The security situation in Northeast Asia has dominated much of international reporting over the last 1.5 years, culminating in the recent historic inter-Korean summit as well as a potential Kim-Trump meeting.
This Strategic Insights paper offers an analysis of what remains an often overlooked and underestimated connection: Russia’s interests on and around the Korean Peninsula. ASPI Researcher, Jacqueline Westermann, argues that it would be fatal to underestimate the Kremlin’s interests in the region, as ‘Russia is a permanent member of the UN Security Council, a stakeholder in the region, a partner to Pyongyang and a party to the previous Six-Party Talks’.
While it isn’t a top priority for the Kremlin, Russian involvement could play a handy part in Putin’s greater strategy to expand Russia’s engagement in the world. To illustrate Moscow’s specific motivations for being involved, the analysis is based on statements given by Russian government officials during 2017, as well as insights from Russian North Korea experts.
The paper portrays the geopolitical, strategic, economic and national policy interests that are driving the Russian government’s attentiveness towards the peninsula and Northeast Asia, and provides an outlook on potential Russian involvement, as well as options for the international community on what to expect from that.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/13172032/Putin-NK_banner.jpg4501350nathanhttps://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/04/10130806/ASPI-Logo.pngnathan2018-05-09 06:00:002024-12-13 17:23:43Putin and North Korea: Exploring Russian interests around the peninsula
The reality of the world we live in today is one in which cyber operations are now the norm. Battlefields no longer exist solely as physical theatres of operation, but now also as virtual ones. Soldiers today can be armed not just with weapons, but also with keyboards. That in the modern world we have woven digital technology so intricately into our businesses, our infrastructure and our lives makes it possible for a nation-state to launch a cyberattack against another and cause immense damage — without ever firing a shot.
ACS’s aim in participating in this policy brief is to improve clarity of communication in this area. For Australia, both defensive and offensive cyber capabilities are now an essential component of our nation’s military arsenal, and a necessary step to ensure that we keep up with global players. The cyber arms race moves fast, so continued investment in cyber capability is pivotal to keep ahead of and defend against the latest threats, while being able to deploy our own capabilities when and where we choose.
So, too, is ensuring that we have the skills and the talent to drive cyber capabilities in Australia. This means attracting and keeping the brightest young minds, the sharpest skilled local talent and the most experienced technology veterans to drive and grow a pipeline of cyber specialists, and in turn help protect and serve Australia’s military and economic interests.
Yohan Ramasundara President, Australian Computer Society
What’s the problem?
In April 2016, Prime Minister Turnbull confirmed that Australia has an offensive cyber capability. A series of official disclosures have provided further detail, including that Australia will use this capability against offshore cybercriminals.
This was the first time any state has announced such a policy.
However, this commendably transparent approach to telegraphing our capability and intentions hasn’t been without challenges. In some cases, these communications have created confusion and misperceptions. There’s a disconnect between popular perceptions, typified by phrases like ‘cyber Pearl Harbor’, and the reality of offensive cyber operations, and reporting has at times misrepresented how these tools will be used. Public disclosures and the release of the report of the Independent Intelligence Review have also raised questions about how Australia will build and maintain this capability.
What’s the solution?
To reduce the risk of misunderstanding and misperception and to ensure a more informed debate, this policy brief seeks to further clarify the nature of Australia’s offensive cyber capability. It recommends improving communications, using innovative staff recruitment and retention options, deepening industry engagement and reviewing classification levels in some areas. Looking forward, the government could consider increasing its investment in our offensive capability to create an asymmetric capability; that is, a capability that won’t easily be countered by many militaries in our region.
Introduction
Governments routinely engage in a wide spectrum of cyber operations, and researchers have identified more than 100 states with military and intelligence cyber units.1
The cyber units range considerably in both their capability and their compliance with international law. Leaks have highlighted the US unit’s advanced capability, and public documents reveal its size. US Cyber Command’s action arm, the Cyber Mission Force, is building to 6,200 military and civilian personnel, or about 10% of the ADF, and for the 2018 financial year requested a US$647 million budget allocation.2 China has been widely accused of stealing enormous quantities of intellectual property. North Korea has used cyber tools to steal money, including in a US$81 million heist on the Bangladesh central bank. Russia is accused of using a range of online methods to influence the 2016 US presidential election and has engaged in a wide spectrum of actions against its neighbours, such as turning off power stations in Ukraine and bringing down government websites in Georgia and Estonia. Israel is suspected of using a cyber operation in conjunction with its bombing raid on a Syrian nuclear reactor in 2007 by temporarily ‘tricking’ a part of Syria’s air defence system to allow its fighter jets to enter Syria undetected.3
In Australia, the government has been remarkably transparent in declaring the existence of its offensive cyber capability and its applications: to respond to serious cyberattacks, to support military operations, and to counter offshore cybercriminals. It has also established robust structures to ensure its compliance with international law. Three additional disclosures about Australia’s offensive cyber capability have followed the Prime Minister’s initial April 2016 announcement. In November 2016, he announced that the capability was being used to target Islamic State,4 and on 30 June 2017 Australia became the first country to openly admit that its cyber offensive capabilities would be directed at ‘organised offshore cyber criminals’.5 The same day, the then Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, announced the formation of an Information Warfare Division within the ADF.
While these disclosures have raised awareness of Australia’s offensive cyber capability, the limited accompanying detail has meant that the ensuing public debate has often been inaccurate or misleading. One major news site, for example, led a report with the title ‘Australia launches new military information unit to target criminal hackers’.6 Using the ADF to target criminals would have been a radical departure from established protocols.
This policy brief seeks to clarify some of the misunderstandings arising from sensationalist reporting.
The report has the following parts: 1. What’s an offensive cyber operation? 2. Organisation, command and approvals 3. Operations against declared targets 4. Risks 5. Checks, balances and compliance with international law 6. Strengths and weaknesses 7. Future challenges and recommendations.
Tom Uren and Fergus Hanson on Offensive Cyber
1. What’s an offensive cyber operation?
For the purposes of this policy brief, we use a draft definition that’s being developed as part of the Department of the Prime Minister and Cabinet’s Cyber Lexicon project. It defines offensive cyber operations as ‘activities in cyberspace that manipulate, deny, disrupt, degrade or destroy targeted computers, information systems, or networks’.7 Given the range of countries with varying capabilities and using examples from open sources, offensive cyber operations could range from the subtle to the destructive: removing computer accounts or changing passwords; altering databases either subtly or destructively; defacing web pages; encrypting or deleting data; or even attacks that affect critical infrastructure, such as electricity networks.
Even though it may use the same tools and techniques, cyber espionage, by contrast, is explicitly designed to gather intelligence without having an effect—ideally without detection. The Global Commission on the Stability of Cyberspace has commissioned ASPI’s International Cyber Policy Centre to do further work on defining offensive cyber capabilities.
2. Organisation, Command and Approvals
Australia’s offensive cyber capability resides within the Australian Signals Directorate (ASD).8 It can be employed directly in military operations, in support of Australian law enforcement activities, or to deter and respond to serious cyber incidents against Australian networks. While physically housed within ASD, the military and law enforcement applications have different chains of command and approvals processes.
MILITARY
The Information Warfare Division within the Department of Defence was formed in July 2017 and is headed by the Deputy Chief Information Warfare, Major General Marcus Thompson.
Major General Thompson has presented the ADF approach to cyber capabilities as two distinct functions: cybersecurity (consisting of self-defence and passive defence 9), and cyber operations (consisting of active defence and offence 10).
The Australian Government’s offensive cyber capability sits within ASD and works closely with each of the three services, which embed staff assigned to ASD from the ADF’s Joint Cyber Unit. Offensive cyber in support of military operations is a civil–military partnership. The workforce to conduct offensive cyber operations resides within ASD and is largely civilian. Advice from Defence is that the laws of armed conflict are considered during the development and execution of operations, and that ASD personnel will act in accordance with legally approved instructions. There’s no reason to doubt that, and the Inspector-General of Intelligence and Security has noted in the context of cyber operations in support of the ADF operations in Iraq and Syria that ‘guidance in place at the time was appropriate and followed by staff, and no issues of legality or propriety were noted’.
The ability to conduct an operational planning process that takes into account the desired outcome, situational awareness and the possible range of effects is a military discipline that resides in the ADF. This arrangement is expected to continue under proposals from the 2017 Intelligence Review to make ASD a statutory authority within the Defence portfolio.
As clarified in Australia’s International Cyber Engagement Strategy, ‘Offensive cyber operations in support of [ADF] operations are planned and executed by ASD and Joint Operations Command under direction of the Chief of Joint Operations.’11 Targeting for offensive cyber operations occurs in the same manner as for kinetic ADF operations. Any offensive cyber operation in support of the ADF is planned and executed under the direction of the Chief of Joint Operations and, as with any other military capability, is governed by ADF rules of engagement.
The announcement that Australia would be using its offensive cyber capability against offshore cybercriminals created considerable confusion. Public messaging was one contributing factor: the announcement about the ADF’s Information Warfare Division bled into the same-day announcement that the government would also be using its offensive cyber capability to deter offshore cybercriminals, making them appear one and the same thing.14
While some media outlets characterised the announcement as Australia potentially attacking the whole suite of ‘organised offshore criminals’, the announcement focused only on offshore actors who commit cybercrimes affecting Australia.
Decisions on which cybercriminal networks to target follow a similar process to those for military operations, including that particularly sensitive operations could require additional approvals, although the exact processes haven’t been disclosed. Again, these operations would have to comply with domestic law and be consistent with Australia’s obligations under international law.
3. Operations against declared targets
Australia has declared that it will use its offensive cyber capabilities to deter and respond to serious cyber incidents against Australian networks; to support military operations, including coalition operations against Daesh in Iraq and Syria; and to counter offshore cybercriminals. Given ASD’s role in intelligence gathering, operations can integrate intelligence with cyber operations—a mission critical element.
…will use its offensive cyber capabilities to deter and respond to serious cyber incidents against Australian networks…
4. Risks
Offensive cyber operations carry several risks that need to be carefully considered. For cyber operations in support of the ADF, as with conventional capabilities, the commander must weigh up the potential for achieving operational goals against the risk of collateral effects and damage.
When offensive cyber capabilities are used, there’s a high chance that future effectiveness might be compromised. Unlike defending against kinetic weapons, an information system might be protected from cyberattack through relatively simple measures, such as upgrades, patches or configuration changes.
Another risk is that, despite extensive efforts to disguise the origin of the attack, the Australian Government could lose plausible deniability or be identified (including contextually) as the source and face embarrassment or retaliation.
5. Checks, balances and compliance with international law
When the first public disclosure of Australia’s offensive cyber capability was made, the Prime Minister emphasised Australia’s compliance with international law: ‘The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law.’15
Interviews for this policy brief suggest that the users of the capability take compliance with domestic and international law extremely seriously. The core principles are as follows:
Necessity: ensuring the operation is necessary to accomplish a legitimate military / law enforcement purpose.
Specificity: ensuring the operation is not indiscriminate in who and what it targets.
Proportionality: ensuring the operation is proportionate to the advantage gained.
Harm: considering whether an act causes greater harm than is required to achieve the legitimate military objective.
These capabilities are subject to ASD’s existing legislative and oversight framework, including independent oversight by the Inspector-General of Intelligence and Security. However, there seems to be room for updating these provisions to account for technological developments. Section 7(e) of the Intelligence Services Act 2001, for example, authorises ASD ‘to provide assistance to Commonwealth and State authorities in relation to … (ii) other specialised technologies’—a foundation that could be strengthened for 21st-century technological applications.
When seeking approval for operations from the Minister for Defence, ASD seeks legal, foreign policy and national security advice from sources external to Defence. Every offensive cyber operation is planned and conducted in accordance with domestic law and is consistent with Australia’s obligations under international law
6. Strengths and weaknesses
Offensive cyber capabilities have both strengths and weaknesses.
STRENGTHS
For military tasks, they can be integrated with ADF operations, adding a new capability and creating a force multiplier.
They can engage targets that can’t be reached with conventional capabilities without causing unacceptable collateral damage or overt acknowledgement.
They provide global reach.
They provide an asymmetric advantage against an adversary for a relatively modest cost.
They can be overt or clandestine, depending on the intended effect.
WEAKNESSES
Capabilities need to be highly tailored to be effective (such as the Stuxnet worm that targeted Iran’s nuclear centrifuges), meaning that they can be expensive to develop and lack flexibility.
When used in isolation, they are unlikely to be decisive.
Major, blunt attacks (such as Wannacry or NotPetya) are relatively cheap and easy, but are unusable by responsible state actors such as Australia. Achieving the appropriate specificity and proportionality requires investment of time and effort.
The capability requires constant, costly investment as cybersecurity evolves.
Government must compete for top-tier talent with private industry.
For operations short of ‘cyber attacks’,16 the effects can be relatively short-lasting and limited.
Capability can’t be showcased as a deterrent in the same way that conventional capability can, because revealing specific capability renders it redundant as defences are repaired.
Target development can require intensive intelligence support and can take a very long time.
7. Future challenges and recommendations
Offensive cyber operations are relatively new and developing in a fast-moving environment. Below are issues and recommendations stemming from research for this report.
RECOMMENDATION 1: CAREFULLY STRUCTURE COMMUNICATIONS TO REASSURE NATION-STATES AND ENFORCE NORMS
As Australia’s offensive cyber capability has only recently been publicly acknowledged and is subject to sensationalist reporting, careful communication is required. When he first acknowledged the capability, the Prime Minister said doing so ‘adds to our credibility as we promote norms of good behaviour on the international stage’.17 Poor communications, however, can have the opposite effect. The limited detail and mixed reporting of the announcement that Australia would use offensive cyber capability against offshore cybercriminals inadvertently sent the message that it was acceptable for states to launch cyberattacks against people overseas whom they considered to be criminals. This might encourage some states to use crime as a pretext to launch cyber operations against individuals in Australia.
To address this, the Australian Government should be careful when publicly discussing the offensive capability, particularly to distinguish the military and law enforcement roles. One option to do this would be to have the Attorney-General, the Minister for Justice or the new Home Affairs Minister discuss operations related to law enforcement aspects of the capability and to have the Minister for Defence discuss those related to military capabilities.
RECOMMENDATION 2: USE INNOVATIVE STAFF RECRUITMENT AND RETENTION OPTIONS
Recruiting and retaining Australia’s top technical talent is a major hurdle. In the medium term, ASD will have to continue to invest heavily in training, raise salaries (ASD becoming a statutory authority will help it address this) and develop an alumni network and culture that allow former staff to return in new roles after a stint in private industry. A pool of alumni working as cleared reservists could also be used as an additional workforce without the significant investment required in conducting entirely new clearances.
RECOMMENDATION 3: DEEPEN INDUSTRY ENGAGEMENT
ASD capability being deployed against cybercriminals is likely to generate increased interest from corporate Australia. There’s a policy question about whether or not Australia’s offensive cyber capability should be used in support of Australian corporate interests. Given the finite resources and the tricky situations that could arise, government should consider useful ways industry could engage, clarify the limits of industry engagement and assess how to handle industry requests to use the offensive cyber capability against actors targeting its operations.
RECOMMENDATION 4: CLASSIFY INFORMATION AT LOWER LEVELS
It has long been argued that over-classification of material, such as threat intelligence, by governments prevents easy information exchange with the outside world, including key partners such as industry. The government has recognised this and is positioning ‘Australian Cyber Security Centre (ACSC) 2.0’ to facilitate a more cooperative and informed relationship with the private sector. Similarly, the government should continue to scope the potential benefits from lowering the classification of information associated with offensive cyber operations. In particular, there are benefits in operating at the SECRET level for workforce generation and training, and providing a ‘halfway house’ to usefully employ incoming staff as they wait during vetting procedures. More broadly, excessive classification slows potentially valuable two-way information exchange with the information security community.
RECOMMENDATION 5: INVEST TO CREATE AN ASYMMETRIC CAPABILITY
The 2016 Defence White Paper noted that ‘enhancements in intelligence, space and cyber security will require around 900 ADF positions’.18 Those positions were part of the $400 million 19 in spending announced in the White Paper and will be spread across the ADF. While this is significant, given the limits of what can be achieved with current spending on conventional kit, the Australian Government should consider conducting a cost–benefit analysis on the relative value of substantial further spending on cyber to provide it with an asymmetric capability against future adversaries. This would need to include a considerable investment in training.
RECOMMENDATION 6: CONSIDER UPDATING THE POLICY AND LEGISLATIVE FRAMEWORK
There appears to be sufficient legislation, policy and oversight to ensure that ASD and the ADF work together in a lawful, collaborative and cooperative manner to support military operations. The 2017 Independent Intelligence Review noted that ASD’s support to military operations is indispensable, and will remain so.
While those oversight arrangements may be sufficient for now, the ADF will inevitably need to incorporate offensive cyber on the battlefield as a way to create local effects, including force protection measures and to deliver effects currently generated by electronic warfare (such as jamming communications technology). It should not always be necessary to reach back to the national authorities for clear-cut and time critical battlefield decisions. There appears to be scope to update the existing policy and legislative framework that governs the employment of offensive cyber in deployed operations to support those kinds of activities.
Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers.
Noah Shachtman, Peter W Singer, The wrong war: the insistence on applying Cold War metaphors to cybersecurity is misplaced and counterproductive, Brookings Institution, Washington DC, 15 August 2011, online. ↩︎
Michael S Rogers, Statement of Admiral Michael S Rogers, Commander, United States Cyber Command, before the House Committee on Armed Services Subcommittee on Emerging Threats and Capabilities, 23 May 2017, p. 1, online; Laura Criste, ‘Where’s the cyber money for fiscal 2018?’, Bloomberg Government, 19 July 2017, online. ↩︎
Thomas Rid, Cyber war will not take place, Oxford University Press, 2013, p. 42. ↩︎
Malcolm Turnbull, ‘Address to parliament: national security update on counter terrorism’, 23 November 2016, transcript, online. ↩︎
Malcolm Turnbull, ‘Offensive cyber capability to fight cyber criminals’, media release, 30 June 2017, online. ↩︎
‘Cyber warfare: Australia launches new military information unit to target criminal hackers’, The Australian, 30 June 2017, online. ↩︎
The Counter Terrorism Yearbook is ASPI’s annual flagship publication curated by the Counter Terrorism Policy Centre, now in its second year of publication.
It is a comprehensive resource for academics and policymakers to build on their knowledge of counterterrorism developments in countries and regions around world.
Each chapter in the Yearbook is written by internationally renowned subject matter and regional experts, who provide their insight and commentary on counterterrorism policy, legislation, operations and strategy for a specific country/region, concerning the year in review, and looking at challenges for the year ahead.
Australia’s strategic situation is deteriorating—is it time to revisit the Defence White Paper?
Australia’s strategic situation is deteriorating. The 2016 Defence White Paper set out six drivers that shape our security environment. None has improved since the White Paper appeared, and most have worsened significantly.
The existing rules-based global order is under threat. China simply ignores it when it chooses, for example with its de facto annexation and subsequent militarisation of the South China Sea, and is embarking on creating a new regional order that it seeks to define alone. The current leadership of the US appears unable to decide whether it wants to support the existing order, ignore it, or tear it down. Meanwhile, the relative power gap between the two continues to decrease, as China’s economy and military grows.
The development of emergent technologies such as cyber, space-based capabilities, artificial intelligence and hypersonics continues apace. We’re also seeing clear Islamic State links into terrorist attacks in Southeast Asia, some involving returned fighters. All of these developments, taken together, suggest that the ADF will be confronted with an increasingly broad spectrum of threats. The question is whether Defence can be stretched even further to cover them all, or whether it should focus on addressing particular ones.
Unfortunately, the 2016 Defence White Paper doesn’t provide clear guidance on prioritisation. It might be time for the government to revisit some of the White Paper’s assumptions, either to confirm that it does set out the right path, or, as we believe it should, make some changes to the plan.
Marcus Hellyer discusses key findings with Michael Shoebridge
Funding
With $36.4 billion in funding, Defence is heading towards 2% of GDP
Against that strategic background, the 2018–19 defence budget continues to deliver the vision set out in the White Paper. In 2018–19, the government is increasing the defence budget towards its commitment of 2% of GDP by 2020–21. Based on the Defence Portfolio Budget Statements (PBS) and GDP predictions in the budget papers, we calculate that it will fall just short, at 1.98%, but that’s essentially a $400-million rounding error. And, based on forward estimates predictions, the Defence budget will grow past 2% in 2021–22.
We should note, however, that Defence’s funding, as presented in this year’s budget, falls short of the fixed funding line presented in the White Paper by around $5 billion by the end of the forward estimates. The government essentially made two funding commitments—2% of GDP and a fixed funding line—and it’s possible it could meet one without reaching the other. Nonetheless, Defence continues to enjoy real increases to its funding.
The growth continues to be centred on Defence’s capital program. While capital investment has historically been the poor cousin alongside personnel and operating funding, the three are now roughly equivalent, and by 2020–21 capital funding could exceed the others for the first time. But it will need to, if Defence is to be able to afford the future force.
Defence has used that increase to invest heavily in remediating infrastructure. And while the shipbuilding enterprise is still in its early days, many other capital investment projects are delivering capability—Air Warfare Destroyers, P-8 maritime patrol aircraft, trucks, battlefield communications and airlifters, for example. And the Air Force’s transformation into a fifth-generation force is well underway. There is no doubt we are getting a more capable ADF.
Signs of pressure
We are starting to see the first signs of cost pressure on Defence
But, as always, there are things to be concerned about.
Full-time ADF personnel numbers are programmed to grow to 59,794 this year on the way to the White Paper target of 62,000. But actual growth has been slow, and Navy (potentially the service whose future platform growth is greatest) is going backwards. Civilian numbers fall by around 2,000 due to the Australian Signals Directorate becoming a statutory agency. Overall, however, net civilian numbers remain unchanged at the White Paper level—that is, well below where they were five years ago, potentially requiring greater reliance on expensive contractors. Funding for personnel effectively flat lines at less than 1% real increase annually over the forward estimates. That seems to be inviting future cost pressures, since ADF numbers are meant to increase, and individual personnel costs have historically increased in real terms.
Also, sustainment budgets appear to be increasing faster than predicted. Between last year’s PBS and the mid-year Additional Estimates update, the sustainment budget increased by $1.5 billion, or 16.7%. And this year’s sustainment budget is around $1 billion more than predicted last year. Some of that is likely to be due to different accounting practices that Defence has adopted, but one gets the sense that perhaps the sustainment requirements of an increasingly complex force were underestimated in the White Paper and Defence is having to adjust.
That could be one reason why Defence is underachieving against its predicted capital spend. Overall, its capital spending is increasing at a healthy rate, but it is likely to fall short of the spend predicted over the 2016–17 forward estimates by about $4 billion or so. Half of that may be due to foreign exchange adjustments, so it’s not a huge shortfall in the grand scheme of things, but probably confirms, first, that it’s always hard to ramp up investment spending quickly and, second, the sustainment increase had to come from somewhere.
Investment in ICT appears to have crashed last year, falling by 72% or $644 million between the PBS and Additional Estimates. It may be that ICT projects failed to deliver, or that sustaining current legacy ICT systems sucked funds away from investment in new acquisitions. Since there’s a complete lack of public reporting on the ICT program, it’s impossible to know what happened. The lack of transparency on ICT is particularly troubling, as the Integrated Investment Program foreshadows over $10 billion in ICT projects that are central not only to Defence’s corporate information systems, but also to its war-fighting ability.
This lack of transparency extends beyond the ICT program. While the government is claiming to be approving record numbers of projects, there’s no public record of what they are, let alone information on their scope, schedule or budget. For approved projects, there’s no reporting on progress unless they’re big enough to make the Major projects report of the Australian National Audit Office (ANAO). This year, for the first time, the PBS does not even include a list of project approvals planned for the coming year. That’s unfortunate, because capital investment projects lie at the heart of the government’s White Paper plan, so both the government and Defence should do better at transparency.
Location, location
Everybody has a view on industry policy but the key question must always be, does it make sense to do it here?
TheCost of Defence looks at two issues in more detail this year. The first is the government’s defence industry policy. A few years ago, it seemed as if everybody had an opinion on which fighter planes and submarines Australia should buy. Now the discussion has moved on to whether and what we should build in Australia. At some level, this isn’t a debate that can be resolved by data alone, as it involves issues of identity and ideology. At one end of the spectrum there are the economic rationalists who argue that there’s no net national benefit in subsidising uncompetitive industries, whether they be car manufacturing or shipbuilding. While Australia has been the world’s fifth biggest arms importer over the past decade, that has enabled us to get access to the most advanced military technologies when we need them at a price we can generally afford.
At the other end there are those who argue, whether for reasons of sovereignty, jobs, or even parochialism and prestige, that we should do as much as we can here. And in between there are those who see merit in both sides; perhaps we should be doing more to keep some of the money that we send offshore to buy arms here in Australia, but not at the 30-40% premium RAND Corporation suggested we were paying for shipbuilding, particularly if it means less capability for our servicemen and women.
The government’s industry policy includes elements of all of the above, which means that at times it appears inconsistent. Its policy documents state that, ultimately, developing Australian industry and exports is about improved capability for the ADF. Yet in practice it appears to favour building in Australia regardless of the cost premium and consequent decrease in output delivered to the ADF. Ultimately, our view is that we should support Australian defence industry when the costs and risks are understood and it makes sense to do so. However, based on the ANAO’s analysis, it doesn’t appear that Defence understands the premiums involved in local builds, so it’s hard to see how robust the business cases for local builds can be.
That said, once the government has made the initial decision to build in Australia, its choice of submarines, offshore patrol vessels, and armoured vehicles appears to have been based primarily on capability. For their part, the international primes have got the message that to be competitive they need robust Australian industry plans and partnerships with local companies and universities. Centres of excellence and cooperative research undertakings have been established, so industry seems to be meeting the government’s demand it put more skin in the game.
Innovation and R&D
Increasing funding for innovation and R&D seems like a safe bet
The innovation programs announced in the White Paper appear to be getting grant money out the door and, while it’s early days, anecdotally at least we are seeing local success stories. Since the funding involved is small compared to that spent on things like shipbuilding, it makes sense to double or even triple it in order to support the government’s broader innovation agenda, to keep up with other nations’ investments in emergent technologies, and to enhance Defence’s existing capabilities, which will have to remain in service for a long time until the future force is delivered.
In terms of exports, the goal of becoming a Top 10 defence exporter seems not only overly ambitious but also distracting. Rather than focusing on exporting platforms, there’s probably more benefit to be had by leveraging our involvement in the shipbuilding and armoured vehicle projects into greater access for Australian industry into the international primes’ supply chains for projects that they’re conducting around the world, not just here. That can achieve economic benefits here long before the mirage of submarine exports is realised.
Naval Shipbuilding
Naval Shipbuilding locks in $3.5-4 billion of cash flow, every year, forever
Which brings us to the second area that we’ve examined in more detail: the affordability of the Naval Shipbuilding Plan. There’s no getting around the fact that building modern warships is expensive. There are two numbers that perhaps warrant closer consideration than the $89 billion headline figure that’s widely quoted. The first is the $20 billion that the future frigate and future submarine projects will have spent between them before they each deliver usable capability (probably around 2028 and 2032, respectively). That’s a lot of cash to have tied up while our strategic circumstances deteriorate and our current platforms age. As ASPI has suggested previously, it’s probably worth looking at what Defence can do in the meantime in the form of cost-effective ways to enhance capability sooner.
The second number is the $3.5–4 billion in annual cash flow that we estimate the shipbuilding plan will require once it’s up and running. Granted, the capital equipment budget is growing. But shipbuilding will potentially consume around 30% of it on an ongoing basis. On the one hand, this smooths out the peaks and troughs, but on the other, since it sits at that level forever, it limits the room available for other capabilities. And since continuous local build appears to now be the government’s policy, there are likely to be other builds locked in forever (protected vehicles, armoured vehicles and so on), further shrinking the funding space for other capabilities and future flexibility.
Since the Navy is essentially undergoing a transformation that will double its tonnage, sustainment costs will also increase. Submarine and frigate sustainment (currently the largest and third largest sustainment lines in Defence) are likely to triple and double, respectively. Submarines alone could cost $2 billion a year to operate, on top of $2 billion a year to build, which together will potentially require 10% of Defence’s total budget for one capability. Granted, we are still a long way away from having all the future frigates and submarines, but at a time when western navies are shrinking due to the cost of building and operating modern warships, the fact that we are moving in the other direction raises questions about affordability.
And in order to get something close to a reasonable return on that capital investment, the Naval Shipbuilding Plan locks in a two-year delivery ‘drumbeat’ for frigates and submarines. Not only does this mean that it will be a very long time before the future fleet is delivered while our strategic environment is deteriorating, but it also limits Defence’s ability to manage cash flow by slowing things down, as that will further delay delivery and affect jobs.
There are other cost pressures. The future sustainment cost of the Joint Strike Fighter is a big unknown, but if it’s anywhere close to the jump from the classic Hornet to Super Hornet (around three times as much per aircraft), it will be hard to absorb.
In short, the megaprojects, in particular shipbuilding, have the potential to crowd out other capabilities. Historically, it’s the enablers (facilities and ICT) holding everything together that suffer. But it could be that the big projects will also distort the overall force structure. There are already signs of that, and the ANAO has noted that Defence may have to increase the future submarine project’s budget by $6.7 billion, even before the first submarine is delivered. That can only come from other areas of planned expenditure, most likely other capital investment.
Information sharing
Because these things are so big, and so important, Defence needs to get better at sharing information with the public
In the light of their centrality, both to Australia’s future military capability and to the government’s defence industry policy, there need be informed understanding and public scrutiny of the future frigate and future submarine projects—the two biggest projects in Defence’s, and potentially the nation’s, history. That discussion must be supported by real data. As a minimum, the two projects should be included in the ANAO’s Major projects report, regardless of whether they have received formal second-pass approval from government.
Because the media, the public and Defence often argue past each other when discussing the cost of military equipment, we have include a chapter (Chapter 7) that illustrates how Defence costs major acquisitions and shows why the ‘sticker’ price is very different from Defence’s total project budget. Hopefully this will contribute to better discussion around what the cost of Defence and its capabilities actually is.
So to sum up, the government is broadly meeting its commitment to get the Defence budget to 2% of GDP. But the content and timing of Defence White Paper’s investment program have not been revisited, despite changes (for the worse) in the strategic environment it was intended to address. Funding pressures are already emerging, with more to come in sustainment and personnel right at the time when a large share of the investment budget is being tied up in shipbuilding.
Informed decision making and public debate on these issues is essential to navigating them in order to keep Australia secure. To support this, the government needs to demand Defence provide greater public transparency in its planning and reporting.
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquires should be addressed to the publishers.
Notwithstanding the above, Educational Institutions (including Schools, Independent Colleges, Universities, and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.
Published in Australia by: Australian Strategic Policy Institute (ASPI) Level 2, 40 Macquarie Street Barton ACT 2600 Australia
Note on title: The figure of $99,606,202.74 represents one three-hundred-and-sixty-fifth of the consolidated Defence appropriation (including the Australian Signals Directorate) for 2018–19. This does not include funds appropriated to the Defence Housing Authority, nor those administered by Defence for military superannuation schemes and housing support services.
The Internet of Things (IoT) is the term used to describe the growing number of devices being connected to the internet. Some of the more common IoT devices include home appliances such as Google Home, wearable devices, security cameras and smart meters.It’s been predicted that the number of connected devices was close to 8.4 billion in 2017 and that there will be over 20 billion devices connected by 2020.1 Even though the IoT has been developing since the rise of the internet in the early 1990s, there’s no universally accepted definition. Kevin Ashton, who coined the phrase in 1999, says the IoT is much more than just connected appliances and describes it as a ‘ubiquitous sensor network’ in which automation leads to innovation.2 While there are some justifiable cybersecurity concerns about the IoT, there are also many notable advantages to living in a connected world. The IoT is saving lives through advanced healthcare technology, manufacturers are saving time and money through automation and tracking, and a plethora of home devices are adding value to people’s lives by providing a range of different services.
There are many different ways to categorise IoT devices, which makes safeguarding the technology challenging. The IoT can be dissected by industry, such as healthcare, transport, manufacturing and consumer electronics. One major subcategory of the IoT has earned its own acronym: the IIoT, to which control systems belong. Another way of categorising devices is by looking at their individual capabilities. Devices that can take action pose a different threat from devices that simply collect data to report back to the user.
The IoT offers benefits to all industries, but the connectivity of these once isolated things also introduces new vulnerabilities that can affect our homes and industries. As well as promising convenience and efficiency, the IoT is a problem because a vast number of internet connected devices with poor default security create a large attack surface that bad actors could take advantage of for malicious ends. A variety of international organisations and government groups are working on issues pertaining to the IoT, but at present there’s no coordinated vision to implement standards for the IoT on a global scale. Similarly, in Australia, a host of different cyber agencies and industrial groups are working to overcome some of the cybersecurity issues that the IoT presents, but a coordinated strategy detailing how government and industry can collaborate on the IoT is needed.
This issues paper aims to give a broad overview of IoT issues to increase awareness and public discussion on the IoT.
In December 2017, ASPI’s International Cyber Policy Centre produced a discussion draft asking stakeholders key questions about IoT regulation, governance, market incentives and security standards to help inform this issues paper. We received responses from government, industry representatives, technical experts and academics. While those stakeholders were consulted in the research phase of this paper, the views here are those of the authors.
THREAT TO CRITICAL INFRASTRUCTURE
In 2016, a severe storm disrupted crucial services in South Australia, resulting in a loss of power for 850,000 customers.3 Trains and trams stopped working, as did many traffic lights, creating gridlock on flooded roads. The storm, together with the failure of backup processes, resulted in the death of a number of embryos at a fertility clinic in Flinders Hospital.4 The total cost for South Australian businesses as a result of the blackout was estimated to be $367 million.5
Some have noted that, due to the interconnectedness of infrastructure, this event mirrored the potential effects of a large-scale cyberattack.6
Disrupting utilities that power an entire city could cause more damage than traditional terror tactics and can be done externally and with more anonymity.
Again, severe storms demonstrate that a loss of power can cause more deaths than the physical destruction of infrastructure.
When Hurricane Irma caused the air conditioning at a Florida nursing home to fail, 12 residents died of suspected heat-related causes.7
Digital weapons are being used intentionally by nation-states to inflict physical destruction or compromise essential services. The now infamous attack on Iran’s nuclear program, known as Stuxnet, used infected USB drives to contaminate computer systems with malware,8 which caused physical damage to a number of uranium centrifuges.9 In 2015, hackers used stolen user credentials to attack a Ukrainian power grid, which resulted in loss of power for more than 230,000 people.10 In 2016, the attackers used malware specifically designed to attack Ukraine’s power grid to disrupt the power supply to Kiev. This indicates that malicious actors have both the resources and the intent to develop cyberattack capabilities targeted at essential services.11
The IoT overlaps with critical infrastructure because many control systems are also now connected to the internet. Kaspersky researchers found more than 3,000 industrial control systems in Australia by using Shodan and Censys IoT search engines.12 Studies have also revealed vulnerabilities in control systems made by major vendors, such as Schneider Electric and Siemens.13
In the discussion version of this paper, several respondents expressed the view that a separate cyber organisation focusing specifically on the security of critical assets and services would be unhelpful. However, many acknowledged a need for greater collaboration between those responsible for protecting these assets to help mitigate IoT-related threats.
The Australian Cyber Security Centre (ACSC) could seek to increase coordination between owners and operators of critical assets, helping with the technical aspects of adopting voluntary industry standards for the IoT. The ACSC has the technical expertise to participate in the formation of international standards and could work with policy experts in the Department of Home Affairs to encourage national adoption.
THE CYBER LANDSCAPE IN AUSTRALIA
The cyber landscape in Australia is complex. Government cybersecurity responsibilities have recently been reorganised through the establishment of the Department of Home Affairs and structural changes to the Australian Signals Directorate and ACSC. Getting a clear picture of roles and responsibilities was difficult, and it would be beneficial to identify any gaps in roles and responsibilities after these recent organisational changes have been properly implemented. Industry roles could be identified in an IoT road map that helps industry and government bodies work together to more effectively mitigate IoT threats. Consumers should be educated on cybersecurity and responsible ownership of IoT devices, including patching and updating, building on initiatives such as Stay Safe Online.
The IoT has exacerbated an already confronting problem: the lack of skilled cybersecurity professionals both nationally and globally.
The Australian Cyber Security Growth Network estimates that a further 11,000 skilled experts will be needed in the next decade.14 In January 2018, the network announced that cybersecurity qualifications will be offered at TAFE institutions around Australia, which is a significant step forward.15 However, cybersecurity is a broad domain that requires not only workers with technical skills but also experts in risk management and policymaking, among other areas. Advances in automation and data analytics could help to address the skills shortage, as those technologies will increase the availability of cybersecurity experts, by replacing technical jobs in other areas.
We need to think about IoT security as a holistic system that combines practical skills-based training with industry best practise. The under-representation of women in cybersecurity has been widely noted and overcoming it was listed as a priority in Australia’s Cyber Security Strategy.16 The government has conducted research to better understand the issue and is running workshops to help increase participation.17
SECURITY RATINGS AND CERTIFICATIONS
A number of countries, including Australia, are considering the value of security ratings for IoT devices. In October 2017, Dan Tehan, the then Minister Assisting the Prime Minister on Cybersecurity, suggested in a media interview that such ratings should be created by the private sector, not by the Australian Government.18 The UK Government is also exploring ‘how to encourage the market by providing security ratings for new products’, as outlined in its National Security Strategy.19 Introducing a product security rating for consumer electronics has the potential to improve awareness of cybersecurity issues and to encourage industry to adhere to minimum security standards. But whether the ratings should be initiated by government or industry is only the beginning of the issue, as there are several problems with cybersecurity ratings that need to be addressed.
First, the vulnerability of an IoT device could potentially vary over its lifetime as weaknesses are discovered and then patched. The energy efficiency of a refrigerator or washing machine, by contrast, is relatively fixed, and so energy-efficiency ratings can be trusted over the device’s lifetime. With IoT devices, new vulnerabilities are constantly being exposed. At best, a security rating would reflect the security of a device based on the information available at the time of the security assessment. It would need to be adapted as security standards evolve and new vulnerabilities are discovered.
Second, it’s worth investigating whether a cyber rating could lull consumers into a false sense of security by negating their own role in protecting themselves from attack. Before implementing a security rating system, we need to research whether purchasing a device that claims to be secure could make consumers less likely to install updates or change default passwords.
Third, as mentioned in the introduction of this report, there’s considerable variation in IoT products. A Jeep Cherokee and a baby monitor (both of which have been compromised) present vastly different dangers, but the compromise of either can have serious consequences. While all IoT devices should include baseline security features in the design phase, devices deemed to be high risk should also require commensurately robust security features. Burdening otherwise cheap, low-risk devices with expensive certifications or strict security regulations, however, could make them commercially unviable in Australia. It’s important to recognise that it will be challenging and expensive to come up with a rating that appropriately addresses all the different categories of IoT devices.
In 2018, the IoT Alliance Australia (IoTAA) is prioritising the introduction of an ‘IoT product security certification program’ as a part of its strategic plan.20 Exactly what this will look like remains unknown, but it’s likely to be performed by accredited independent bodies that evaluate products based on security claims. The Australian Information Industry Association recommends an accreditation scheme that would also certify organisations making IoT devices. The authors’ view is that some manufacturers (for example, Samsung) make so many products that this would be ineffective as a stand-alone tactic, but this idea could be used in collaboration with an individual product rating.
REGULATION AND STANDARDS
Regulation and standardisation are at the forefront of the IoT debate, and positions tend to be polarised, as reflected in the responses to our discussion draft. The respondents acknowledged that regulation isn’t always effective and can impose a significant cost, but some also said that there’s potentially room for government to play a more direct role if a device is deemed to provide a critical service to the community. Some industries, such as transport and healthcare, already have safety standards addressing a wide range of security concerns; those standards need to prioritise current and emerging cybersecurity threats.
Multiple IoT-related bills introduced into the US Congress last year exemplified some of the legislative attempts to enforce IoT security by way of law. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 stresses the importance of built-in security and the provision of security patches,21 while the Cyber Shield Act of 2017 seeks to introduce a voluntary certification process for IoT devices.22
While US lawmakers have proposed some government regulation, some in Australia believe that IoT security would be more effectively regulated by industry.
Legislation takes time to introduce and often struggles to keep pace with the quickly evolving technology it seeks to control.
Taking a market-driven approach to IoT security may mean that imposed standards will more rapidly adapt to the changing security climate.
Some classes of IoT devices, however, present little threat to their owners, but their poor security allows them to be co-opted in ways that can be used to harm other internet users or internet infrastructure. This is similar to a widget-making factory that causes air pollution; the factory owner and widget buyer both benefit from lower costs of production and neither has a strong incentive to do the work needed to reduce air pollution, as that would raise costs. In economics, this is described as a negative externality, and negative externalities can be effectively dealt with through regulation. The authors’ view is that incentives do not exist for effective industry-led standards to develop, especially for consumer IoT devices.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are the two major global providers of standards. The ISO and IEC have a joint technical committee focusing on information technology and a subcommittee focusing on the IoT and related technologies. Australia is a member of the subcommittee through Standards Australia. ISO/IEC also has the 27000 series, which is a series of standards that addresses the security of information security management systems.23
The European Union Agency for Network and Information Security released baseline security recommendations for the IoT in late 2017.24 Standards have also been developed in Asia, including a draft policy on the IoT by India25 and a general framework by Japan.26 Other organisations working on IoT standards include the IEEE (Institute of Electrical and Electronics Engineers), The Open Group, and SAE International. While a considerable amount of work on IoT standards has been completed, a draft report on the status of global IoT standards by the National Institute of Standards Technology in the US indicates that there’s a long way to go. The report reveals several gaps in current standards development and implementation, including network security, IT system security evaluation and system security engineering.27 It also highlights the variety of SDOs (standards development organisations) working in this space. There’s currently a need for international consensus on IoT standards and a clear pathway to implementation.
Locally, the IoTAA has drafted multiple versions of IoT security guidelines to help promote secure designs for manufacturers and to support industry in understanding security and privacy issues. The IoTAA has also outlined key focus areas for 2018 in its Strategic Plan to Strengthen IoT Security. Australia also has iotsec, a non-profit start-up that promotes security in IoT devices to help industry and consumers.
While regulation and standardisation are often thought of in a binary way (enforced by either government or industry), the feedback from the discussion draft highlighted the importance of approaching IoT security in a holistic manner, in which government, industry and consumers all play a role. Furthermore, IoT cybersecurity is a problem of global, not national, proportions. Devices sold in Australia are manufactured all over the world. Being only a small proportion of the IoT market, Australia risks becoming a dead-end market if device makers’ security costs outweigh their income from sales. For this reason, any attempt to introduce standards for IoT devices in Australia must be done with a global mindset. The challenge now is to reach international consensus and to encourage manufacturers to adopt the standards. An IoT definition would help to focus global efforts both to secure and to develop the technology and help to articulate its scope.
CONCLUSION
The IoT offers Australia many economic and social advantages and should be embraced and used to benefit all Australians. However, it also introduces new risks and vulnerabilities that our current regulatory systems aren’t necessarily mitigating effectively.
It’s the authors’ view that our current policy and regulatory settings are almost certainly sub-optimal, but effective management of the IoT from a government policymaking perspective requires many difficult trade-offs, and easy answers aren’t immediately apparent. Corruption of traditional ICT devices such as phones and laptops has resulted in the theft of both personal and corporate data. Connecting more devices, such as watches, whitegoods, automobiles and industrial equipment, has intensified this problem and introduced new types of threats. Other incidences of organised crime and terrorism have shown that malicious actors exploit seams in systems, regulation and security.
For this reason, it is imperative that we continue to address gaps in these areas to limit opportunities for the exploitation of IoT devices.
This paper is intended to illuminate some of the issues involved in managing IoT risk so that industry and government can have a robust discussion and work collaboratively to improve the security of IoT devices.
Gartner, ‘Gartner says 8.4 billion connected “things” will be in use in 2017, up 31 percent from 2016’, 2017, Gartner.com, online. ↩︎
Rain RFID Alliance, ‘RAIN Q&A with Kevin Ashton RFID and the internet of things’, 2015, pp. 1–4 ↩︎
IEEE. Sagar Samtani, Shuo Yu, Hongyi Zhu, Mark Patton, Hsinchun Chen, Identifying SCADA vulnerabilities using passive and active vulnerability assessment techniques, University of Arizona, 2016 ↩︎
National Institute Standards Technology, Interagency report on status of international cybersecurity standardization for the internet of things (IoT), 2018, pp. 54–55 ↩︎
Important disclaimer This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.
Acknowledgements We thank all of those who contribute to the ICPC with their time, intellect and passion for the subject matter. The work of the ICPC would be impossible without the financial support of our various sponsors but special mention in this case should go to JACOBS, which has supported this research.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/03/12160643/city-at-night-Static.jpg10801920nathanhttps://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/04/10130806/ASPI-Logo.pngnathan2018-03-19 06:00:192025-03-12 16:32:40The Internet of Insecure Things
Another major government digitisation scheme—digital identity—is set to cause controversy and risk further disempowering Australians in the absence of clearer policy and legislative controls. That’s problematic because digital identity has the potential to power the 21st-century economy, society and government by providing easy, high-confidence verification of identity that will allow millions of offline transactions to move online and enable a string of enhanced services, such as easy delegation of authority (for example, to pick up prescriptions) and verifications (such as proof of age online).
However, the national digital identity program, known as GovPass, faces obstacles on multiple fronts:
Public communication about the scheme and its implications has been wanting, leaving the public largely unaware of the change afoot.
A key biometric enabling service for digital identity, the Face Verification Service (FVS), risks being conflated with the far-reaching law enforcement biometric enabler—the Face Identification Service (FIS)—that’s part of the same national facial biometric matching capability agreed to by Australian Government and state and territory government leaders in October 2017. The FIS lacks adequate safeguards and in its current form is likely to attract public opposition far exceeding that directed towards the My Health Record scheme.
The government is now building two digital identity schemes that will compete against each other. The first, which is already operational, was built by Australia Post at a cost of $30–50 million and is known as Digital iD. The second scheme, GovPass, secured $92.4 million in the 2018–19 Budget to create the infrastructure that will underpin it and fund its initial rollout.
Neither GovPass nor Digital iD is governed by dedicated legislation, beyond existing laws such as the inadequate Privacy Act 1988, leaving Australians vulnerable to having their data misused.
The lack of clarity about how the private sector will and will not be able to use the schemes will turbocharge the ability to gather detailed profiles of individual Australians. Controls are needed to prevent a Western version of China’s ‘social credit’ scheme emerging.
What’s the solution?
National multi-use identity schemes have a poor track record in Australia. To gain public approval for this major reform, the government needs a fresh approach that places the citizen at the centre of the system. To help restore public confidence in digital initiatives after a string of failures, the introduction of this reform needs to be accompanied by an overhaul of citizens’ and consumers’ rights so that they’re fit for purpose in the 21st century.
The government should work with civil society to stimulate and lead a national debate on the benefits of digital identity, including medium- to long-term plans for the scheme. It should emphasise the strengthened protections that the public will gain against the encroachment on citizens’ rights that this and other digital reforms are producing.
Proposed legislation enabling the FVS and FIS should be far more tightly drafted, paring back the applications that the FVS and the FIS can be used for and precisely defining their uses. Dedicated legislation should be introduced to govern both government digital identity schemes.
Opportunities should be explored to avoid duplication between the two schemes. Protections for individuals in the schemes should be strengthened to prevent private-sector actors using the service to build profiles of individual citizens and on-selling those profiles in a for-profit version of China’s social credit scheme. While detailed customer profiles can already be built through methods such as loyalty programs, digital identity will enable a vastly expanded range of activities to be linked to verified identities and so exponentially expand the scope for profile building and ranking if left unchecked.
Introduction
The 2014 Financial System Inquiry recommended that the government ‘develop a national strategy for a federated-style model of trusted digital identities’ that would be accessible for both public and private identity verification.1 The recommendation was subsequently agreed to by government.2 Creating this digital identity is a major micro-economic reform. How it’s deployed, structured, understood and protected will fundamentally shape the sort of Australia we end up with.
On 5 October 2017, the then Prime Minister and state and territory leaders laid the foundation for digital identity when they agreed to establish a ‘national facial biometric matching capability’. This connects national, state and territory photographic databases via an exchange. It has two key components. The FVS will use the exchange to allow digital identity verification. This is a one-to-one image-based verification that matches a person’s photo against an image on one of their government records (such as a passport photo) to help verify their identity. The second component, the FIS, is a one-to-many image-based identification service that matches a photo of an unknown person against multiple government records to help establish their identity and is designed for law enforcement purposes.3
What’s digital identity?
Digital identity is essentially a credential scheme allowing you to quickly confirm your personal details, entitlements and authorisations, such as proving you are over 18 years old or an Australian citizen, online or in person via your phone.
It requires a one-off verification—for example, by photographing your driver’s licence with your phone (the details of which are then checked against the relevant government database) or, for higher level verification, taking a selfie (which is then checked against a biometric template of your face that the government has collated).4
The selfie is tested against only one image—the document consented to and nominated by the individual.5 Through the FVS, the selfie would be checked separately against a template of the photos that it’s compared against, which would be your driver’s licence photo, a passport photo or a visa/citizenship photo.
Stored on a mobile app, you can use this digital identity to transact with government and companies (for example, by entering your phone number on their websites and then providing permission to undertake the identity check via your digital identity mobile app) or in person, without needing to carry a wallet and identity documents.
Australians make more than 800 million transactions with government annually; 26 million of those transactions involve face-to-face verifications, and more than 300 million require phone or other authentications. Some 750,000 applications for tax file numbers are made each year, requiring in-person verification or the sending of certified copies—a process that can take up to 40 days.6
More broadly, the government operates more than 30 different logins for online services.7 A single government digital identity can simplify this landscape, allowing a single login for each individual across governments—federal, state and territory—and also simplify the 800 million transactions. This can significantly reduce irritation on the part of citizens accessing government services, and if done properly should in fact enhance privacy by tailoring the amount of personal information disclosed to the bare minimum required for the specific transaction. It has many other far-reaching applications, such as improving child safety online, reducing cyberbullying and de-anonymising the online experience.
Decoding the jargon
MyGov: the existing common credential for authenticating to many government departments, but without strong identity verification (generally, you have to prove who you are to each department).
MyGovID: the brand name for the Australian Taxation Office’s (ATO’s) new ‘Commonwealth digital identity provider’ (formerly, AUSid). This is the portal through which people can validate their identity under the GovPass scheme.
GovPass: the overall system name for the federated identity scheme of the Digital Transformation Agency (DTA). MyGovID will be one of the components of GovPass and will allow people to validate their identity. GovPass is a DTA-led multiagency program in which the DTA plays an oversight, integration and delivery role, working in collaboration with the ATO, the Department of Human Services (DHS) and the Department of Home Affairs.
Trusted Digital Identity Framework (TDIF): the standards that describe the GovPass identity federation, which include provision for multiple identity providers, subject to their accreditation (currently Australia Post’s Digital iD and the ATO’s MyGovID).8 This creates consumer choice, but also means that all identity providers need to maintain high security standards if citizens’ data is to be protected. The TDIF defines the requirements to be met by government agencies and organisations in order to achieve TDIF accreditation for their identity services (for example, as an identity provider).
Face Verification Service (FVS): a one-to-one image-based verification service that can match a person’s photo against an image on one of their government records, such as a passport photo, to help verify their identity. Often, these transactions occur with the individual’s consent.9
Face Identification Service (FIS): a one-to-many image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity. Access to the FIS will be restricted to agencies with law enforcement or national security related functions.10
Boston Consulting Group has estimated that digital identity could save $11 billion annually ‘through reduced cost to serve, cost of fraud and improved customer experience’.11 Deloitte Access Economics has estimated ‘productivity and efficiency savings of $17.9 billion over 10 years (if we reduce the number of transactions completed via non-digital channels from 40 percent to 20 percent)’.12Identity crime is estimated to cost over $2.2 billion annually and affects one in five Australians during their lives.13While the government estimates that it costs $17–20 each time someone tries to prove their identity to access a service, the cost of doing so digitally is somewhere between $0.40 and $2.00.14 Various different schemes are already operational in places such as New Zealand (RealMe), the UK (GOV.UK Verify), India (Aadhaar), Estonia (ID-card), Sweden and Norway (the last two have separate systems, both called BankID).
Digital identity, properly applied, should significantly improve users’ experiences when they deal with the public and private sectors. In 2015, 61% of Australians said they had used the internet for their most recent dealings with local, state or federal government, but only 29% were satisfied with their experience, and 58% encountered some problem with the online service. ‘The most common issue was that the process was long or difficult (21%). 15% had technical difficulties and for 13%, the service they needed was not available online. 11% couldn’t remember their user name or password.’15 Digital identity should help significantly to alleviate these problems.
Meet Digital iD and GovPass
The Australian Government is building two competing digital identity schemes. The first one, known as Digital iD, is already operational. It has been developed by Australia Post, an Australian government-owned corporation, at an estimated cost of $30–50 million.16The second is GovPass, a scheme being developed by the DTA.
Australia Post’s Digital iD now has a product team actively selling access to the private sector. This identity service is already accepted in licensed venues in the Australian Capital Territory, the Northern Territory, Queensland, Tasmania and Victoria, and by companies such as Travelex and Airtasker.17For individual users, the scheme is free of charge.
To function, Digital iD uses Australia Post’s access to government identity databases as well as private-sector databases, such as credit header records, and postal records. Creating a digital identity is quick and is done over the Digital iD app.18It essentially involves verifying your mobile number by entering a code sent to your phone and taking a photo of an identity document (driver’s licence, passport or Medicare card), which is checked against the government databases.
To validate your ID on, say, Airtasker, you click ‘connect’ and input your mobile number, and that sends an alert to your phone (Figure 1). Once you open the app, you’re notified that Airtasker would like to connect and are offered the option of ‘connect’ or ‘cancel’. If you hit ‘connect’, you’re notified that Airtasker is requesting confirmation of your identity plus your date of birth and name, giving you the option to ‘allow’ or ‘cancel’.
Figure 1: Using Digital iD to engage with AirTasker
Parallel to the Australia Post scheme, the Digital Transformation Office (now the DTA) was given the task of developing a second scheme, known as GovPass.19 Underway since 2016 (Australia Post’s foundational research on digital identity was also released in 201620), the scheme was initially intended to start public beta testing in mid-2018, but has been delayed.21 It finally secured $92.4 million in funding in the 2018–19 Budget22 to create the infrastructure that will underpin GovPass and roll out the scheme, initially for grants management, the My Health Record, Youth Allowance, business registration, NewStart, the Unique Student Identifier and tax file numbers. The government aims to roll out pilot services to half a million users by the end of June 2019.23
DHS will operate the exchange or gateway between the services and identity providers, the ATO will be the initial identity service provider,24 and the DTA will oversee the program. DHS will be the scheme administrator and the operator of the interoperability hub that will provide access to verification services run by or on behalf of other government agencies. Australia Post will be seeking accreditation as an identity provider (alongside the ATO), in addition to maintaining its existing Digital iD system. The range of actors involved in GovPass and the complexity of the model will make it difficult to deliver the project on time and without incident.
Digital iD is distinguished from GovPass mainly by the fact that it isn’t a federated model (Australia Post is the only entity through which you can verify your identity for Digital iD). It’s envisaged that multiple entities could provide this service under the GovPass scheme, giving consumers choice about which entity they use to prove their identity.
Some companies, such as Mastercard (and likely others) through its My Digital Life program, are positioning themselves to facilitate access to the rich data pools that the digital identity service will enable by serving as a platform through which third-party attribute vendors can sell data on individual Australians. If poorly regulated, these sorts of schemes could create serious privacy issues involving third-party data access. An indicator of this can be seen in the controversy over Facebook providing personal data to third-party organisations, including Cambridge Analytica. (Australia Post isn’t selling access to personal information; rather, companies that use Digital iD to verify their customers’ identities are being enabled to easily gather related data, such as purchase history, location and so on, and link it to a confirmed individual identity.)
A key enabler for both schemes will be the FVS, which will be vital for higher level identity checks that are required for transactions requiring greater confidence that someone is who they say they are, such as creating tax file numbers (Australia Post’s existing scheme currently performs lower level checks using biographic data). This was made possible by the Intergovernmental Agreement on Identity matching Services.25The agreement essentially enabled the federal, state and territory governments to share access to their databases of government-issued photographic identity documents (such as driver’s licence and passport databases) for a broad range of applications spanning road safety, law enforcement and identity checking. For identity checking, this will simplify the process of confirming identity, and the photos will enable higher levels of identity assurance. The FVS’s creation is enabled by the Identity-matching Services Bill 2018, which at the time of writing is still before the House of Representatives.26
As with the Australia Post scheme, it’s envisaged that the private sector will be able to rely on GovPass for identity checking in future. An example of how this would work is Australia Post’s Digital iD, which is already used by Australia’s largest credit union, CUA, for new members applying for some CUA accounts online or via their mobile devices. This allows accounts to be created in minutes without visiting a branch.27
Challenges
The take-up by individuals of digital identity schemes will require the government to overcome challenges in the areas of communication, rights protection, limit setting, coordination, commercialisation and security.
Communication
In all discussions about GovPass, the Australia Card experience looms large, and GovPass has been designed to deliberately distinguish it from previous efforts. The Australia Card was proposed by Prime Minister Bob Hawke in 1985 and eventually led to a double dissolution election before the proposal was dropped. Other failures also overshadow the rollout of GovPass. In 2006, Prime Minister John Howard made another attempt with the Access Card,28before it too was shut down by the new Rudd government in 2007.
The government’s own polling suggests that it’s right to be fearful of scaring the Australian public.
Sixty-nine per cent of Australians are more concerned about their online privacy than they were five years ago. A majority (58%) of Australians are ‘somewhat concerned’ or ‘very concerned’ about biometric data being used to gain access to a licensed pub, club or hotel (although that percentage is down from 71% in 2013), and 56% are concerned about using biometric information for day-to-day banking and 43% for boarding flights.29 Only a third of Australians are comfortable with the government sharing their personal information with other government agencies, and only 10% are comfortable with businesses sharing their information with other organisations.30 The controversy over police access to the My Health Record and the need to add further privacy protections in that scheme also point to heightened public awareness and concern about digitisation processes, including about losing control of personal information that might be used to cause harm.31
The DTA has issued regular updates on the progress of the GovPass scheme, but, with few exceptions, the updates haven’t been brought to the public’s attention by leaders,32 and there’s been very little discussion of the scheme in the media. When the Council of Australian Governments (COAG) announced the key underlying agreement to share identity information and create a national biometric exchange system, the focus was placed on the counterterrorism potential of the biometric database, not the broad digital identity possibilities for the Australian population. As the then Prime Minister said at the time, ‘Imagine the power of being able to identify, to be looking out for and identify a person suspected of being involved in terrorist activities walking into an airport, walking into a sporting stadium … This is a fundamentally vital piece of technology.’33
Ending the erosion of rights
The shift to a digital world is eroding citizens’ rights. With each new digitisation initiative, people are forced to trade off more of their rights for the convenience offered. Repeatedly, they’re assured that everything’s fine, only to discover that they’ve been hoodwinked. ‘Opt in’ becomes ‘opt out’. ‘Safe and secure’, it’s later discovered, means warrantless police access. Over time, people are being disempowered, but these initiatives could have the opposite effect if properly implemented and communicated.
Instead of thinking about how digital identity can solve a departmental problem and focusing narrowly on users’ experience in that context, a citizen-centric perspective is needed. In a citizen-centred society, the role of government should be as the custodian of citizen data—guaranteeing its security and integrity and the citizen’s inviolable rights to and control of their data.34
For government, this requires an overhaul in approach. What’s needed is a root-and-branch review of how citizen protections can be made fit for purpose in the 21st century and of opportunities to take advantage of digitisation to simplify the web of rules that we created for our paper-based society. Those rules are often needlessly complicated due to misaligned incentives between competing bureaucracies and rent-seekers who have fed off complexity. The Australian Treasury’s ‘consumer data right’35 is a step in the right direction to empower citizens, but a far more holistic approach is needed.
Clearer limits are needed
The creation of the FVS and FIS is enabled by the Identity-matching Services Bill 2018, but loose drafting leaves so much scope for unexpectedly broad use of the FIS (for law enforcement purposes) that it risks public backlash against the FVS (which is critical for identity matching). As the backlash against My Health Record demonstrated, sharing without consent is almost certain without well-crafted policy and legislation that’s accompanied by an effective public communications campaign.
An important provision of the COAG agreement that establishes the national biometric exchange system is that it can only be used for ‘general law enforcement’ purposes when suspected offences carry ‘a maximum penalty of not less than three years imprisonment’.36This key provision is missing from the Identity-matching Services Bill.
In practice, this will mean that for requests between jurisdictions (for example, a NSW agency checking a Victorian’s identity), the three-year-penalty rule agreed by COAG would need to be spelled out in interagency agreements. If NSW police wanted to check a photo of a suspect they would need to log the crime the person was suspected of (carrying at least a three-year prison sentence) and then run the check. It’s also possible that they could still run the check if the crime carried at least a three-year penalty in NSW, but less than a three-year sentence in Victoria.37
For intrastate biometric identity searches (such as NSW police searching NSW databases), it’s up to individual states to set any limits on what state police could use the federally run system for (that is, it could potentially be applied to any petty offence). Without clearer restrictions, the FIS in particular is open to serious misuse, especially given the Bill’s stated purpose of allowing it to be used for ‘preventing’ crime.
The parliamentary reviews of the legislation raised multiple concerns about the Bill that are beyond the scope of this paper but point to the need for far tighter controls.38
Competing government schemes and lack of oversight
It’s unfortunate that Australia has ended up with two taxpayer-funded digital identity systems. How this competition will play out is still to be seen. However, given the differences between the schemes and the groups behind them, it’s possible to foresee how it might evolve.
GovPass may dominate for government-linked identity checks, and Digital iD for private-sector identity checks. Australia Post is far more entrepreneurial than most government agencies, and if its scheme continues to operate without dedicated legislation it will also be more attractive to private-sector clients (the private sector’s ability to verify identity using GovPass is likely to be more restricted). Another potential advantage Australia Post might enjoy is working to achieve some degree of global harmonisation by working with other international postal services’ digital identity systems39 (although the DTA is considering similar international harmonisation for GovPass40).
While the Identity-matching Services Bill governs the use of the biometric FVS, it isn’t specifically focused on regulating the GovPass scheme. It’s yet to be decided whether dedicated legislation to cover GovPass will be developed. Given the sweeping applications of the scheme and open questions on issues such as liability, potential for misuse and privacy concerns, legislation is needed for both GovPass and Digital iD.
Commercial applications
Both digital identity schemes offer significant potential benefits for the private sector. If used, they should reduce identity fraud and theft. Some 69% of Australians are concerned about becoming victims of those crimes,41which cost the Australian economy billions of dollars. The schemes will also make it much easier for consumers to transact with businesses and have the potential to better control and manage personal data.
Digital identity will also allow more limited sharing of personal information. At present, most identity checks involve an over-sharing of personal information. The person selling you a beer doesn’t need to know your name, home address, driver’s licence number, or even your date of birth. They just need a yes/no answer that you are 18 years old or older.
However, without safeguards, digital identity opens up the possibility of serious misuse. With digital identity, the shop assistant selling you alcohol might see less of your personal information but, because they are able to confirm who you are, your purchase information could be on-sold to interested parties, such as your health insurer (affecting your premium) or DHS (affecting your cashless debit card payments). The DTA has advised that it’s currently considering establishing an oversight authority, oversight rules, or both, that would seek to prevent the on-selling of data the gathering of which is facilitated through digital identity verification.42This sort of oversight is critical for both GovPass and Digital iD.
As we move to a world where identity can be confirmed easily and cheaply, it opens up the possibility of building up profiles of individuals. If digital identity becomes the de facto way to buy alcohol, log on to social media, buy tickets, travel and shop, all of the data that those transactions collect (such as where you are, how much you spend, what you buy and what you look at) can be linked to an individual identity and sold (via your agreement in fine-print terms and conditions) to a third-party profile builder.
Commercial operators are already exploring this possibility. Mastercard (and no doubt competitors), for example, is considering using Australia as the first country to test and deploy its My Digital Life program. This will be a platform through which third-party ‘attribute vendors’ can confirm different attributes of individual consumers, many of which will be enabled via digital identity. For example, when you engage with a company you have never dealt with before, the company might request half a dozen attributes about you via the My Digital Life app to improve its confidence that you will be a good customer to engage with or are worth offering a higher level of customer service. This might include confirming that you have a perfect credit score, that you always pay your bills on time, that you never gamble, that you purchase fewer than 20 standard drinks of alcohol each week, that you give at least $1,000 a year to charity and that you volunteer. With your consent, My Digital Life will then request confirmation of those attributes from the third parties who have collected this information to on-sell via platforms such as My Digital Life and will send the results to the requesting company.
The private sector has been a leader in the development of ‘know your customer’ best practices and privacy protections, and some sharing of attributes (such as credit scores, police checks, speciality licences and working with children certificates) may facilitate commerce and community engagement. However, without tighter constraints, the potential applications of Westernised versions of China’s social credit scheme could seriously encroach on basic rights.
Security
It’s difficult to provide detailed cybersecurity risk assessments of GovPass (which is still being designed) and Digital iD (for which detailed architectural designs aren’t available). However, one area where risks are likely is in spoofing the FVS. Researchers in the US have demonstrated that wearing specially designed eyeglass frames ‘can effectively fool state-of-the-art face recognition systems’.43Technical means to overcome these immediate challenges are likely to emerge, but this demonstrates that biometrics won’t be a panacea for identity fraud.
More broadly, this ASPI policy brief has identified several issues of concern, including the security risks presented by having multiple identity providers, each of which will need to maintain rigorous security standards, as well as the potential for the schemes to be used to facilitate vastly more ambitious profile building of Australians. There also appears to be no legislative impediment to the ATO using its existing powers to use the GovPass exchange to request information that would allow for data matching—something likely to attract public concern. Data from the ATO-run MyGovID identity service portal could be used to match a particular user with other government services. The DTA exchange is designed at a technical level to resist an identity provider trying to do this sort of matching but won’t stop an authority with legislative power to demand the data.
A range of other security-related issues remain open. If either or both of the schemes are widely adopted, it’s unclear whether companies could mandate the use of them (for example, for online banking), making them de facto compulsory. It’s also unclear whether companies that have traditionally not required validated identity checks could start to do so. For example, companies such as Facebook that have a real-name policy could adopt mandatory digital identity verification for Australian users to enforce that policy.44
Opportunity ahead
Despite the challenges, digital identity is critical for a 21st-century economy. Done properly, it will allow citizens to enhance their privacy by sharing less personal information and save time by doing more things online with less hassle. If it’s accompanied by an overhaul of citizens’ rights, it could put Australians back in charge of their online lives, allow them to monitor and easily contest inappropriate uses of their data, and remove unnecessary regulatory and legislative complexity as the shift from offline to online proceeds.
Features of GovPass
User-centred design: User-centred design is a key principle for GovPass, and the program is being developed in accordance with the Digital Service Standard, which aims to ensure that digital teams build government services that are simple, clear and fast.45In addition, the TDIF has a component dealing with usability and accessibility requirements that government agencies and organisations need to meet in order to be accredited under the TDIF.
Privacy: The GovPass platform’s conceptual architecture is designed to be consistent with ‘privacy by design’ principles. Personal information that’s essential to provide the requested service will be collected and used with informed consent.46 Govpass has been designed as a federation of identity providers and an exchange using ‘double-blind’ architecture. Having the exchange means the service doesn’t see your identity documents, the identity provider doesn’t know what service you’re accessing, and your identity attributes aren’t stored centrally. The exchange merely passes those attributes on to the service. It doesn’t retain the attributes, but only some logs to record what occurred. The DTA advises that its research suggests that there’s community demand for multiple identity providers so citizens have choice for different transactions (for example, using a government provider for government transactions and a private-sector entity for commercial transactions).
Express consent: The GovPass program has been explicitly designed to be ‘opt in’ for users, although other schemes such as My Health Record have transitioned from ‘opt in’ to ‘opt out’. The exchange will be the vehicle for a user to express consent. Once a user has established their identity through an identity provider, the exchange will ask them to consent for their attributes to be passed to the requesting service (relying party). Unless the user gives explicit consent, the attributes can’t be passed on.
Recommendations
1. Accompany the introduction of digital identity with an overhaul of online citizens’ and consumers’ rights.
In democracies, governments exist to serve the citizenry, so it’s only logical that the citizen be placed at the centre as far-reaching schemes such as digital identity are introduced. Helpfully, this will also provide the most important ingredient needed for the success of digital identity: trust.
The government should conduct a root-and-branch review of how citizen protections can be made fit for purpose in the 21st century and of opportunities to take advantage of digitisation to simplify rules created for our paper-based society. This should include ensuring that minimum security baselines and rules for data use are maintained, regardless of who has custody of the information (government or the private sector).
The review should look at reforms that provide citizens with easy and meaningful control over their data. It should consider providing citizens with an online log every time their personal information is accessed by any arm of government or the private sector, and with a one-click process for contesting any access they believe may be unauthorised. It should allow citizens to decide who can access different components of their data (such as individual records) and provide strong default settings to protect those who don’t bother to adjust their settings.
The Privacy Act should be amended, including to create a principle that all digital identity checks gather only the minimum necessary personal information and where possible in de-identified ways (such as via yes/no answers for proof-of-age verification, rather than date of birth transmission).
2. Communicate with the public about the schemes and the accompanying rights overhaul.
After announcing a review to strengthen online citizen protections, the government should lead a national debate on the benefits of digital identity schemes, including by outlining medium- to long-term plans for the schemes and the strengthened protections that citizens will receive to guard against encroachments on their rights. This should include the production of an issues paper that clearly sets out the major implications and long-term plans for digital identity. The paper should be followed up with traditional consultation mechanisms, such as town hall meetings, industry round-tables and media engagement.
3. Place both Digital iD and GovPass under legislative oversight and protect both schemes from overreach. Expressly prohibit ‘social credit’ schemes that are facilitated by government-enabled digital identity checking.
Given that Digital iD and GovPass rely on government identity databases to operate and have far-reaching applications, both schemes should be brought under dedicated legislative oversight. The legislation should place strict limits on information about individual citizens that can be gathered through the use of digital identity verification and on-sold. The development of social-credit-style schemes should be expressly prohibited.
4. Explore options to join the schemes.
Opportunities should be explored to avoid duplication between the two schemes. This could include reviewing whether Australia Post’s already operational scheme could be adopted as a national scheme (and GovPass scrapped, although keeping the existing FVS), or strengthened sufficiently so that it is suitable by drawing on the TDIF. At a minimum, Australia Post should replace the ATO as the government identity provider under the GovPass scheme. This would be consistent with one of the DTA’s own core procurement principles of avoiding duplication by not building platforms that other agencies have already built.47
5. Apply stricter and clear limits on the use of biometrics at the federal, state and territory levels.
The governance of the FIS is largely beyond the scope of this paper, but is still relevant because current overreach threatens to undermine the digital identity schemes. Parliamentary inquiries into the Identity-matching Services Bill have exposed a litany of shortcomings, including inadequate privacy protections, insufficiently precise drafting, potential for overreach, and the key issue that Australians never consented to having their photographs for government identity documents repurposed for use in the biometric identity matching services now being contemplated.
Identity matching uses a relatively benign one-to-one match of a particular user’s photo against a reference photo via the FVS (although, as this policy brief has outlined, it could still be seriously misused if sufficient controls aren’t in place). The FIS is a one-to-many match of an unknown user against millions of possible matches, which has far-reaching privacy implications and the potential for serious misuse and expansion into many-to-many matching by adjusting the way the FIS works. Specific recommendations to strengthen the Identity-matching Services Bill have been provided in a separate submission to the Parliamentary Joint Committee on Intelligence and Security.48
6. Establish a national taskforce.
Discussions with government agencies working on different applications of face-matching services, which include the FVS and the FIS, suggest that second- and third-order consequences of different aspects of the schemes haven’t been considered because they fall outside specific agency or department remits. Developments at the state and territory level and within the private sector also need to be considered as part of a national approach that puts citizens at the centre. A taskforce (federal, state and territory) that includes key private-sector and civil society actors should be established to ensure that whole-of-nation implications are considered and addressed.49
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission.
Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.
First published October 2018
Cover image: Illustration by Wes Mountain. ASPI ICPC and Wes Mountain allow this image to be republished under the Creative Commons License Attribution-Share Alike. Users of the image should use this sentence for image attribution: ‘Illustration by Wes Mountain, commissioned by ASPI’s International Cyber Policy Centre’.
Michael Keenan, ‘Delivering Australia’s digital future’, address to the Australian Information Industry Association, 13 June 2018. Angus Taylor, ‘National standards to support government digital ID’, media release, 5 October 2017. Sara Howard, Unlocking up to $11 billion of opportunity, Australia Post, 5 December 2016. ↩︎
Angus Taylor, ‘What a Govpass digital ID would look like for Australians’, media release, 17 October 2017 ↩︎
Australia Post, A frictionless future for identity management: a practical solution for Australia’s digital identity challenge, White Paper, December 2016, p. 7 ↩︎
Australia Post, Choice and convenience drive ‘digital first’ success, Insight paper, November 2016, p. 5 ↩︎
One-off versions can also be created on the Australia Post website. ↩︎
Rachel Dixon, ‘Digital identity: early days in the discovery process’, DTA, 8 March 2016 ↩︎
Australia Post, Digital identity white paper: a single digital identity could unlock billions in economic opportunity, no date ↩︎
Taylor, ‘National standards to support government digital ID’. ↩︎
Australian Government, Budget 2018–19: Budget strategy and outlook, Budget paper no. 1, 2018–19, pp. 1–22 ↩︎
Keenan, ‘Delivering Australia’s digital future’. Level 2 identity verifications don’t require biometric verification. Four of the eight services being developed require a Level 2 identity verification and therefore aren’t dependent on the FVS. ↩︎
Keenan, ‘Delivering Australia’s digital future’. ↩︎
OAIC, Australian community attitudes to privacy survey, 2017, p. ii. ↩︎
Dana McCauley, ‘Health Minister backs down on My Health Record’, Sydney Morning Herald, 31 July 2018 ↩︎
Keenan, ‘Delivering Australia’s digital future’. ↩︎
Karen Barlow, ‘Turnbull dismisses privacy concerns in asking for a national facial recognition database’, Huffington Post, 4 October 2017 ↩︎
See David McCabe, ‘Scoop: 20 ways Democrats could crack down on Big Tech’, Axios, 30 July 2018 ↩︎
The Treasury, Consumer data right, Australian Government, 9 May 2018 ↩︎
COAG, Intergovernmental Agreement on Identity Matching Services, p. 12. ↩︎
There’s provision in the COAG agreement to review this after the first 12 months of operation; COAG, Intergovernmental Agreement on Identity Matching Services, section 4.25. ↩︎
Parliament of Australia, Identity-matching Services Bill 2018. ↩︎
Sara Howard, A world without borders, Australia Post, 19 December 2016 ↩︎
Asha McLean, ‘DTA considering international “brokerage” of digital identities’, ZDNet, 9 February 2018 ↩︎
OAIC, Australian community attitudes to privacy survey, 2017, p. 33. ↩︎
The potential oversight authority would have legal authority to enforce operating rules and the TDIF on participants of the identity federation. The operating rules would set out the legal framework for the operation of the identity federation, including the key rights, obligations and liabilities of participants (including relying party services). ↩︎
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, Michael Reiter, ‘Accessorize to a crime: real and stealthy attacks on state-of-the-art face recognition’, CCS 16, 24–28 October 2016, Vienna, p. 12 ↩︎
‘What names are allowed on Facebook?’, Facebook, 2018 ↩︎
DTA, Digital sourcing framework for ICT procurement, Australian Government, no date. ↩︎
Parliamentary Joint Committee on Intelligence and Security, Review of the Identity-matching Services Bill 2018 and the Australian Passports Amendment (Identity-matching Services) Bill 2018, ‘Submissions received by the committee’, submission no. 18↩︎
GovPass has a steering committee that reports to the Digital Leadership Group and is exploring how to broaden the group. ↩︎
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/03/13094523/Preventing-another-Australia-Card-fail_staticbanner.png24803508nathanhttps://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/04/10130806/ASPI-Logo.pngnathan2018-03-18 06:00:312025-03-13 10:08:41Preventing another Australia Card fail
Europe and Australia are connected in many ways. As liberal democratic societies, they share a common normative foundation of values that set the parameters for what the state may or may not do.
Based on that background, in September 2017 a delegation from Australia composed of practitioners, policymakers and academics travelled to Germany and Belgium to participate in the 3rd Australian Strategic Policy Institute – Konrad Adenauer Stiftung Australia–Europe Counterterrorism Dialogue, entitled Transforming the New Threat Landscape.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/17211821/E1BAP1-1_Hi-Res.jpg7441608nathanhttps://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/04/10130806/ASPI-Logo.pngnathan2018-02-27 06:00:002025-03-06 16:43:593rd Australia-Europe Counter-Terrorism Dialogue: ‘Transforming the New Threat Landscape’
This Strategic Insight aims to expand on Paul Dibb and Richard Brabin-Smith’s powerful, provocative paper, Australia’s management of strategic risk in the new era. Dibb and Brabin-Smith, two of Australia’s leading strategic thinkers, examined China’s growing assertiveness in our region. Here, I look beyond our region and beyond China’s One Belt, One Road Initiative (BRI) to highlight how China is expanding its influence in Africa and the Middle East. I examine some selected cases, such as Zimbabwe, Israel, Turkey and Iran. I also try to situate the BRI in President Xi Jinping’s grand strategy.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/17210850/China-shipping-line-scaled.jpg12802560nathanhttps://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/04/10130806/ASPI-Logo.pngnathan2018-02-13 06:00:002025-03-06 16:52:55Understanding the BRI in Africa and the Middle East
In this compendium examining the France–Australia relationship, we have brought together experts from each country to explore our shared histories and plot a course for where we might take the relationship in the future. Each section examines a different aspect of the relationship—historical, international security, defence and the South Pacific—from a French and an Australian perspective. The experts brought together in this volume cover a breadth and depth of knowledge and experience as officials, academics and practitioners.
What emerges is a rich and complex picture of two vibrant and activist countries, grappling with complex problems, but each determined to contribute to making the world safer and more just. At a time when the international order appears under threat, the willingness of our two countries to continue to commit to the global rule of law and strengthening the liberal order and respect for human rights is both heartening and vital.
It’s also clear, however, that maximising the benefits of the bilateral relationship requires a strategic plan and practical commitment to getting things done. This compendium is a contribution to enhancing the relationship so that it can truly be more than the sum of its parts and we can navigate confidently through the decades to come.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/17205922/operaHouse-tricolour.jpg4501350nathanhttps://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/04/10130806/ASPI-Logo.pngnathan2017-12-20 06:00:002024-12-17 21:03:22More than submarines: New dimensions in the Australia–France strategic partnership
Diasporas are global social formations of people who have been scattered from their country of origin. They carry with them a collective representation, myth or imagined sense of their homeland. The connection between the diaspora and its members’ original ‘home’ was, until the rise of social media, sustained by letters, tapes and print media.
E-diasporas originally emerged as online manifestations of diaspora communities. Although social media are just some of many technologies used by people to communicate, their rise has intensified the articulation and elaboration of diasporic identities several-fold.
With social media, e-diasporas recreate and expand a diaspora’s sense of shared identity and community by providing a virtual venue for affirmation and recognition.
Today, e-diasporas are combinations of self-interest and identity groups that share experiences through online media. The members share their country of origin and, at times—depending on the size of the community—their host country.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/15105839/SR113_eDiasporas_banner.jpg4501350nathanhttps://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/04/10130806/ASPI-Logo.pngnathan2017-12-13 06:00:002024-12-15 11:02:52The virtual meets reality: Policy implications of e-diasporas
The reality of the world we live in today is one in which cyber operations are now the norm. Battlefields no longer exist solely as physical theatres of operation, but now also as virtual ones. Soldiers today can be armed not just with weapons, but also with keyboards. That in the modern world we have woven digital technology so intricately into our businesses, our infrastructure and our lives makes it possible for a nation-state to launch a cyberattack against another and cause immense damage — without ever firing a shot.
Even though it may use the same tools and techniques, cyber espionage, by contrast, is explicitly designed to gather intelligence without having an effect—ideally without detection. The Global Commission on the Stability of Cyberspace has commissioned ASPI’s International Cyber Policy Centre to do further work on defining offensive cyber capabilities.
