launched in North Korea.

The Western Front

For many users in the US, the American internet in 2024 appears similar to the World Wide Web in 2019. A similar set of tech giants from Silicon Valley and Seattle dominate the market. Their proprietary platforms seem to seamlessly integrate users’ digital lives. Toddlers are frequently reported to perceive voices such as Google Home and Amazon Echo as disembodied members of their families. Data breaches of personally identifiable information are so common as to rarely make news; occasionally, car fleets and wired housing developments that have been bricked by cyberattacks make headlines. Net neutrality remains contentious and partisan. Demands from law enforcement for data collected by bystanders’ wearable tech during the Denver bombing in 2022 have ignited another round of debate over encryption (a debate joined by lobbyists for fintech and cryptocurrencies).

Lobbying by tech giants, fractious domestic politics and anti-statist ideology limit US federal regulations on cybersecurity. One exception is wireless broadband. A government-sponsored, industry-led consortium has rolled out a mobile network called US5G. Chinese companies are banned from building this infrastructure. Likewise, Chinese and Russian cybersecurity software is banned from use on US Government computers. The Security and Exchange Commission has also imposed reporting requirements on cryptocurrencies and initial coin offerings. Domestic information sharing has improved modestly after years of concerted attacks against critical infrastructure, but individual users still have little recourse, and the quality of cyber insurance is variable. US diplomats pay lip service to ideas such as ‘internet freedom’ and ‘cyber norms’ when they criticise authoritarian regimes, but the promotion and practice of the American internet abroad is largely determined by the commercial strategies of its tech giants.

Figure 2: The US5G logo

Fault lines

Asia is a contested zone in 2024. The US and China vie for power in the region while Chinese and American firms compete for market share. Unfortunately, the US and China appear caught in the ‘Thucydides trap’, as the rising and ruling powers jostle near the brink of armed conflict.6 War was narrowly averted in 2022 following a naval skirmish in the South China Sea that killed 65 sailors and marines aboard American and Chinese warships. Patriotic hacking—both state-sanctioned and self-radicalised—during this incident was intense and occasionally destructive. Since then, submarines have been reported patrolling undersea cables in the Pacific. In addition, real and imagined instances of Chinese and American firms facilitating offensive cyber operations by military and intelligence agencies have driven yet another wedge between their rival internets.

On the one hand, countries in the Indo-Pacific enjoy more choice than those in the Western Hemisphere, since the American and Chinese internets are both viable options in this region. Some countries are choosing to bandwagon with China. In 2024, Alibaba, Tencent, Baidu, Sina Weibo and Huawei are providing a bundle of telecommunication, media, IoT and financial services called WeConnect. This bundle has proved remarkably popular in Malaysia, for instance, and among the Chinese diaspora across Asia. WeConnect has also increased internet access in Myanmar and Cambodia by an order of magnitude: millions of their people have leapfrogged from having no phones to using Chinese smartphones overnight. In contrast, Japan uses the American internet as a matter of policy, and most users in Indonesia and the Philippines remain locked into Facebook and Google. India is non-aligned (despite the prevalence of American platforms), and Pakistan is hedging its bets (despite widespread adoption of WeConnect). Competition and choice between American and Chinese internets are fuelling digital innovation across the region.

On the other hand, innovation in this scenario is not improving global integration. Choosing one internet increasingly means forgoing access to others. Chinese and American cybersecurity standards are not compatible. Nor is compatibility of much interest to the tech giants. Years of national tariffs, investment restrictions, divergent regulations and export controls have limited their sales in the others’ domestic markets. Combined with the US5G network, these policies have forced American firms to shift away from Chinese suppliers. Similarly, the ‘Made in China 2025’ initiative has made Chinese tech giants more self-sufficient. The US–China skirmish in 2022 accelerated the disintegration of once highly integrated supply lines and manufacturing. When competing for customers in Asia, the tech giants are incentivised to collude within their own internet and exclude foreign rivals.

Moreover, the range of choice in this region comes at considerable cost. While some aspects of cybersecurity have improved inside Chinese and American internets, those improvements are lost in the mixing zones between them. Cheap, outdated and counterfeit technologies are most vulnerable, enabling cybercrime in 2024 to cost Asia as much as $3 trillion per year. Ransomware, DDoS by IoT botnets, cryptocurrency fraud, industrial espionage, election interference—all are common, especially at the local level. Diverse technology limits the spread or scale of most attacks, but it also provides criminals with many smaller targets of opportunity outside the Great Firewall. Jumbled laws across different jurisdictions also provide safe haven for state and non-state actors to launch attacks and hide ill-gotten gains. In this scenario, data protection isn’t imagined to be a top priority for hundreds of
millions of people who are coming online for the first time. Even more than the American internet, the Chinese internet in 2024 owes its success to users willing to forgo privacy in exchange for access and convenience. The appetite for adopting digital technologies in this contested environment is a recipe for legal and illegal innovation alike.

Moving forward: strategic choices and challenges for Australia

The world that we describe would have serious implications for Australian cybersecurity. At least three lessons stand out in our analysis.

Australia will be caught in the fray

In this scenario, China remains the primary pillar of the Australian economy and the US remains Australia’s security guarantor. Australia won’t want to take sides, and with good reason. But the digital economy may prove more sensitive to geopolitical tension than other markets, in which case Australia could face tough choices in cyberspace sooner rather than later.

The costs of choosing either an American or a Chinese internet could be significant, though not equal. Not choosing could be costly as well. While a mediating, brokering or hedging strategy may prove the lesser evil, it may also make Australia the target of intense pressure. Domestic affairs could become a microcosm of fierce regional competition. Potential outcomes include foreign surveillance, censorship and the manipulation of Australian markets, networks and politics. Chinese platforms are particularly suspect, but American technologies aren’t above reproach. How will federal, state and local governments respond in March 2024, for example, if mass student protests in Melbourne are manipulated through WeConnect? How much more difficult will whole-of-government policies and operations be, even at the federal level, if the tensions between cybersecurity and economics become increasingly pronounced?

29 November 2023

Australian Fintech Firm Shuttered:
US Alleges Data Manipulated by China

The Sydney-based cryptocurrency exchange TransPacific Ledger (TPL) was forced to shut down last night, less than a day after the discovery of data irregularities in trading worth more than $1.5 billion.

TPL suspended operations after the firm was implicated in the crash of blockchain backed indexes in the United States. Trading data brokered by TPL may have been manipulated in high-speed transactions between the US and China.

A darling of the Sydney start-up scene, TPL had been seen as a trusted and profitable intermediary between American and Chinese financial markets. ‘We have a sales office in Hong Kong, we’re fully licensed in Australia, and we comply with all US regulations,’ said TransPacific CEO Ed Jones in an interview last month.

However, US cryptocurrency exchanges crashed on Monday when irreconcilable discrepancies were reported across several ledgers. ‘TPL appears to be the common link,’ according to the White House press secretary, ‘but China is behind the bad data.’ US intelligence officials point to recent advancements in Chinese quantum computing, claiming that these computers could hack the authentication protocols behind blockchain. ‘Maybe this was an experiment that got out of hand,’ said one anonymous source.

Beijing brusquely rejected these claims. ‘False accusations accomplish nothing,’ according to one government spokeswoman. Prominent voices in Chinese media are now blaming unnamed criminals in Australia and demanded their immediate extradition.

The Australian Securities and Investments Commission is working with the Australian Signals Directorate in its investigation. Neither agency was available for comment. The ASX lost 5% after news about TPL broke on Tuesday.

Please note: the above is a fictional article created by the authors for the purpose of this report.

By straddling both internets, both networks could be used to push and pull divisions in Australian government and society. Moreover, even if Australia tries to straddle the US and China, other countries in Oceania may decide differently. For instance, how will Canberra respond if Papua New Guinea, Bougainville and Solomon Islands bargain to adopt the Chinese internet in 2024 unless Australia increases development assistance to expand and maintain their undersea cables? In this scenario, Australia will have to decide how much it’s willing to pay for its preferred strategy, both at home and around the neighbourhood.

Internet fragmentation isn’t all bad everywhere

As costly as straddling or choosing between American and Chinese internets would be for Australia, this isn’t a doomsday scenario. Some aspects of cybersecurity stand to improve inside each network. Harmonised standards and coordination across like-minded jurisdictions could improve incident response, information sharing (including vulnerability disclosure), patching and attribution. Technological diversity may increase at the regional and global levels, limiting the scale of any given platform and thus the extent to which attacks spread beyond any given country, region or bloc. Trust inside these networks may improve as well. For example, this scenario imagines that the average American in 2024 is relatively confident about US5G (despite expert debate about whether this network is demonstrably more secure than the Chinese alternative). Real or imagined, these security gains may make joining one club or another an attractive prospect for Australia.

Granted, the security gains inside each network are offset by friction between them. Australian policymakers will also bristle at claims by China, Russia and other authoritarian regimes that strict censorship and surveillance improve the security of their respective internets. Nevertheless, fragmentation or disintegration need be neither chaotic nor absolute. For better or worse, cross-fertilisation and ideological hypocrisy will occur as well, with American companies mirroring some of the practices used by their Chinese counterparts and vice versa.

Thursday, January 4, 2024

Mastercard and Walmart introduce a Social Credit System

Dismissing comparison to China, Walmart claims new system will help its consumers “live better” and “save money” during the US recession.

Please note: the above is a fictional article created by the authors for the purpose of this report.

Australia lives in a dangerous neighbourhood

The concurrent great-power transition and digital transformation of the region could be more turbulent than in any period in recent history. Tech giants will shape this transformation, but their commercial interests diverge from the public interest in Australian cybersecurity. In contrast to powerful corporations, international organisations such as the International Telecommunication Union appear even less impactful than usual in this scenario. Even multi-stakeholder organisations such as ICANN could be coopted or captured by commercial and geopolitical interests.

Tough Choices

Australia isn’t helpless in this environment, but it should prepare to help itself. Looking back, policymakers in 2024 may wish that preparation had started in 2019. Options include redoubling Australian efforts to champion an open, free and secure cyberspace in order to avoid the future imagined here. Advancing regional leadership, investing in capacity building and taking assertive action on shared interests may prove helpful. At the same time, however, policymakers should consider tough choices about cybersecurity in a less benign environment: 

  • Is Australia prepared to play hardball, not only with the US and China, but also with commercial tech giants, in order to advance its national interest?
  • If forced to take sides or straddle the great powers, how should Australia choose, and how can it mitigate the costs of doing so?
  • Even if there’s no defining moment (for example, President Trump or President Xi declaring ‘You’re either with us, or against us’), is muddling through on issues such as encryption in Australia’s national interest, especially if incremental decisions aggregate into a decisive choice?
  • What, if anything, can Australia do to help the next billion users in Asia come online in ways that improve rather than undermine critical aspects of cybersecurity?
  • And will a laissez-faire or, alternatively, compliance-driven approach to domestic cybersecurity suffice or prove lamentable in the years ahead?

These are important questions to answer, regardless of whether or not the scenario that we describe comes to pass. Scenario analysis doesn’t need to provide accurate predictions in order to provoke strategic thinking about the future of Australian cybersecurity.


Acknowledgements

This report was produced in collaboration between the Sydney Cyber Security Network and ASPI’s International Cyber Policy Centre. It was made possible thanks to a research grant provided by the Sydney Policy Lab. We also thank our research assistant Bryce Pereira, as well as the other experts and visionaries who provided helpful comments and feedback.

@SydneyCyber – https://sydney.edu.au/arts/our-research/centres-institutes-and-groups/sydney-cybersecurity-network.html

ASPI International Cyber Policy Centre

The ASPI International Cyber Policy Centre’s mission is to shape debate, policy and understanding on cyber issues, informed by original research and close consultation with government, business and civil society. It seeks to improve debate, policy and understanding on cyber issues by:

  1. conducting applied, original empirical research
  2. linking government, business and civil society
  3. leading debates and influencing policy in Australia and the Asia–Pacific.

We thank all of those who contribute to the ICPC with their time, intellect and passion for the subject matter. The work of the ICPC would be impossible without the financial support of our various sponsors.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.

© The Australian Strategic Policy Institute Limited 2018

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

  1. Department of Foreign Affairs and Trade, Australia’s International Cyber Engagement Strategy, Australian Government, October 2017, 7. ↩︎
  2. For background, see Pierre Wack, ‘Scenarios: Shooting the Rapids – How Medium-Term Analysis Illuminated the Power of Scenarios for Shell Management,’ Harvard Business Review (1985), 139-150; Peter Schwartz, The Art of the Long View: Planning for the Future in an Uncertain World, Doubleday, New Your 1991; Naazneen H. Barma, Brent Durbin, Eric Lorber, and Rachel E. Whitlark, ‘“Imagine a World in Which”: Using Scenarios in Political Science’, International Studies Perspectives 17 (2016), 117-135. ↩︎
  3. For example, see National Intelligence Council, Global trends: paradox of progress, January 2017 ↩︎
  4. Center for Long-Term Cybersecurity, Cybersecurity futures 2020, online; Jonathan Reiber, Arun M Sukumar, Asian cybersecurity futures: opportunities and risk in the rising digital world, Center for Long-term Cybersecurity ↩︎
  5. Among others, see William J Drake, Vinton G Cerf, Wolfgang Kleinwachter, Internet fragmentation: an overview, Future of the Internet Initiative White Paper, World Economic Forum, January 2016, online; Scott Malcomson, Splinternet: how geopolitics and commerce are fragmenting the World Wide Web, OR Books, New York, 2016; Davey Alba, ‘The world may be heading for a fragmented “splinternet”’, WIRED, 7 June 2017 ↩︎
  6. Graham Allison, ‘The Thucydides trap: are the US and China headed for war?’, The Atlantic, 24 September 2015 ↩︎

Identity of a nation

Protecting the digital evidence of who we are

Foreword

By far the greatest part of Australia’s discourse on cybersecurity is focused on the protection of systems: the software, the hardware and the communications networks that provide the access, storage and carriage of sensitive information. Without doubt, this is vitally important. After all, it is within the systems of information management that cyber vulnerabilities exist, and it is through understanding the capabilities of adversaries and vulnerabilities of systems that security can be strengthened.

But the thorough analysis of security threats requires more than just ‘capability’. We also need to assess ‘intent’. And more often than not, the intent that motivates a cyberattack is access to data. It’s the data that needs to be protected from exfiltration, manipulation or destruction, because it’s the data that holds information critical to Australia’s agency and success as a sovereign nation. To date, however, there has been very little serious analysis of Australia’s critical data assets or the national policy settings required for the proper recognition and management of this important national resource.

This ASPI report fills that gap, and comes at a crucial time as all Australian Government agencies continue on the path of digital transformation. Anne Lyons has reminded us all that our national identity assets form the heart of who we are as a nation, and her recommendations provide a sharply focused action plan for a whole-of-government policy framework that looks beyond the temporary, technology-driven threats and vulnerabilities affecting the current generation of government ICT and addresses instead the very foundation of Australia’s digital future—the precious data that defines us.

David Fricker
Director-General National Archives of Australia,
President International Council on Archives

2 minute highlights! Anne Lyons discusses her report.

Impact

Throughout history, warfare has damaged and destroyed assets vital to nations’ cultural heritage and national identity. While physical damage is often clear and immediate, cyberattacks targeting a nation’s identity—its way of life, history, culture and memory— wouldn’t have the same physical visibility, but have the potential to cause more enduring and potentially irreparable harm.

In our increasingly digital world, it isn’t difficult to imagine the types of cyberattacks we’ll be likely to face and the degree of impact on irreplaceable national identity assets.

Consider the following:

  • The discovery that digital reference legal documents had been altered could bring the court system to a halt while the integrity of the entire system is reviewed.
  • The deletion, encryption or corruption of information relating to landholdings or births, deaths and marriages would cause widespread societal disruption, stopping everything from property sales to weddings.
  • A synchronised attack on half a dozen key historical archives—such as our entire newspaper archives, historical photo databases, war records and Indigenous archives—would cause an irreplaceable loss that would be likely to cause public outrage and a great collective sense of loss.
  • Because we haven’t anticipated sophisticated attacks against the organisations holding these assets and because they’re generally undervalued, the protections in place are inadequate. And it isn’t just nation-states, but cybercriminals and hacktivists who may cause serious damage.

This isn’t just an Australian problem. Institutions and governments internationally face the same issue as truth becomes a victim of information warfare, fabricated news, and increasing and evolving cyberattacks.

Our national identity assets are the evidence of who we are as a nation—our resources, our people, our culture, our way of life, our land, our freedom, our democracy. What if we had no evidence of who we are, what we own, who governs us, where we have come from?

What’s the problem?

Like other countries, Australia is focused on protecting its critical infrastructure from cyber threats; however, there’s a serious gap in how we approach the protection of our valuable digital national identity assets.

A cyberattack targeting national identity assets has the potential to cause major disruption and collective psychological damage. Such an attack would almost certainly lead to the further erosion of public trust in Australia’s democratic institutions and our reputation internationally. Our vitally important national identity assets aren’t adequately protected, and a long-term plan to protect them is lacking. The damage that their loss would cause makes them a tempting target for the next wave of cyber-enabled political and foreign interference.1

What’s the solution?

Gaps in our protection of national infrastructure and information security need to be addressed.

Australian governments—state and federal—need to begin a systematic effort to identify and value national identity data. A closer alignment between the professional fields of digital preservation and information security is required, and a stronger focus on information governance. Australian governments need to ensure that our critical government-held national identity assets are protected and that memory institutions charged with their care are adequately funded to do so.

Until these issues are addressed, this increasingly ‘invisible’ vulnerability means that the potential loss of the digital evidence of who we are as a nation remains a sleeping, but urgent, national security priority.

Introduction

Imagine this. You wake up in 2022 to discover that the Australian financial system’s in crisis. Digital land titles have been altered, and it’s impossible for people and companies to prove ownership of their assets. The stock market moves into freefall as confidence in the financial sector evaporates when the essential underpinning of Australia’s multitrillion-dollar housing market—ownership—is thrown into question. There’s a rush to try to prove ownership, but nowhere to turn. Banks cease all property lending and business lending that has property as collateral. The real estate market, insurance market and ancillary industries come to a halt. The economy begins to lurch.

At the same time, a judge’s clerk notices an error in an online reference version of an Act. It quickly emerges that a foreign actor has cleverly tampered with the text, but it’s unclear what other parts of the Act have changed or whether other laws have been altered. The whole court system is shut down as the entire legal code is checked against hardcopy and other records and digital forensics continue. Meanwhile, a ransomware attack has locked up the digital archives of Australia’s major media organisations and parallel archival institutions. Over 200 years of stories about the nation are suddenly inaccessible and potentially lost.

As the Australian public and media are demanding answers, the government is struggling to deal with the crisis. Hard paper copies of many key documents simply don’t exist.
National identity assets are the evidence of who we are as a nation—from our electronic land titles and biometric immigration data, to the outcomes of our courts and electoral processes and the digital images, stories and national conversations we’re having right now.

Increasingly, our national footprint and interactions are digital only, including both digitally born and digitalised material, all of which is increasingly being relied on as a primary source of truth—the legal and historical evidence we rely on now and into the future.

As companies, governments and individuals scramble to protect important data and critical systems such as telecommunications and power supplies from cyber threats, we overlook datasets that are perhaps even more valuable. They’re a prime and obvious target for adversaries looking to destabilise and corrode public trust in Australia.

With 47,000 cyber incidents occurring in Australia each year2 and a permissive global environment for cyber adversaries, information manipulation and grey-zone cyber conflict aimed at disrupting nations and in particular Western democracies, the threat to our national identity assets is real. Both state and non-state adversaries have the capabilities to disrupt, distort and expropriate national identity data. What’s been lacking to date is the intent to use them this way, and intent can change fast.

Keeping national identity assets safe and accessible is vital not only for chronicling Australia’s past, but for supporting government transparency, accountability, the rights and entitlements of all Australians and our engagement with the rest of the world.

This report explores the value of Australia’s digital national identity assets and the consequences of not protecting them. The need to protect them from theft, manipulation, destruction or unlawful action may seem a given, but this review has found that our vitally important sovereign national identity data and information isn’t being adequately protected and lacks a long-term protection or preservation strategy.

Report methodology

Many national data assets are held in government digital holdings, and those assets are the main focus of this report.

More than 20 organisations across government, academia and the corporate sector were consulted and surveyed as a part of this research. In addition, 70 experts on critical infrastructure, information security, cybersecurity, digital preservation, risk management, information governance, archives and data management were interviewed. Roundtable discussions were held to explore national identity data as critical infrastructure and the international experience, as well as two workshops exploring possible scenarios and consequences.

National Identity

Defining national identity

Australia’s national identity is difficult to define. It’s a complex, ever-changing, dynamic collective of Australians and our environment, history, geography, culture and outlook.

For some, it’s the feeling shared with a group of people about a nation, expressed through patriotism, national pride and a positive emotion of love for one’s country.3 It’s a construct of common points—national symbols, language, images, history, culture, music, cuisine, radio, television, landforms—and it’s expanding. It’s the collective experience of who we are as a nation, and, while it crosses public, private and personal information, this report primarily focuses on national identity assets in government digital holdings as a key ingredient in identity and in the functioning of our nation.

Digital national identity assets are the evidence of our national identity

National identity assets are the evidence of who we are, how we see ourselves and how we relate to the rest of the world. They include high-value personal, social, legal, democratic and historical data, such as records of births, deaths and marriages; immigration records; land titles; the decisions of our courts and parliaments; and the many stories told on our screens and airwaves through social and electronic media.

Digital assets include data, digital information, multimedia, imagery and sound. They’re both digitally born (created digitally) and digitalised (analogue material digitised and available electronically). It’s our digital heritage, being created now, that defines our unique Australian identity and is essential for the functioning of our democracy, our society, our culture and our legal system.4

This report doesn’t set out to define or describe all of Australia’s national identity data and digital information, but it does recommend developing a way of identifying and valuing those assets to enable appropriate protection.

Some examples of digital national identity assets include:

  • Digitally born identity assets
    • Hansard (Department of Parliamentary Services, Parliamentary Library)
    • Indigenous War Service Project (Australian National University, Australian Institute of Aboriginal and Torres Strait Islander Studies)
    • evidence and findings from royal commissions (National Archives of Australia)
    • Australian Web Archive (National Library of Australia)
    • ABC Digital Library
    • Lindt Café siege social media collection (State Library of NSW)
    • passport biometrics and passenger arrivals (Department of Foreign Affairs and Trade, Department of Home Affairs, Border Force).
  • Digitalised assets
    • convict records (NSW and Tasmanian archives)
    • Australian Institute of Aboriginal and Torres Strait Islander Studies photographic collection
    • newspaper collections (National Library of Australia and state libraries)
    • World War I records (National Archives, Australian War Memorial, NSW State Library)
  • Hybrid analogue/digital assets
    • Fairfax photographic collection (Fairfax Media)
    • High Court decisions (High Court of Australia)
    • births, deaths and marriages records (state and territory government agencies and archives)
    • parliamentary papers and decisions (federal, state and territory parliamentary departments
    • immigration records (Department of Home Affairs, National Archives of Australia)
    • property ownership records (state and territory government agencies and archives)

Failure to protect national identity assets

Yesterday, the Australian Electoral Commission, the Department of Home Affairs and the NSW Lands Department discovered discrepancies in their election results databases, the public electoral roll, electronic land title registrations and citizenship data. Investigations haven’t identified when the problems occurred. The discrepancies make it difficult to rely on the validity of their data holdings. 

At the same time, the Department of Parliamentary Services received an anonymous report that over the past 12 months changes have been made to Hansard report proofs online. They have five days to remedy the issue before the source goes public, while public complaints, mainly through social media, have already started about digital images and material previously on the website that’s no longer available, particularly Hansard reports of new parliamentarians’ maiden speeches in the Senate and House of Representatives.

A few days ago, the daughter of a World War II veteran was interviewed on ABC Radio’s morning program in the Northern Territory. She had written to the Attorney-General complaining that her father’s war service record is no longer available. An investigation by the National Archives of Australia found that all the digitised service records for World War II on its website have been removed from the database holding and displaying them, and been replaced with images of Donald Trump, Xi Jinping, Angela Merkel and other world leaders.

Today, a major story was leaked to The Australian newspaper that implicated Australian companies involved in the 2006 royal commission into the Iraq oil-for-food program. The leaked documents were released to the public by Wikileaks. Those records are held by the National Archives. Wikileaks also announces that it will shortly be following up the leak with a release of the 2016 Census, which is supposed to be held by the National Archives and not released until 2115.

This is a fictional scenario created by the author.

Issues

A sleeping giant

The increasing vulnerability, invisibility and online exposure of our digital identity is an underappreciated national security issue.

In a global environment of increasing cyberattacks, capable state and non-state actors, information espionage and grey-zone cyber conflict aimed at disrupting nations, the threat to our national identity assets is real.

States such as Russia have demonstrated their intention to disrupt and undermine Western democracies,5 and obvious future targets for such attacks are national identity assets that are poorly protected and offer high-impact results if disrupted, corrupted or destroyed. With more than 30 countries known to possess offensive cyber capabilities,6 and cyber capabilities being in reach of non-state actors from individuals to cybercrime organisations, the number of potential adversaries able to target our national identity assets is significant and increasing.

We’ve bought into the fiction that all of the information we could possibly want to access is there, all of the time—and for all time. But the truth is that the access of future generations to our recent history is more precarious than ever.

—Kylie Walker, Chair, Australian National Commission for UNESCO

Because we’re a liberal democracy, Australian society relies at its deepest level on the trust of the citizen in the state.7

National and state government archives play the role of ‘impartial witnesses’, identifying and holding this information and holding the government to account under the rule of law and in the ‘court’ of history. Many other institutions have additional holdings that collectively form our national identity assets. We need to trust that these impartial witnesses can identify, keep and preserve this evidence. This is a matter of national security and is at the heart of our society.

Previously, victors rewrote history. Now, in the digital age, our adversaries could rewrite our present. If we aren’t vigilant, we run the risk that adversaries could destroy or manipulate our national identity assets, compromising the digital pillars of our society and culture.

If our land titles or our citizenship records were altered, what would be the result? If we lost our immigration and births, deaths and marriages data, how could you prove your citizenship? And what if that information were compromised and unreliable? What would be the authoritative source of information about Australians and their citizenship?

Public trust and perceptions

If you can’t trust the truth holders, then who can you trust?

—Rachel Botsman8

The biggest impact from an attack on national identity assets would be the resulting corrosion of trust in public institutions. As Russian interference in other countries’ elections has demonstrated, the erosion of trust is more corrosive to democracy than the win or loss of any particular candidate. Attacks on truth and trust affect individuals and nations and, while just one breach can erode trust, a concerted campaign can do much more. As US academic and commentator Zeynep Tufekci so accurately describes, ‘we are in an era where misinformation thrives and even true information can confuse and paralyse rather than inform and illuminate.’9

When more than 600 fake Facebook accounts were uncovered, linked to Russian and Iranian influence campaigns, a false and disingenuous dialogue and history were created.10 We’ve already seen the manipulation of video become a reality,11 and, as Peter Singer describes in his latest book, Like war, propaganda has been weaponised en masse and is now threatening democracies.12 Fraud and fakery aren’t new—they’re just happening in a new hi-tech domain, with the potential to do much greater damage at scale. It’s inevitable that they’ll expand into historical data and information. 

For example, in 2008 a British historian added 29 fake documents over five years to write a fake history of members of the British royal family collaborating with the Nazis during World War II.13 Closer to home, between 2007 and 2015 the Western Australian Registrar of Births, Deaths and Marriages removed vital information about Aboriginality and illegitimacy from birth certificates because the registrar deemed it too distressing for people.14 While not fraud, or an external attack, it was an intentional changing of evidence that could have major repercussions personally, socially and historically.

Cybercriminals have already taken individuals’ and organisations’ data ‘hostage’ by encrypting it and demanding ransom to decrypt it. The good news is that this has yet to happen to national identity holdings.

As the physical world meets the digital world, protecting and securing authentic data has become an ongoing challenge. So, who will hold the source of truth, and how will people know whether they can trust the source?

Vulnerability and invisibility

Recent studies by the University of NSW and University of Canberra identified examples of Russian targeting of Australian voters in 2017.15 Our universities, businesses and governments are under a constant attack in which 400 Australian companies were targeted in 2017.16 Countries such as Israel,17 Iran,18 North Korea, China19 and the US20 are also known to have publicly used malicious cyber actions against other nations, including Australia.21

A future frontier for these attacks is likely to be national identity assets, but despite this there’s a lack of engagement and awareness in government and the community about the safety and security of those assets and the government institutions that hold them, and a lack of care about data and information security more generally.22

Our critical infrastructure, defence, border security, privacy, personal information and economic assets attract the headlines, the attention and ultimately the dollars. There’s no strong narrative about the need to protect holdings of digital national identity assets nationally or internationally. Many memory institutions find it difficult to be heard and secure funding, except when the need involves Australia’s military history, or when a tragedy occurs, such as this year’s devastating fire at Brazil’s National Museum.23

The ravages of time

Digital assets aren’t as resilient as most analogue or paper forms and decay over time, including through degradation, obsolescence or the breakdown of computerised information. All digital material is prone to some sort of decay (sometimes known as ‘data rot’).24 This doesn’t take long, particularly with the current speed of technological change and growth in the quantity of data.

All organisations need to be aware of potential decay that can make their information and data unusable.

Resourcing and capability of institutions

Australia’s ultimate information and data custodians— the memory institutions, such as national and state archives, records organisations, libraries and other cultural institutions—struggle to keep even their basic services afloat, let alone to protect and preserve digital heritage and national identity data.

The current parliamentary review of national institutions in Canberra is evidence of that.25

The committee has received numerous submissions and testimonials from the heads of cultural institutions decrying the consequences of continued funding cuts.26 Although a handful of agencies have recently received one-off funding for digital initiatives, the National Archives of Australia, which holds some of the government’s most valuable and sensitive information, unsuccessfully sought funding to build a secure digital archive five times over the past 10 years. Recently, it received an adverse finding in the Australian National Audit Office’s latest cyber resilience audit for not meeting all essential information security requirements.27

Fair funding

A great deal of effort, funding and focus is placed on protecting critical infrastructure such as roads, communications and ports, as well as classified and sensitive information, but the same can’t be said of our national identity data, or of the national and state institutions that protect and provide access to those digital assets.

Digitalisation of information is only going to increase; most Australian governments are committed to being fully digital within the next few years. As custodians of the bulk of national identity data, government agencies have a responsibility to protect it from birth over its life. And, with the creation and retention of fewer paper traces, accessing and preserving this information is becoming more complicated.

Of the 20 government agencies and universities surveyed as part of this project, the rate of change, scale, complexity and resourcing were identified as the biggest problems facing them in their quest to protect our digital information and assets.

Figure 1: Some survey results

A crowded ungoverned space

The plethora of information, data, cyber and security protocols, strategies, policies, frameworks, legislation and agencies involved at the federal and state levels in Australia is confusing and inconsistent. At least 20 organisations are involved in information and data policy, protection and management in the Australian Government space alone. 

In 2015, when it released its Digital Continuity 2020 policy,28 the National Archives of Australia had already recognised the urgent need for information governance, and this was reiterated in the Open Data Initiative as part of Australia’s first Open Government Partnership National Action Plan in 2016.29 The Digital Continuity 2020 policy required agencies to have information governance frameworks and information governance committees in place by June 2016. By September 2017, only 64% of Australian Government agencies had achieved the latter.30

This policy needs to be extended to include governance and coordination at the whole-of-government level to ensure the robust and reliable management of national identity data.

The way forward

Include national identity assets within the critical infrastructure framework

Government archive material, must be considered as equivalent to any critical national infrastructure, given its value to national identity, values, history.

—David Irvine, Chair, Foreign Investment Review Board

Critical infrastructure is firmly in the sights of those conducting cyberwarfare and industrial sabotage.31 Cyberweapons can turn off power grids, derail trains, cause offshore oil rigs to list, turn petrochemical plants into bombs and shut down factories.32

Attacks are increasingly common and becoming more sophisticated. Ukraine’s energy sector was the target of a Russian cyberattack in 2015 that caused power outages that affected more than 200,000 citizens,33 and in 2017 there was an alleged Russian state hack of US electricity companies.34 Both Iran and Russia have been linked to an attack on a petrochemical plant in Saudi Arabia in 2017 that was described as a new kind of cyber assault designed to trigger an explosion.35

Like other countries, Australia is focused on protecting its critical infrastructure. However, there’s a serious gap in our approach, which currently doesn’t include the protection of national identity assets.

Digital national identity assets underpin our democracy

Australia’s Critical Infrastructure Centre describes critical infrastructure as underpinning the functioning of Australia’s society and economy and integral to the prosperity of the nation.36 National identity assets do all that and more—they also underpin our democracy—and should be considered as part of the nation’s critical infrastructure.

Attacks on governments show that we must recognise the threat posed by cyberattacks not only to critical infrastructure services, but also to democratic functioning and government continuity.37

Data and information don’t fit within the traditional conception of critical infrastructure. In Australia, ‘critical infrastructure’ is taken to mean the supply chains, information technologies and communication networks, the destruction, degradation or lengthy unavailability of which would significantly damage the social or economic wellbeing of the nation or affect our ability to conduct national defence and ensure national security.38

Australia has eight critical infrastructure sectors: banking and finance; the Australian Government; communications; energy; food and groceries; health; transport; and water.

There’s an argument that, if national identity assets were included, the existence of digital and analogue information would require differing control measures and consequential tighter controls, making it harder to access, or measures to replicate data holdings so that disruption and manipulation can be dealt with by turning to authoritative alternative holdings. Also, if whole systems—hardware, software, personnel, data and information—are considered critical, that could lessen the meaning and idea of ‘critical’.39

While defining the strict parameters of national identity assets might be problematic, that can be broadly overcome by focusing instead on the organisations that create, keep and preserve them. The intrinsic value of Australian Government national identity assets, such as those held by the National Archives and National Library, should be recognised as part of the Australian Government critical infrastructure sector. Consideration should also be given to how similar assets of state governments should be protected.

Estonia, a country recognised for e-government, has acknowledged the vulnerability of its data and information and is replicating its critical government data in Luxembourg in what’s been called a ‘virtual embassy’ to protect it and ensure that government and services will be uninterrupted in the case of an attack on Estonia.40

The closest Australia has come to officially considering data and digital information as critical infrastructure was the 2017 public consultation on the Security of Critical Infrastructure Bill, which asked whether data centre assets should be included.41 They weren’t. 

Increased focus on data security

Despite this, during 2018 there’s been an increased focus on data security and engagement by the Australian Critical Infrastructure Centre, which is working with the Australian Cyber Security Centre and the Digital Transformation Agency on whole-of-government infrastructure.42 But this isn’t just about systems, security and services. We need to go one step further and consider the data held within them. 

The Australian Productivity Commission’s 2017 Data availability and use report noted that data is an asset, and that there are plenty of datasets and collections the degradation or unavailability of which ‘would significantly impact the social or economic wellbeing’ of Australia.43 

Australia’s electoral roll and Census data are two such cases. The latter not only guides the allocation of much government funding, but also helps to determine electoral boundaries—a key component of our democratic process. As noted by the Productivity Commission, if it were to be compromised that would jeopardise public trust.

There’s valid evidence of a pressing need to review what critical national identity assets are and to include national identity and high-value data within Australia’s critical infrastructure framework.44 We also need to investigate a legislative response to how they should be managed and evaluated nationally, supported by the Australian Trusted Information Sharing Network and focusing on those assets in the critical infrastructure sectors and the states and territories.

We protect what we value

If Australia were a person, and her digital house was on fire, what would she grab and load in her car to save? What would be ready and in a convenient location, so that she could pick it up and run?

Sometimes it takes a disaster before a new or upgraded system is funded.

There’s a disconnect between how we value and how we protect our data and digital information. Currently, more focus and value are placed on the security of classified, national security and personally identifiable information. As a result, the systems that hold and manage that information are prioritised.

The volume of digital information and data is increasing at a rapid rate, and the percentage that needs to be kept for business, legal, evidentiary and archival purposes is also growing.45

Valuing digital identity assets

There’s also no standard, guidance or formula for valuing digital information and data, or any requirement to report data assets in financial reports. In the case of digital national identity assets, there’s no long-term view on their value or their protection, although many memory institutions do include them in financial reporting.

While there’s an accounting standard for valuing cultural and scientific collections, that’s primarily for physical collections. Valuing digital assets is proving more difficult. The valuation industry has developed varied approaches and methodologies and, depending on the volume and complexity, such valuations can come at a significant cost.

What’s being done

The NSW Government is currently valuing its digital collections, and the Australian Bureau of Statistics is valuing its Census data. In 2014, the New Zealand Bureau of Statistics valued its 2013 census data at $1 billion,46 and in 2016 the Australian Bureau of Communications Research estimated that Australia’s open data was worth $25 billion per year, or 1.5% of Australia’s GDP.47

We need to do more about standardising the way we value our national identity assets.

The inability to access, understand and adequately discriminate between what’s valuable and what isn’t is a key challenge, as is maintaining appropriately skilled people to ensure quality, accuracy and analytics, including privacy and ethics considerations.

In 2016, American historian Abby Rumsey argued that we’re now so far ahead of ourselves in the accumulation of data that we may never catch up or truly understand its significance.48 And data is only valuable if it can be explored and we can get insights and information from it.49 We may have a future in which a generation of history is lost because it doesn’t exist or is inaccessible.

A simple way to identify, assess and value national identity data and information needs to be developed, along with a consequence framework to assess the impact should it or its provenance be lost or damaged.

Security, preservation and governance

We have to value our government data holdings as a national asset and within government we have to adjust our behaviours and our policies accordingly.50

—David Fricker, Director-General, National Archives of Australia, President International Council on Archives

Protection of national identity assets is far more than information and cybersecurity.

Internationally, there’s a large ‘infosec’ industry, which continues to grow. Governments and a swag of organisations and agencies are dealing in cybersecurity, information security, big data, privacy and information policy.

The glaring omissions are digital preservation and governance—not just for digital national identity  assets, but for all business-critical information and data. This includes assets relied upon by the public and business for planning, redundancy and technology that can read the data in 10 or 100 years from now.

This crowded landscape calls for a strategic and coordinated approach and stronger focus to address a major vulnerability that all organisations face—the integrity, reliability, authenticity and accessibility of digital assets now and into future, whether it’s three years, thirty-three or forever, as with national identity assets.

Earlier adoption of digital asset preservation

Digital preservation isn’t widely understood or practised except by organisations with dedicated preservation functions. Even then, digital preservation usually involves work streams and professions separate from information security functions. Digital preservation is essential for digital authenticity, reliability and access over time, and is far more than just creating a backup. It ensures the accurate rendering of authentic content over time, including protection from medium failures and software and hardware obsolescence.51

The 2017 edition of Australian Government’s Information security manual includes no digital preservation requirements, other than backup for business continuity and disaster recovery.52 The 2018 manual will expand backup requirements to ensure that information can’t be manipulated or changed, and the author understands that, based on the recommendations of this report, digital preservation is being considered for inclusion from 2018 onwards to guide those Australian Government agencies with national identity and high-value assets.

Increasingly, blockchain technology is being used by industry and government to assure transactions and services, the most recent such use being the pilot rollout of NSW digital drivers’ licences.53 This should continue to be explored to ensure the integrity of national identity assets. We need to start the conversation about digital preservation earlier, at the beginning and not at the end of digital asset creation. Along with information management, digital preservation must be considered by all organisations before they build or upgrade systems that create, use and keep valuable information and data for any length of time. This is for governance, discovery and access, and to ensure that the evidence remains authentic, can be migrated to and managed by memory institutions into the future, and be accessed and read whenever it’s needed.54

Information security reporting and audits

Currently the ‘confidentiality, integrity and availability’ security model is heavily weighted towards confidentiality. This imbalance is a vulnerability, and, despite improvements in cybersecurity,55 many organisations aren’t meeting this base-level security requirement. A recent audit by the Australian National Audit Office (ANAO) found that, out of three Australian government agencies, only one was cyber resilient.56

While the Australian Cyber Security Centre (ACSC) surveys the status of information security in the public and private sectors,57 it’s difficult to assess just how safe Australian organisations are and what they’re doing to ensure that their systems and data are safe. Further work is needed in this space to audit data authenticity and to check for evidence of manipulation or change. This would require new methodology and practices—possibly drawing on digital preservation skills and approaches—that should eventually become business as usual.

There’s no independent or public reporting of the state of cybersecurity within individual organisations, or a ‘state of the nation’ report on how agencies and businesses are managing and protecting data.

Public self-reporting is needed, and more transparency is one of several recommendations made by the ANAO in its 2018 cyber resilience audit.58 A snapshot or dashboard showing how Australian organisations are performing in cybersecurity should also be developed as part of the ACSC’s annual survey.

Lack of coordination and information governance

Immediate business needs tend to overshadow the way information is governed and managed.

Many government and private-sector organisations are easy prey to cyberattack, not just because of weak cybersecurity, but because of the absence of a comprehensive whole-of-organisation view on how all information and data assets are to be managed and protected.

There’s an urgent need to implement better information governance across the public and private sectors in order to protect Australia’s digital national identity assets.

Policy recommendations

  1. Australia’s national identity and high-value data and information, the destruction or corruption of which would have a serious impact on our sovereignty, should be recognised as part of our critical infrastructure framework.
  2. The Trusted Information Sharing Network should examine existing coverage of vulnerabilities and establish a dedicated forum on that data and information.
  3. The Australian Government should explore a legislative response to managing and evaluating that data on a coherent national basis.
  4. National security agencies should engage with the National Archives of Australia to undertake a risk assessment of the archives’ digital national identity assets and jointly develop proposals to defend them from future attack.
  5. The National Archives of Australia should use its legislated powers to prescribe what government information and data constitutes national identity assets and set mandatory management and governance standards to ensure, protect and maintain their long-term integrity and reliability of those assets.
  6. The Australian Productivity Commission should explore the value of digital national identity assets to Australia, defining the parameters to be considered in identifying and valuing them and the cost should they be destroyed or manipulated, or should trust in their authenticity and reliability be eroded.
  7. The Australian Government, through the Department of Finance, should investigate and provide guidance and standards for agencies to assess the value of their information and data assets.
  8. The Australian Government, through the Department of Finance, should develop a tool to assist organisations to assess the value of their data and digital information, to assist in developing strong business cases for protection.
  9. A new funding model for memory institutions should be explored by Australian governments to help protect digital national identity material.
  10. Digital preservation principles should be built into information security requirements, such as those in the Australian Government’s Information security manual.
  11. The Digital Transformation Agency, in conjunction with CSIRO’s Data 61, should explore the use of blockchain technology to track, record and ensure the provenance of national identity and high-value data.
  12. The ACSC should produce a ‘state of the nation’ report on cybersecurity health and readiness.
  13. All public, private and community sector organisations holding national identity assets should be encouraged to publicly report their annual cyber resilience status.
  14. The ANAO, in conjunction with the ACSC, should explore the creation of an authenticity audit, so that internal and external auditors can assess digital assets on a scheduled, regular basis, employing a standardised methodology.
  15. All Australian governments (federal and state) should better coordinate their information, data and related cyber policy agencies and strengthen information governance as the overarching requirement, incorporating all elements of information management, security, privacy and data management.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.

© The Australian Strategic Policy Institute Limited 2018

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

Images: ‘Faces of Australia’ from the National Archives of Australia. Design by Lora Maricic. 
Cover animation by Wes Mountain. ASPI ICPC and Wes Mountain allow this image to be republished under the Creative Commons License Attribution-Share Alike. Users of the image should use this sentence for image attribution: ‘Illustration by Wes Mountain, commissioned by ASPI’s International Cyber Policy Centre’.

  1. Kelsey Munro, ‘Foreign interference in elections “will be repeated”: former US cyber tsar’, SBS News, 22 February 2018, online; ‘Five Country Ministerial 2018’, Department of Home Affairs, 29 August 2018 ↩︎
  2. Dan Tehan, ‘Silent dangers: launch of the Australian Cyber Security Centre’s 2017 threat report’, National Press Club address, 10 October 2017 ↩︎
  3. JC Turner, ‘Some current issues in research on social identity and self-categorization theories’, in N Ellemers, R Spears, B Dossje (eds.), Social identity: context, commitment, content (6–34), Blackwell, Oxford, UK, 1999. ↩︎
  4. Eliza Chapman, ‘Should data be considered critical infrastructure?’, The Strategist, 18 April 2018 ↩︎
  5. Jeremy Herb, Lauren Fox, Manu Raju, ‘Senate committee agrees with intelligence community assessment of election meddling, breaking with GOP House investigation’, CNN, 16 May 2018, online; Culture, Media and Sport Select Committee, Russian influence in political campaigns, UK Parliament, 29 July 2018 ↩︎
  6. Steve Ranger, ‘US intelligence: 30 countries building cyber attack capabilities’, ZDNet, 5 January 2017, online; James R Clapper, Marcel Lettre, Michael S Rogers, ‘Joint statement for the record to the Senate Armed Services Committee: foreign cyber threats to the United States’, 5 January 2017 ↩︎
  7. Tim Gollins, ‘The national archives, big data and security: why dusty documents really matter’, in Jennifer Cole (ed.), Big data for security and resilience: challenges and opportunities for the next generation of policy-makers, proceedings of the Big Data for Security and Resilience Conference, March 2014 ↩︎
  8. Rachel Botsman, Who can you trust? How technology brought us together and why it might drive us apart, Penguin, 2017. ↩︎
  9. Zeynep Tufekci, ‘How social media took us from Tahrir Square to Donald Trump’, MIT Technology Review, 14 August 2018 ↩︎
  10. Sheera Frenkel, Nicholas Fandos, ‘Facebook identifies new influence operations spanning globe’, New York Times, 21 August 2018, Ben Nimmo, Graham Brookie, ‘#TrollTracker: Facebook uncovers active influence operation’, @DFRLab, 31 July 2018 ↩︎
  11. Tim Leslie, Nathan Hoad, Ben Spraggon, ‘Can you tell a fake video from a real one?’, ABC News, 3 October 2018 ↩︎
  12. PW Singer, Emerson T Brooking, Like war: the weaponization of social media, Houghton Mifflin Harcourt, New York, 2018. ↩︎
  13. Paul Lewis, ‘The 29 fakes behind a rewriting of history’, The Guardian, 5 May 2008 ↩︎
  14. Rebecca Turner, ‘“Aboriginal” redacted from birth, death, marriage certificates after being deemed an offensive term’, ABC News, 17 May 2018 ↩︎
  15. Tom Sear, Michael Jensen, ‘Russian trolls targeted Australian voters on Twitter via #auspol and #MH17’, The Conversation, 22 August 2018 ↩︎
  16. Stephanie Borys, ‘Russian hacking: up to 400 Australian companies caught up in cyber attacks blamed on Moscow’, ABC News, 17 April 2018 ↩︎
  17. Ellen Nakashima, Joby Warrick, ‘Stuxnet was work of US and Israeli experts, officials say’, Washington Post, 2 June 2012 ↩︎
  18. Patrick Howell O’Neill, ‘Cobalt Dickens threat group looks to be similar to indicted hackers’, Cyberscoop, 24 August 2018 ↩︎
  19. Jonathan Landay, ‘US intel chief warns of devastating cyber threat to US infrastructure’, Reuters, 14 July 2018 ↩︎
  20. Nakashima & Warrick, ‘Stuxnet was work of US and Israeli experts, officials say’. ↩︎
  21. Nick McKenzie, Angus Grigg, Chris Uhlmann, ‘China uses the cloud to step up spying on Australian business’, Sydney Morning Herald, 20 November 2018 ↩︎
  22. David Donaldson, ‘Password123: public servants risk cyber attacks with weak security’, The Mandarin, 22 August 2018 ↩︎
  23. John McCormack, ‘Think the museum fire in Brazil can’t happen here? Think again’, Los Angeles Times, 9 September 2018 ↩︎
  24. Angela Stringfellow, ‘Digital decay: understanding digital decay, its impacts on modern business, and best practices for preserving digital assets and data’, MerlinOne, 5 March 2018 ↩︎
  25. Joint Standing Committee on the National Capital and External Territories, ‘Inquiry into Canberra’s national institutions’, Australian Parliament, no date. ↩︎
  26. Sally Whyte, ‘More cuts will put national institutions’ “core purposes” at risk’, Canberra Times, 13 May 2018 ↩︎
  27. Australian National Audit Office (ANAO), Cyber resilience, report no. 53 of 2018–18, ANAO, Canberra ↩︎
  28. National Archives of Australia (NAA), Digital Continuity 2020 policy, NAA, Canberra, 5 April 2018 ↩︎
  29. Department of the Prime Minister and Cabinet, Open Government Partnership Australia, ‘3.3—Improve the discoverability and accessibility of government data and information’ ↩︎
  30. NAA, ‘2017 digital continuity statement: whole-of-government snapshot’, NAA, Canberra, 2017 ↩︎
  31. Stephen Cobb, ‘Trends 2018: critical infrastructure attacks on the rise’, WeLiveSecurity, 30 May 2018 ↩︎
  32. Tim Johnson, ‘“Preparing the battlefield”: Hackers implant digital grenades in industrial networks’, McClatchy, 27 June 2018 ↩︎
  33. Donghui Park, Julia Summers, Michael Walstrom, ‘Cyberattack on critical infrastructure: Russia and the Ukrainian power grid attacks’, Henry M Jackson School of International Studies, 11 October 2017 ↩︎
  34. Kanishka Singh, ‘Russian hackers penetrated networks of US electric utilities: WSJ’, Reuters, 24 July 2018, online; US Computer Emergency Readiness Team, ‘Alert (TA18-074A): Russian Government cyber activity targeting energy and other critical infrastructure sectors’, 15 March 2018 ↩︎
  35. Nicole Perlroth, Clifford Krauss, ‘Cyberattack in Saudi Arabia had a deadly goal. Experts fear another try’, New York Times, 15 March 2018, online; David E Sanger, ‘Hack of Saudi petrochemical plant was coordinated from Russian institute’, New York Times, 23 October 2018 ↩︎
  36. ‘What is the Critical Infrastructure Centre’, Department of Home Affairs, no date ↩︎
  37. Dante Disparte, ‘Cities held for ransom: lessons from Atlanta’s cyber extortion’, Forbes, 2 April 2018 ↩︎
  38. Trusted Information Sharing Network, ‘Critical infrastructure’, no date ↩︎
  39. Chapman, ‘Should data be considered critical infrastructure?’. ↩︎
  40. Daniel Cooper, ‘Estonia will back up its government in a “digital embassy”’, engadget, 22 June 2017 ↩︎
  41. Security of Critical Infrastructure Bill 2017, Australian Parliament ↩︎
  42. Asha McLean, ‘Canberra to deliver platform and hosting strategies by November’, ZDNet, 7 May 2018 ↩︎
  43. Productivity Commission, Data availability and use, ‘Overview and recommendations’, report no. 82, 31 March 2017 ↩︎
  44. Chapman, ‘Should data be considered critical infrastructure?’. ↩︎
  45. IDC, The digital universe of opportunities: rich data and the increasing value of the internet of things, ‘Executive summary: Data growth, business opportunities, and the IT imperatives’, April 2014 ↩︎
  46. Statistics New Zealand, Valuing the Census, New Zealand Government, April 2013 ↩︎
  47. Bureau of Communications and Research, ‘Open government and why it matters’, Department of Communications and the Arts, Australian Government, 8 February 2016 ↩︎
  48. Abby Smith Rumsey, When we are no more: how digital memory is shaping our future, Bloomsbury Press, 2015. ↩︎
  49. Susan Bennett, What is information governance and how does it differ from data governance?, Sibenco Legal and Advisory, 2017 ↩︎
  50. David Fricker, ‘Government–citizen engagement in the digital age’, Senate Occasional Lecture, NAA, 28 April 2017 ↩︎
  51. Digital Preservation Coalition, Digital preservation handbook, ‘Glossary’, no date ↩︎
  52. Department of Defence, Australian Government information security manual: controls, Australian Government, 2017 ↩︎
  53. Rohan Pearce, ‘NSW digital licence rollout driven by blockchain’, Computerworld, 10 September 2018 ↩︎
  54. NAA, Digital Continuity 2020 Policy ↩︎
  55. Australian Cyber Security Centre (ACSC), 2017 threat report, Australian Government, 2017 ↩︎
  56. ANAO, Cyber resilience. ↩︎
  57. ACSC, ‘Publications’ ↩︎
  58. Stephen Easton, ‘Auditor-General still waiting on cyber resilience in the Commonwealth’, The Mandarin, 25 July 2018, online; ANAO, Cyber resilience ↩︎

Mapping Xinjiang’s ‘re-education’ camps

This report by ASPI’s International Cyber Policy Centre collates and adds to the current open-source research into China’s growing network of extrajudicial ‘re-education’ camps in Xinjiang province.

The report contributes new research, while also bringing together much of the existing research into a single database. This work has included cross-referencing multiple points of evidence to corroborate claims that the listed facilities are punitive in nature and more akin to prison camps than what the Chinese authorities call ‘transformation through education centres’.

By matching various pieces of documentary evidence with satellite imagery of the precise locations of various camps, this report helps consolidate, confirm and add to evidence already compiled by other researchers.

Key takeaways

  • This ASPI ICPC report covers 28 locations, a small sample of the total network of re-education camps in Xinjiang. Estimates of the total number vary, but recent media reports have identified roughly 180 facilities and some estimates range as high as 1,200 across the region.
  • Since early 2016 there has been a 465% growth in the size of the 28 camps identified in this report.1 2
  • As of late September 2018—across the 28 camps analysed—this report has measured a total of 2,700,000 m2 of floor space, which is the equivalent of 43 Melbourne Cricket Ground stadiums.
  • The greatest growth over this period occurred across the most recent quarter analysed (July, August and September 2018), which saw 700,000 m2 of floor space being added across the 28 camps.
  • Some individual facilities have experienced exponential growth in size since they were repurposed and/or constructed. For example, a facility in Hotan that the New York Times reported on in September 20183 expanded from 7,000 m2 in early 2016 to 172,850 m2 by September 2018—a 2469.29% increase over an approximately 18-month period.
  • The growth in construction has increased at a considerably faster pace in the summer months, with a spike in construction during the third quarters of both 2017 and 2018.

Introduction

China’s censors have been expunging evidence of the country’s vast network of extrajudicial ‘re-education’ camps in Xinjiang province from the internet just as fast as researchers have been finding it.

From first-hand testimony to satellite imagery, researchers have now provided empirical data that authoritatively paints a picture of the extent of China’s biggest human rights abuse since the 1989 post-Tiananmen purge.

Word of this rapidly growing network of ‘re-education’ camps first started to spread with interviews of the relatives of detainees.4 Further research drew on information in public construction and service tenders which documented and detailed the sizes and security features of these re-education camps.5

Other documents such as public recruitment notices, government budget reports, government work reports and Chinese articles in local media and social media have helped to reveal details of how Chinese authorities are rapidly expanding this network of camps.

The cumulative effect of this onslaught of evidence, as well as condemnation from US lawmakers6 and the UN,7 has forced Chinese authorities to move from outright denial of the camps’ existence to a public relations offensive in which they present the camps as places for ‘free vocational training’8 rather than anything punitive.

This ASPI ICPC report contributes new research, while also bringing together much of the existing research into a single database. This work has included cross-referencing multiple points of evidence to corroborate claims that the listed facilities are punitive in nature and more akin to prison camps than what the CCP calls ‘transformation through education centres’.

The report matches the plethora of documentary evidence already uncovered with satellite imagery of this sprawling network of camps. The report takes a conservative approach in deciding what the likely use of each facility is. Each potential camp is assigned a red, orange or green tag representing our level of confidence based on the available open-source data.

The data

This report collects and collates a huge amount of data and it attempted to include as much of that as possible into a database. Some subsets of the database are new—for example, our data on the growth in the size of these 28 facilities. Others have been identified by other researchers, NGOs or media outlets. Where possible, data from these sources has been included in the database, with citations and hyperlinks to the original work.

Brief summaries of the collected data are presented and tabulated in this report; however, using the accompanying database, it is possible to explore all data points in more depth and draw individual conclusions. 

The database is by no means an exhaustive list and it will continue to develop and grow as additional datasets are added.9 It is hoped it will provide media outlets, researchers and governments with current and useful information, and become a resource to which they can potentially contribute.

Camps that have multiple points of strong evidence are deemed to be internment camps and were marked green using the traffic light system. These points of evidence include, for example, facilities that are described as ‘transformation through education’ facilities in official documents, that this research has geo-located from tender documents, or that contain physical features captured in satellite imagery such as barbed wire, reinforced walls and watchtowers. 

Orange tags on other camps denote a comparatively smaller amount of publicly available evidence necessary to conclude the ultimate use of the facilities. Red camps denote minimal or incomplete evidence. Because of that lack of evidence, they have not been included in the public database.

This is not meant to suggest that the scope and scale of the system is small. Agence France-Presse (AFP) estimates there are at least 181 such facilities in Xinjiang,10 while research by German-based academic Adrian Zenz suggests there may be as many as 1,200 facilities.11

Instead, this report and its underlying database aim to create a repository of existing research into the Xinjiang camps in order to save for posterity the information that China’s censors are rapidly deleting from the public record.

Figure 1: Heat map showing the distribution and size of the 28 camps across Xinjiang province. The larger the combined size of facilities in an area, the darker the shade on the map. Kashgar City and its surrounds feature the highest density of facility floor space and are therefore likely where the greatest numbers of re-education detainees are held.

Figure 2: The cumulative floor area in the analysed facilities. Following the second quarter of 2017, many already-constructed buildings were converted into re-education facilities (separated into camps tagged green and orange). 

Figure 3: The rate of quarterly additional construction. Spikes can be seen during the summer months (third quarters) of 2017 and 2018. Growth so far in 2018 (1.169 million square metres) has already outpaced growth in the entirety of 2017 (918,000 m2).

Case studies

The devil is in the detail: The Kashgar City Vocational Technical Education Training Center12

Coordinates: 39°27’9.59″N, 76°6’34.24″E

Last month, Global Times editor Hu Xijin visited what he referred to as a ‘vocational training center’ in Kashgar. He posted a two-minute video of the trip on his Twitter account.13

Hu visited Middle School No. 4 located to the east of Kashgar City. This school, as well as Middle Schools 5 and 6, were under construction across the first half of 2017. Over the summer break, ovals at Middle Schools 5 and 6 were turfed with grass. These schools were being built adjacent to two other schools—the Kashgar City High School and the Huka Experimental Middle School (沪喀实验中学).

But by July 2017, when construction was complete, every ‘school’ building in the southwest of the facility (previously Middle School No. 5) was surrounded by tall fencing that had been painted green and topped with razor wire. By August, much of School No. 6 was enclosed with similar fencing. Upon completion in around November 2017, School No. 4 was also highly securitised and a tender was released calling for bidders to oversee and install new equipment, including a new surveillance camera system.14

In March 2018, one of the previously turfed sports ovals was demolished and replaced by four large six-storey buildings, totalling roughly 50,000 m2 of floor space. Each was surrounded by six 10-by-18 m fenced yards for detainees.

Kashgar City High School and Huka Experimental Middle School, only 50 m to the north of Kashgar Middle School No. 4, paint a dramatically different picture. Basketball courts are filled with students playing outside, and people can be seen in satellite imagery walking between buildings in the schools and on the large sports fields. 

The video posted by Hu Xijin of Middle School No. 4 on 24 October shows detainees dancing and playing table-tennis and basketball. However, this visit—and the footage shared on social media—may not reflect the regular daily experiences of the detainees.

Through satellite and imagery analysis—including imagery updated daily—we can determine that these courts are coloured mats that are recent additions to the camp. The mats were placed on a concrete-covered area that is normally bare and appears inaccessible to detainees.

Lifted edge of the basketball mat suggests that these courts are likely not permanent.

Across 25 satellite images between August 2017 and August 2018, which show the facility since its construction, not a single image featured these outdoor courts. But these coloured mats do appear in satellite imagery available from 10 October. Global Times editor Hu Xijin posted about his visit to these facilities on Twitter and Weibo on 24 October.15

The location filmed by Hu Xijin in Kashgar City Vocational Technical Education Training Center. Features outlined in the panorama produced from Global Times reporting correspond to outlines in the same colour in the satellite imagery.

Checking in with the Shule County Chengnan Training Center since the Economist’s May 2018 coverage16

Coordinates: 39°21’27.64″N, 76°3’2.39″E

On 31 May 2018 the Economist included satellite footage of the ‘Shule County Chengnan Training Center’ in a lengthy article it published on China’s ‘apartheid with Chinese characteristics’.17

We have tracked this camp’s enormous growth since the Economist article featured satellite imagery of the camp. Since March 2018—which was the date the satellite image was taken from—the facility has more than doubled in size.

Across the 2.5-year time period covered in this report,18 the facility has grown from 5 to 24 buildings or wings. Its total floor size has increased during that period from 12,200 m2 to 129,600 m2. This represents an increase in size of 1062.3%.

The camp is described in official documents as a ‘transformation through education’ facility, and a tender shows the involvement of the Shule County Justice Bureau.19 Through satellite and imagery analysis, the camp’s physical features—including barricaded facilities, watchtowers, and enclosures surrounded by barbed-wire fencing—can be clearly seen.

But the evidence base for this facility goes beyond satellite imagery, tenders and floor sizes. In addition, we have matched our satellite images to the first-hand accounts, street-view imagery and video footage published by religious freedom advocacy group Bitter Winter in September 2018.20

Bitter Winter’s evidence highlights several key features of the facility. Footage from newly constructed buildings shows the scale of the camp. The reporting detailed the structure of these facilities. Each floor consists of 28 rooms, and each room is monitored by two security cameras.

Footage acquired by Bitter Winter of the Chengnan Training Centre. Features outlined in the photos correspond to outlines in the same colour in the satellite imagery.

Methodology

This report provides a quantifiable picture of the spread and growth of China’s large network of camps throughout the Xinjiang region. These camps were located through various means, including via unique satellite signatures and physical features; official construction bidding tenders from the Chinese government; and media collected from official sources, local and international NGOs, academics and digital activists. Considerable information was drawn from the analysis of freely available or commercial satellite imagery. 

Satellite imagery of these camps shows highly securitised facilities with features such as significant fencing to heavily restrict the movement of individuals, consistent coverage by watchtowers, and strategic barricades with only small numbers of entry points. Often the perimeter around these camps is multi-layered and consists of large walls with tall razor-wire fencing on both the inside and outside. These features allowed us to pinpoint the location of camps mentioned in official construction tenders. 

Locating camps was aided significantly by engaging and sharing information with Shawn Zhang, a student at the University of British Columbia.21 In addition, official media and reporting by NGOs and activists were vital. These sources provided media from some facilities which allowed us to match the features shown—such as buildings and fencing—with the available satellite imagery.

The floor area of every facility was measured. 

The growth in floor area of these facilities was calculated for every quarter from the beginning of 2016 to September 2018. In most cases, this process involved measuring the roof area of every building using Google Earth imagery and other commercial satellite imagery collected by Digital Globe. Floor area was then calculated by multiplying roof area by the number of storeys in each building. The number of storeys was estimated from satellite imagery by either counting the externally visible windows when the building’s facade was shown or, when the facade was not prominently featured, by analysing the length of the shadows cast by the building. Where footage of these buildings from the ground existed, this was used as the primary source for the number of storeys. 

Some facilities contained additional buildings that were constructed after the most recently available Digital Globe imagery. For these cases, the floor area was calculated from lower resolution (3 m pixels as opposed to 30–50 cm pixels) imagery provided by Planet Labs.

No attempt was made in this analysis to differentiate between buildings used for different purposes, and the total area of each facility includes teaching buildings, administrative buildings and dormitories that house detainees. 

In addition, no attempt was made to determine the date of a facility’s first use as a re-education facility. For facilities such as schools or government-built residential housing that have been converted to re-education centres, our measurements represent the total building area within the current facility’s boundaries. 

These measurements were translated into chronological growth by cross-referencing building measurements with monthly satellite imagery accessed through Planet Labs’ Explorer portal to determine the period of time over which each building was constructed or completed. Some buildings that were too small to register in Planet Lab’s lower resolution imagery, such as single-storey utility buildings or sheds, were not included in this analysis. This data can be found in the database accompanying this report.

Facilities were then matched to publicly available construction tenders released by local governments using Chinese-language web-searching and links collected by other researchers (chiefly, Adrian Zenz, a China security expert at Germany’s European School of Culture and Theology). Saving this information often involved a race against time to gather the data before the documents were removed by those censoring China’s cyberspace. Every important document discovered and included in our database was permanently archived online.

Finally, the report drew on media reporting in local, national and international outlets. This media collection—including photographs, videos and geographical data—was used to further confirm key details such as the location, use or purpose, and physical features of each facility.

Conclusion

The speed with which China has built its sprawling network of indoctrination centres in Xinjiang is reminiscent of Beijing’s efforts in the South China Sea. Similar to the pace with which it has created new ‘islands’ where none existed before, the Chinese state has changed the facts on the ground in Xinjiang so dramatically that it has allowed little time for other countries to meaningfully react.

This report clearly shows the speed with which this build-out of internment camps is taking place. Moreover, the structures being built appear intended for permanent use. Chillingly, stories of detainees being released from these camps are few and far between.

Without any concerted international pressure, it seems likely the Chinese state will continue to perpetrate these human rights violations on a massive scale with impunity.
 

Acknowledgments

ASPI ICPC would like to thank Dr Samantha Hoffman and Alex Joske for their contributions to this research.

This project would not have been possible without the crucial ongoing work of Shawn Zhang, Adrian Zenz, journalists and civil society groups.


Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.


© The Australian Strategic Policy Institute Limited 2018

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

  1. The centre featured on state broadcaster CCTV last week is one of at least 181 such facilities in Xinjiang, according to data collected by AFP, online. ↩︎
  2. tandfonline.com ↩︎
  3. Listed as Camp 5 in the ICPC public database, online. ↩︎
  4. hrw.org ↩︎
  5. jamestown.org ↩︎
  6. cecc.gov ↩︎
  7. theguardian.com ↩︎
  8. globaltimes.cn ↩︎
  9. If you would like to highlight new or missing information that you think should be added to the database, please contact icpc@aspi.org.au ↩︎
  10. hongkongfp.com ↩︎
  11. washingtonpost.com ↩︎
  12. Camp 15 in the ICPC public database. ↩︎
  13. twitter.com ↩︎
  14. jzbnet.com ↩︎
  15. twitter.com ↩︎
  16. Camp 3 in the ICPC public database. ↩︎
  17. economist.com ↩︎
  18. January 2016 to September 2018. ↩︎
  19. archive.org ↩︎
  20. bitterwinter.org ↩︎
  21. Shawn Zhang’s Medium blog can be found here: medium.com ↩︎