The Internet of Insecure Things

Introduction

The Internet of Things (IoT) is the term used to describe the growing number of devices being connected to the internet. Some of the more common IoT devices include home appliances such as Google Home, wearable devices, security cameras and smart meters. It’s been predicted that the number of connected devices was close to 8.4 billion in 2017 and that there will be over 20 billion devices connected by 2020.1 Even though the IoT has been developing since the rise of the internet in the early 1990s, there’s no universally accepted definition. Kevin Ashton, who coined the phrase in 1999, says the IoT is much more than just connected appliances and describes it as a ‘ubiquitous sensor network’ in which automation leads to innovation.2 While there are some justifiable cybersecurity concerns about the IoT, there are also many notable advantages to living in a connected world. The IoT is saving lives through advanced healthcare technology, manufacturers are saving time and money through automation and tracking, and a plethora of home devices are adding value to people’s lives by providing a range of different services.

There are many different ways to categorise IoT devices, which makes safeguarding the technology challenging. The IoT can be dissected by industry, such as healthcare, transport, manufacturing and consumer electronics. One major subcategory of the IoT has earned its own acronym: the industrial IoT (IIoT), to which control systems belong. Another way of categorising devices is by looking at their individual capabilities. Devices that can take action pose a different threat from devices that simply collect data to report back to the user.

The IoT offers benefits to all industries, but the connectivity of these once isolated things also introduces new vulnerabilities that can affect our homes and industries. While it promises convenience and efficiency, the IoT is also a problem because a vast number of internet-connected devices with poor default security create a large attack surface that bad actors could take advantage of for malicious ends. A variety of international organisations and government groups are working on issues pertaining to the IoT, but at present there’s no coordinated vision to implement standards for the IoT on a global scale. Similarly, in Australia, a host of different cyber agencies and industrial groups are working to overcome some of the cybersecurity issues that the IoT presents, but a coordinated strategy detailing how government and industry can collaborate on the IoT is needed.

This issues paper aims to give a broad overview of IoT issues to increase awareness and public discussion on the IoT.

In December 2017, ASPI’s International Cyber Policy Centre produced a discussion draft asking stakeholders key questions about IoT regulation, governance, market incentives and security standards to help inform this issues paper. We received responses from government, industry representatives, technical experts and academics. While those stakeholders were consulted in the research phase of this paper, the views here are those of the authors.

THREAT TO CRITICAL INFRASTRUCTURE

In 2016, a severe storm disrupted crucial services in South Australia, resulting in a loss of power for 850,000 customers.3 Trains and trams stopped working, as did many traffic lights, creating gridlock on flooded roads. The storm, together with the failure of backup processes, resulted in the death of a number of embryos at a fertility clinic in Flinders Hospital.4 The total cost for South Australian businesses as a result of the blackout was estimated to be $367 million.5

Some have noted that, due to the interconnectedness of infrastructure, this event mirrored the potential effects of a large-scale cyberattack.6

Disrupting utilities that power an entire city could cause more damage than traditional terror tactics and can be done externally and with more anonymity.

Again, severe storms demonstrate that a loss of power can cause more deaths than the physical destruction of infrastructure.

When Hurricane Irma caused the air conditioning at a Florida nursing home to fail, 12 residents died of suspected heat-related causes.7

Digital weapons are being used intentionally by nation-states to inflict physical destruction or compromise essential services. The now infamous attack on Iran’s nuclear program, known as Stuxnet, used infected USB drives to contaminate computer systems with malware,8 which caused physical damage to a number of uranium centrifuges.9 In 2015, hackers used stolen user credentials to attack a Ukrainian power grid, which resulted in loss of power for more than 230,000 people.10 In 2016, the attackers used malware specifically designed to attack Ukraine’s power grid to disrupt the power supply to Kiev. This indicates that malicious actors have both the resources and the intent to develop cyberattack capabilities targeted at essential services.11

The IoT overlaps with critical infrastructure because many control systems are also now connected to the internet. Kaspersky researchers found more than 3,000 industrial control systems in Australia by using the Shodan and Censys IoT search engines.12 Studies have also revealed vulnerabilities in control systems made by major vendors, such as Schneider Electric and Siemens.13

In the discussion version of this paper, several respondents expressed the view that a separate cyber organisation focusing specifically on the security of critical assets and services would be unhelpful. However, many acknowledged a need for greater collaboration between those responsible for protecting these assets to help mitigate IoT-related threats.

The Australian Cyber Security Centre (ACSC) could seek to increase coordination between owners and operators of critical assets, helping with the technical aspects of adopting voluntary industry standards for the IoT. The ACSC has the technical expertise to participate in the formation of international standards and could work with policy experts in the Department of Home Affairs to encourage national adoption.

THE CYBER LANDSCAPE IN AUSTRALIA

The cyber landscape in Australia is complex. Government cybersecurity responsibilities have recently been reorganised through the establishment of the Department of Home Affairs and structural changes to the Australian Signals Directorate and ACSC. Getting a clear picture of roles and responsibilities was difficult, and it would be beneficial to identify any gaps in roles and responsibilities after these recent organisational changes have been properly implemented. Industry roles could be identified in an IoT road map that helps industry and government bodies work together to more effectively mitigate IoT threats. Consumers should be educated on cybersecurity and responsible ownership of IoT devices, including patching and updating, building on initiatives such as Stay Safe Online.

The IoT has exacerbated an already confronting problem: the lack of skilled cybersecurity professionals both nationally and globally.

The Australian Cyber Security Growth Network estimates that a further 11,000 skilled experts will be needed in the next decade.14 In January 2018, the network announced that cybersecurity qualifications will be offered at TAFE institutions around Australia, which is a significant step forward.15 However, cybersecurity is a broad domain that requires not only workers with technical skills but also experts in risk management and policymaking, among other areas. Advances in automation and data analytics could also help to address the skills shortage: by replacing technical jobs in other areas, those technologies could increase the pool of people available to work as cybersecurity experts.

We need to think about IoT security as a holistic system that combines practical skills-based training with industry best practice. The under-representation of women in cybersecurity has been widely noted, and overcoming it was listed as a priority in Australia’s Cyber Security Strategy.16 The government has conducted research to better understand the issue and is running workshops to help increase participation.17

SECURITY RATINGS AND CERTIFICATIONS

A number of countries, including Australia, are considering the value of security ratings for IoT devices. In October 2017, Dan Tehan, the then Minister Assisting the Prime Minister on Cybersecurity, suggested in a media interview that such ratings should be created by the private sector, not by the Australian Government.18 The UK Government is also exploring ‘how to encourage the market by providing security ratings for new products’, as outlined in its National Security Strategy.19 Introducing a product security rating for consumer electronics has the potential to improve awareness of cybersecurity issues and to encourage industry to adhere to minimum security standards. But whether the ratings should be initiated by government or industry is only the beginning of the issue, as there are several problems with cybersecurity ratings that need to be addressed.

First, the vulnerability of an IoT device could potentially vary over its lifetime as weaknesses are discovered and then patched. The energy efficiency of a refrigerator or washing machine, by contrast, is relatively fixed, and so energy-efficiency ratings can be trusted over the device’s lifetime. With IoT devices, new vulnerabilities are constantly being exposed. At best, a security rating would reflect the security of a device based on the information available at the time of the security assessment. It would need to be adapted as security standards evolve and new vulnerabilities are discovered.

Second, it’s worth investigating whether a cyber rating could lull consumers into a false sense of security by negating their own role in protecting themselves from attack. Before implementing a security rating system, we need to research whether purchasing a device that claims to be secure could make consumers less likely to install updates or change default passwords.

Third, as mentioned in the introduction of this report, there’s considerable variation in IoT products. A Jeep Cherokee and a baby monitor (both of which have been compromised) present vastly different dangers, but the compromise of either can have serious consequences. While all IoT devices should include baseline security features in the design phase, devices deemed to be high risk should also require commensurately robust security features. Burdening otherwise cheap, low-risk devices with expensive certifications or strict security regulations, however, could make them commercially unviable in Australia. It’s important to recognise that it will be challenging and expensive to come up with a rating that appropriately addresses all the different categories of IoT devices.

In 2018, the IoT Alliance Australia (IoTAA) is prioritising the introduction of an ‘IoT product security certification program’ as a part of its strategic plan.20 Exactly what this will look like remains unknown, but it’s likely to be performed by accredited independent bodies that evaluate products based on security claims. The Australian Information Industry Association recommends an accreditation scheme that would also certify organisations making IoT devices. The authors’ view is that some manufacturers (for example, Samsung) make so many products that this would be ineffective as a stand-alone tactic, but this idea could be used in collaboration with an individual product rating.

REGULATION AND STANDARDS

Regulation and standardisation are at the forefront of the IoT debate, and positions tend to be polarised, as reflected in the responses to our discussion draft. The respondents acknowledged that regulation isn’t always effective and can impose a significant cost, but some also said that there’s potentially room for government to play a more direct role if a device is deemed to provide a critical service to the community. Some industries, such as transport and healthcare, already have safety standards addressing a wide range of security concerns; those standards need to prioritise current and emerging cybersecurity threats.

Multiple IoT-related bills introduced into the US Congress last year exemplified some of the legislative attempts to enforce IoT security by way of law. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 stresses the importance of built-in security and the provision of security patches,21 while the Cyber Shield Act of 2017 seeks to introduce a voluntary certification process for IoT devices.22

While US lawmakers have proposed some government regulation, some in Australia believe that IoT security would be more effectively regulated by industry.

Legislation takes time to introduce and often struggles to keep pace with the quickly evolving technology it seeks to control.

Taking a market-driven approach to IoT security may mean that imposed standards will more rapidly adapt to the changing security climate.

Some classes of IoT devices, however, present little threat to their owners, but their poor security allows them to be co-opted in ways that can be used to harm other internet users or internet infrastructure. This is similar to a widget-making factory that causes air pollution; the factory owner and widget buyer both benefit from lower costs of production and neither has a strong incentive to do the work needed to reduce air pollution, as that would raise costs. In economics, this is described as a negative externality, and negative externalities can be effectively dealt with through regulation. The authors’ view is that incentives do not exist for effective industry-led standards to develop, especially for consumer IoT devices.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are the two major global providers of standards. The ISO and IEC have a joint technical committee focusing on information technology and a subcommittee focusing on the IoT and related technologies. Australia is a member of the subcommittee through Standards Australia. ISO/IEC also publishes the 27000 series, a family of standards that addresses information security management systems.23

The European Union Agency for Network and Information Security released baseline security recommendations for the IoT in late 2017.24 Standards have also been developed in Asia, including a draft policy on the IoT by India25 and a general framework by Japan.26 Other organisations working on IoT standards include the IEEE (Institute of Electrical and Electronics Engineers), The Open Group, and SAE International. While a considerable amount of work on IoT standards has been completed, a draft report on the status of global IoT standards by the National Institute of Standards and Technology in the US indicates that there’s a long way to go. The report reveals several gaps in current standards development and implementation, including network security, IT system security evaluation and system security engineering.27 It also highlights the variety of SDOs (standards development organisations) working in this space. There’s currently a need for international consensus on IoT standards and a clear pathway to implementation.

Locally, the IoTAA has drafted multiple versions of IoT security guidelines to help promote secure designs for manufacturers and to support industry in understanding security and privacy issues. The IoTAA has also outlined key focus areas for 2018 in its Strategic Plan to Strengthen IoT Security. Australia also has iotsec, a non-profit start-up that promotes security in IoT devices to help industry and consumers.

While regulation and standardisation are often thought of in a binary way (enforced by either government or industry), the feedback from the discussion draft highlighted the importance of approaching IoT security in a holistic manner, in which government, industry and consumers all play a role. Furthermore, IoT cybersecurity is a problem of global, not national, proportions. Devices sold in Australia are manufactured all over the world. Being only a small proportion of the IoT market, Australia risks becoming a dead-end market if device makers’ security costs outweigh their income from sales. For this reason, any attempt to introduce standards for IoT devices in Australia must be done with a global mindset. The challenge now is to reach international consensus and to encourage manufacturers to adopt the standards. An IoT definition would help to focus global efforts both to secure and to develop the technology and help to articulate its scope.

CONCLUSION

The IoT offers Australia many economic and social advantages and should be embraced and used to benefit all Australians. However, it also introduces new risks and vulnerabilities that our current regulatory systems aren’t necessarily mitigating effectively.

It’s the authors’ view that our current policy and regulatory settings are almost certainly sub-optimal, but effective management of the IoT from a government policymaking perspective requires many difficult trade-offs, and easy answers aren’t immediately apparent. Compromise of traditional ICT devices such as phones and laptops has resulted in the theft of both personal and corporate data. Connecting more devices, such as watches, whitegoods, automobiles and industrial equipment, has intensified this problem and introduced new types of threats. Other incidents of organised crime and terrorism have shown that malicious actors exploit seams in systems, regulation and security.

For this reason, it is imperative that we continue to address gaps in these areas to limit opportunities for the exploitation of IoT devices.

This paper is intended to illuminate some of the issues involved in managing IoT risk so that industry and government can have a robust discussion and work collaboratively to improve the security of IoT devices.

  1. Gartner, ‘Gartner says 8.4 billion connected “things” will be in use in 2017, up 31 percent from 2016’, Gartner.com, 2017, online.
  2. Rain RFID Alliance, ‘RAIN Q&A with Kevin Ashton: RFID and the internet of things’, 2015, pp. 1–4.
  3. Australian Energy Market Operator, Black System, 2017, p. 5.
  4. ‘SA weather: human error to blame for embryo-destroying hospital blackout during wild storms’, ABC News, 23 January 2017.
  5. Business SA, Blackout Survey Results, 2016.
  6. Roger Bradbury, ‘South Australian power shutdown “just a taste of cyber attack”’, The Australian, 2016.
  7. ‘12 of 14 nursing home deaths after Irma ruled homicides’, VOA News.
  8. European Union Agency for Network and Information Security, Stuxnet analysis.
  9. Council on Foreign Relations Cyber Operations Tracker, Stuxnet.
  10. Council on Foreign Relations, Compromise of a power grid in eastern Ukraine.
  11. ‘CRASHOVERRIDE: analysis of the threat to electric grid operations’, Dragos.com, pp. 10–11.
  12. Oxana Andreeva, Sergey Gordeychik, Gleb Britsai, Olga Kochetova, Evgeniya Potseluevskaya, Sergey I Sidorov, Alexander A Timorin, Industrial control systems and their online availability, p. 8.
  13. Sagar Samtani, Shuo Yu, Hongyi Zhu, Mark Patton, Hsinchun Chen, ‘Identifying SCADA vulnerabilities using passive and active vulnerability assessment techniques’, IEEE, University of Arizona, 2016.
  14. Australian Cyber Security Growth Network, Cyber security sector competitiveness plan, 2017.
  15. Australian Cyber Security Growth Network, Australian TAFEs join forces to tackle the cyber security skills gap, 2018.
  16. Australian Government, Australia’s Cyber Security Strategy, p. 53.
  17. Australian Government (PMC), Women in cyber security.
  18. Denham Sadler, ‘Security ratings for IoT devices?’, 2017.
  19. UK Government, National Cyber Security Strategy 2016–2021, 2016, pp. 36–37.
  20. IoT Alliance Australia, ‘Strategic plan to strengthen IoT security in Australia’, 2017 (unpublished material).
  21. Mark Warner, Cory Gardner, Internet of Things Cybersecurity Improvement Act of 2017, 2017.
  22. Cyber Shield Act of 2017, 2017.
  23. ISO, ISO/IEC 27000 family: Information security management systems.
  24. European Union Agency for Network and Information Security, Baseline security recommendations for IoT, 2017.
  25. Department of Electronics and Information Technology, Draft policy on internet of things, Indian Government, 2015.
  26. National Center of Incident Readiness and Strategy for Cybersecurity, General framework for secure IoT systems, Japanese Government, 2016.
  27. National Institute of Standards and Technology, Interagency report on status of international cybersecurity standardization for the internet of things (IoT), 2018, pp. 54–55.

© The Australian Strategic Policy Institute Limited 2018
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers.

Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.

Acknowledgements
We thank all of those who contribute to the ICPC with their time, intellect and passion for the subject matter. The work of the ICPC would be impossible without the financial support of our various sponsors but special mention in this case should go to JACOBS, which has supported this research.

Preventing another Australia Card fail

Unlocking the potential of digital identity

What’s the problem?

Another major government digitisation scheme—digital identity—is set to cause controversy and risk further disempowering Australians in the absence of clearer policy and legislative controls. That’s problematic because digital identity has the potential to power the 21st-century economy, society and government by providing easy, high-confidence verification of identity that will allow millions of offline transactions to move online and enable a string of enhanced services, such as easy delegation of authority (for example, to pick up prescriptions) and verifications (such as proof of age online).

However, the national digital identity program, known as GovPass, faces obstacles on multiple fronts:

  • Public communication about the scheme and its implications has been wanting, leaving the public largely unaware of the change afoot.
  • A key biometric enabling service for digital identity, the Face Verification Service (FVS), risks being conflated with the far-reaching law enforcement biometric enabler—the Face Identification Service (FIS)—that’s part of the same national facial biometric matching capability agreed to by Australian Government and state and territory government leaders in October 2017. The FIS lacks adequate safeguards and in its current form is likely to attract public opposition far exceeding that directed towards the My Health Record scheme.
  • The government is now building two digital identity schemes that will compete against each other. The first, which is already operational, was built by Australia Post at a cost of $30–50 million and is known as Digital iD. The second scheme, GovPass, secured $92.4 million in the 2018–19 Budget to create the infrastructure that will underpin it and fund its initial rollout.
  • Neither GovPass nor Digital iD is governed by dedicated legislation, beyond existing laws such as the inadequate Privacy Act 1988, leaving Australians vulnerable to having their data misused.
  • The lack of clarity about how the private sector will and will not be able to use the schemes will turbocharge the ability to gather detailed profiles of individual Australians. Controls are needed to prevent a Western version of China’s ‘social credit’ scheme emerging.

What’s the solution?

National multi-use identity schemes have a poor track record in Australia. To gain public approval for this major reform, the government needs a fresh approach that places the citizen at the centre of the system. To help restore public confidence in digital initiatives after a string of failures, the introduction of this reform needs to be accompanied by an overhaul of citizens’ and consumers’ rights so that they’re fit for purpose in the 21st century.

The government should work with civil society to stimulate and lead a national debate on the benefits of digital identity, including medium- to long-term plans for the scheme. It should emphasise the strengthened protections that the public will gain against the encroachment on citizens’ rights that this and other digital reforms are producing.

Proposed legislation enabling the FVS and FIS should be far more tightly drafted, paring back the applications that the FVS and the FIS can be used for and precisely defining their uses. Dedicated legislation should be introduced to govern both government digital identity schemes.

Opportunities should be explored to avoid duplication between the two schemes. Protections for individuals in the schemes should be strengthened to prevent private-sector actors using the service to build profiles of individual citizens and on-selling those profiles in a for-profit version of China’s social credit scheme. While detailed customer profiles can already be built through methods such as loyalty programs, digital identity will enable a vastly expanded range of activities to be linked to verified identities and so exponentially expand the scope for profile building and ranking if left unchecked.

Introduction

The 2014 Financial System Inquiry recommended that the government ‘develop a national strategy for a federated-style model of trusted digital identities’ that would be accessible for both public and private identity verification.1 The recommendation was subsequently agreed to by government.2 Creating this digital identity is a major micro-economic reform. How it’s deployed, structured, understood and protected will fundamentally shape the sort of Australia we end up with.

On 5 October 2017, the then Prime Minister and state and territory leaders laid the foundation for digital identity when they agreed to establish a ‘national facial biometric matching capability’. This connects national, state and territory photographic databases via an exchange. It has two key components. The FVS will use the exchange to allow digital identity verification. This is a one-to-one image-based verification that matches a person’s photo against an image on one of their government records (such as a passport photo) to help verify their identity. The second component, the FIS, is a one-to-many image-based identification service that matches a photo of an unknown person against multiple government records to help establish their identity and is designed for law enforcement purposes.3

What’s digital identity?

Digital identity is essentially a credential scheme allowing you to quickly confirm your personal details, entitlements and authorisations, such as proving you are over 18 years old or an Australian citizen, online or in person via your phone.

It requires a one-off verification—for example, by photographing your driver’s licence with your phone (the details of which are then checked against the relevant government database) or, for higher level verification, taking a selfie (which is then checked against a biometric template of your face that the government has collated).4

The selfie is tested against only one image—the document consented to and nominated by the individual.5 Through the FVS, the selfie would be checked against a biometric template derived from the photo on that nominated document, which would be your driver’s licence photo, a passport photo or a visa/citizenship photo.

Stored in a mobile app, this digital identity can then be used to transact with government and companies (for example, by entering your phone number on their websites and then providing permission to undertake the identity check via your digital identity mobile app) or in person, without needing to carry a wallet and identity documents.

Australians make more than 800 million transactions with government annually; 26 million of those transactions involve face-to-face verifications, and more than 300 million require phone or other authentications. Some 750,000 applications for tax file numbers are made each year, requiring in-person verification or the sending of certified copies—a process that can take up to 40 days.6

More broadly, the government operates more than 30 different logins for online services.7 A single government digital identity can simplify this landscape, allowing a single login for each individual across governments—federal, state and territory—and also simplify the 800 million transactions. This can significantly reduce irritation on the part of citizens accessing government services, and if done properly should in fact enhance privacy by tailoring the amount of personal information disclosed to the bare minimum required for the specific transaction. It has many other far-reaching applications, such as improving child safety online, reducing cyberbullying and de-anonymising the online experience.

Decoding the jargon

MyGov: the existing common credential for authenticating to many government departments, but without strong identity verification (generally, you have to prove who you are to each department).

MyGovID: the brand name for the Australian Taxation Office’s (ATO’s) new ‘Commonwealth digital identity provider’ (formerly AUSid). This is the portal through which people can validate their identity under the GovPass scheme.

GovPass: the overall system name for the federated identity scheme of the Digital Transformation Agency (DTA). MyGovID will be one of the components of GovPass and will allow people to validate their identity. GovPass is a DTA-led multiagency program in which the DTA plays an oversight, integration and delivery role, working in collaboration with the ATO, the Department of Human Services (DHS) and the Department of Home Affairs.

Trusted Digital Identity Framework (TDIF): the standards that describe the GovPass identity federation, which include provision for multiple identity providers, subject to their accreditation (currently Australia Post’s Digital iD and the ATO’s MyGovID).8 This creates consumer choice, but also means that all identity providers need to maintain high security standards if citizens’ data is to be protected. The TDIF defines the requirements to be met by government agencies and organisations in order to achieve TDIF accreditation for their identity services (for example, as an identity provider).

Face Verification Service (FVS): a one-to-one image-based verification service that can match a person’s photo against an image on one of their government records, such as a passport photo, to help verify their identity. Often, these transactions occur with the individual’s consent.9

Face Identification Service (FIS): a one-to-many image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity. Access to the FIS will be restricted to agencies with law enforcement or national security related functions.10

Boston Consulting Group has estimated that digital identity could save $11 billion annually ‘through reduced cost to serve, cost of fraud and improved customer experience’.11 Deloitte Access Economics has estimated ‘productivity and efficiency savings of $17.9 billion over 10 years (if we reduce the number of transactions completed via non-digital channels from 40 percent to 20 percent)’.12 Identity crime is estimated to cost over $2.2 billion annually and affects one in five Australians during their lives.13 While the government estimates that it costs $17–20 each time someone tries to prove their identity to access a service, the cost of doing so digitally is somewhere between $0.40 and $2.00.14 Various schemes are already operational in places such as New Zealand (RealMe), the UK (GOV.UK Verify), India (Aadhaar), Estonia (ID-card), Sweden and Norway (the last two have separate systems, both called BankID).

Digital identity, properly applied, should significantly improve users’ experiences when they deal with the public and private sectors. In 2015, 61% of Australians said they had used the internet for their most recent dealings with local, state or federal government, but only 29% were satisfied with their experience, and 58% encountered some problem with the online service. ‘The most common issue was that the process was long or difficult (21%). 15% had technical difficulties and for 13%, the service they needed was not available online. 11% couldn’t remember their user name or password.’15 Digital identity should help significantly to alleviate these problems.

Meet Digital iD and GovPass

The Australian Government is building two competing digital identity schemes. The first one, known as Digital iD, is already operational. It has been developed by Australia Post, an Australian government-owned corporation, at an estimated cost of $30–50 million.16 The second is GovPass, a scheme being developed by the DTA.

Australia Post’s Digital iD now has a product team actively selling access to the private sector. This identity service is already accepted in licensed venues in the Australian Capital Territory, the Northern Territory, Queensland, Tasmania and Victoria, and by companies such as Travelex and Airtasker.17 For individual users, the scheme is free of charge.

To function, Digital iD uses Australia Post’s access to government identity databases as well as private-sector databases, such as credit header records, and postal records. Creating a digital identity is quick and is done over the Digital iD app.18 It essentially involves verifying your mobile number by entering a code sent to your phone and taking a photo of an identity document (driver’s licence, passport or Medicare card), which is checked against the government databases.

To validate your ID on, say, Airtasker, you click ‘connect’ and input your mobile number, and that sends an alert to your phone (Figure 1). Once you open the app, you’re notified that Airtasker would like to connect and are offered the option of ‘connect’ or ‘cancel’. If you hit ‘connect’, you’re notified that Airtasker is requesting confirmation of your identity plus your date of birth and name, giving you the option to ‘allow’ or ‘cancel’.

Figure 1: Using Digital iD to engage with Airtasker

Parallel to the Australia Post scheme, the Digital Transformation Office (now the DTA) was given the task of developing a second scheme, known as GovPass.19 Underway since 2016 (Australia Post’s foundational research on digital identity was also released in 201620), the scheme was initially intended to start public beta testing in mid-2018, but has been delayed.21 It finally secured $92.4 million in funding in the 2018–19 Budget22 to create the infrastructure that will underpin GovPass and roll out the scheme, initially for grants management, the My Health Record, Youth Allowance, business registration, NewStart, the Unique Student Identifier and tax file numbers. The government aims to roll out pilot services to half a million users by the end of June 2019.23

DHS will operate the exchange or gateway between the services and identity providers, the ATO will be the initial identity service provider,24 and the DTA will oversee the program. DHS will be the scheme administrator and the operator of the interoperability hub that will provide access to verification services run by or on behalf of other government agencies. Australia Post will be seeking accreditation as an identity provider (alongside the ATO), in addition to maintaining its existing Digital iD system. The range of actors involved in GovPass and the complexity of the model will make it difficult to deliver the project on time and without incident.

Digital iD is distinguished from GovPass mainly by the fact that it isn’t a federated model (Australia Post is the only entity through which you can verify your identity for Digital iD). It’s envisaged that multiple entities could provide this service under the GovPass scheme, giving consumers choice about which entity they use to prove their identity.

Some companies, such as Mastercard (and likely others) through its My Digital Life program, are positioning themselves to facilitate access to the rich data pools that the digital identity service will enable by serving as a platform through which third-party attribute vendors can sell data on individual Australians. If poorly regulated, these sorts of schemes could create serious privacy issues involving third-party data access. An indicator of this can be seen in the controversy over Facebook providing personal data to third-party organisations, including Cambridge Analytica. (Australia Post isn’t selling access to personal information; rather, companies that use Digital iD to verify their customers’ identities are being enabled to easily gather related data, such as purchase history, location and so on, and link it to a confirmed individual identity.)

A key enabler for both schemes will be the FVS, which will be vital for higher level identity checks that are required for transactions requiring greater confidence that someone is who they say they are, such as creating tax file numbers (Australia Post’s existing scheme currently performs lower level checks using biographic data). This was made possible by the Intergovernmental Agreement on Identity matching Services.25 The agreement essentially enabled the federal, state and territory governments to share access to their databases of government-issued photographic identity documents (such as driver’s licence and passport databases) for a broad range of applications spanning road safety, law enforcement and identity checking. For identity checking, this will simplify the process of confirming identity, and the photos will enable higher levels of identity assurance. The FVS’s creation is enabled by the Identity-matching Services Bill 2018, which at the time of writing is still before the House of Representatives.26

As with the Australia Post scheme, it’s envisaged that the private sector will be able to rely on GovPass for identity checking in future. An example of how this would work is Australia Post’s Digital iD, which is already used by Australia’s largest credit union, CUA, for new members applying for some CUA accounts online or via their mobile devices. This allows accounts to be created in minutes without visiting a branch.27

Challenges

The take-up by individuals of digital identity schemes will require the government to overcome challenges in the areas of communication, rights protection, limit setting, coordination, commercialisation and security.

Communication

In all discussions about GovPass, the Australia Card experience looms large, and GovPass has been designed to deliberately distinguish it from previous efforts. The Australia Card was proposed by Prime Minister Bob Hawke in 1985 and eventually led to a double dissolution election before the proposal was dropped. Other failures also overshadow the rollout of GovPass. In 2006, Prime Minister John Howard made another attempt with the Access Card,28 before it too was shut down by the new Rudd government in 2007.

The government’s own polling suggests that it’s right to be fearful of scaring the Australian public.

Sixty-nine per cent of Australians are more concerned about their online privacy than they were five years ago. A majority (58%) of Australians are ‘somewhat concerned’ or ‘very concerned’ about biometric data being used to gain access to a licensed pub, club or hotel (although that percentage is down from 71% in 2013), and 56% are concerned about using biometric information for day-to-day banking and 43% for boarding flights.29 Only a third of Australians are comfortable with the government sharing their personal information with other government agencies, and only 10% are comfortable with businesses sharing their information with other organisations.30 The controversy over police access to the My Health Record and the need to add further privacy protections in that scheme also point to heightened public awareness and concern about digitisation processes, including about losing control of personal information that might be used to cause harm.31

The DTA has issued regular updates on the progress of the GovPass scheme, but, with few exceptions, the updates haven’t been brought to the public’s attention by leaders,32 and there’s been very little discussion of the scheme in the media. When the Council of Australian Governments (COAG) announced the key underlying agreement to share identity information and create a national biometric exchange system, the focus was placed on the counterterrorism potential of the biometric database, not the broad digital identity possibilities for the Australian population. As the then Prime Minister said at the time, ‘Imagine the power of being able to identify, to be looking out for and identify a person suspected of being involved in terrorist activities walking into an airport, walking into a sporting stadium … This is a fundamentally vital piece of technology.’33

Ending the erosion of rights

The shift to a digital world is eroding citizens’ rights. With each new digitisation initiative, people are forced to trade off more of their rights for the convenience offered. Repeatedly, they’re assured that everything’s fine, only to discover that they’ve been hoodwinked. ‘Opt in’ becomes ‘opt out’. ‘Safe and secure’, it’s later discovered, means warrantless police access. Over time, people are being disempowered, but these initiatives could have the opposite effect if properly implemented and communicated.

Instead of thinking about how digital identity can solve a departmental problem and focusing narrowly on users’ experience in that context, a citizen-centric perspective is needed. In a citizen-centred society, the role of government should be as the custodian of citizen data—guaranteeing its security and integrity and the citizen’s inviolable rights to and control of their data.34 

For government, this requires an overhaul in approach. What’s needed is a root-and-branch review of how citizen protections can be made fit for purpose in the 21st century and of opportunities to take advantage of digitisation to simplify the web of rules that we created for our paper-based society. Those rules are often needlessly complicated due to misaligned incentives between competing bureaucracies and rent-seekers who have fed off complexity. The Australian Treasury’s ‘consumer data right’35 is a step in the right direction to empower citizens, but a far more holistic approach is needed.

Clearer limits are needed

The creation of the FVS and FIS is enabled by the Identity-matching Services Bill 2018, but loose drafting leaves so much scope for unexpectedly broad use of the FIS (for law enforcement purposes) that it risks public backlash against the FVS (which is critical for identity matching). As the backlash against My Health Record demonstrated, sharing without consent is almost certain without well-crafted policy and legislation that’s accompanied by an effective public communications campaign.

An important provision of the COAG agreement that establishes the national biometric exchange system is that it can only be used for ‘general law enforcement’ purposes when suspected offences carry ‘a maximum penalty of not less than three years imprisonment’.36 This key provision is missing from the Identity-matching Services Bill.

In practice, this will mean that for requests between jurisdictions (for example, a NSW agency checking a Victorian’s identity), the three-year-penalty rule agreed by COAG would need to be spelled out in interagency agreements. If NSW police wanted to check a photo of a suspect, they would need to log the crime the person was suspected of (carrying at least a three-year prison sentence) and then run the check. It’s also possible that they could still run the check if the crime carried at least a three-year penalty in NSW, but less than a three-year sentence in Victoria.37

For intrastate biometric identity searches (such as NSW police searching NSW databases), it’s up to individual states to set any limits on what state police could use the federally run system for (that is, it could potentially be applied to any petty offence). Without clearer restrictions, the FIS in particular is open to serious misuse, especially given the Bill’s stated purpose of allowing it to be used for ‘preventing’ crime.

The parliamentary reviews of the legislation raised multiple concerns about the Bill that are beyond the scope of this paper but point to the need for far tighter controls.38

Competing government schemes and lack of oversight

It’s unfortunate that Australia has ended up with two taxpayer-funded digital identity systems. How this competition will play out is still to be seen. However, given the differences between the schemes and the groups behind them, it’s possible to foresee how it might evolve.

GovPass may dominate for government-linked identity checks, and Digital iD for private-sector identity checks. Australia Post is far more entrepreneurial than most government agencies, and if its scheme continues to operate without dedicated legislation it will also be more attractive to private-sector clients (the private sector’s ability to verify identity using GovPass is likely to be more restricted). Another potential advantage Australia Post might enjoy is working to achieve some degree of global harmonisation by working with other international postal services’ digital identity systems39 (although the DTA is considering similar international harmonisation for GovPass40).

While the Identity-matching Services Bill governs the use of the biometric FVS, it isn’t specifically focused on regulating the GovPass scheme. It’s yet to be decided whether dedicated legislation to cover GovPass will be developed. Given the sweeping applications of the scheme and open questions on issues such as liability, potential for misuse and privacy concerns, legislation is needed for both GovPass and Digital iD.

Commercial applications

Both digital identity schemes offer significant potential benefits for the private sector. If used, they should reduce identity fraud and theft. Some 69% of Australians are concerned about becoming victims of those crimes,41 which cost the Australian economy billions of dollars. The schemes will also make it much easier for consumers to transact with businesses and have the potential to better control and manage personal data.

Digital identity will also allow more limited sharing of personal information. At present, most identity checks involve an over-sharing of personal information. The person selling you a beer doesn’t need to know your name, home address, driver’s licence number, or even your date of birth. They just need a yes/no answer that you are 18 years old or older.

However, without safeguards, digital identity opens up the possibility of serious misuse. With digital identity, the shop assistant selling you alcohol might see less of your personal information but, because they are able to confirm who you are, your purchase information could be on-sold to interested parties, such as your health insurer (affecting your premium) or DHS (affecting your cashless debit card payments). The DTA has advised that it’s currently considering establishing an oversight authority, oversight rules, or both, that would seek to prevent the on-selling of data whose collection is facilitated by digital identity verification.42 This sort of oversight is critical for both GovPass and Digital iD.

As we move to a world where identity can be confirmed easily and cheaply, it opens up the possibility of building up profiles of individuals. If digital identity becomes the de facto way to buy alcohol, log on to social media, buy tickets, travel and shop, all of the data that those transactions collect (such as where you are, how much you spend, what you buy and what you look at) can be linked to an individual identity and sold (via your agreement in fine-print terms and conditions) to a third-party profile builder.

Commercial operators are already exploring this possibility. Mastercard (and no doubt competitors), for example, is considering using Australia as the first country to test and deploy its My Digital Life program. This will be a platform through which third-party ‘attribute vendors’ can confirm different attributes of individual consumers, many of which will be enabled via digital identity. For example, when you engage with a company you have never dealt with before, the company might request half a dozen attributes about you via the My Digital Life app to improve its confidence that you will be a good customer to engage with or are worth offering a higher level of customer service. This might include confirming that you have a perfect credit score, that you always pay your bills on time, that you never gamble, that you purchase fewer than 20 standard drinks of alcohol each week, that you give at least $1,000 a year to charity and that you volunteer. With your consent, My Digital Life will then request confirmation of those attributes from the third parties who have collected this information to on-sell via platforms such as My Digital Life and will send the results to the requesting company.

The private sector has been a leader in the development of ‘know your customer’ best practices and privacy protections, and some sharing of attributes (such as credit scores, police checks, speciality licences and working with children certificates) may facilitate commerce and community engagement. However, without tighter constraints, the potential applications of Westernised versions of China’s social credit scheme could seriously encroach on basic rights.

Security

It’s difficult to provide detailed cybersecurity risk assessments of GovPass (which is still being designed) and Digital iD (for which detailed architectural designs aren’t available). However, one area where risks are likely is in spoofing the FVS. Researchers in the US have demonstrated that wearing specially designed eyeglass frames ‘can effectively fool state-of-the-art face recognition systems’.43 Technical means to overcome these immediate challenges are likely to emerge, but this demonstrates that biometrics won’t be a panacea for identity fraud.

More broadly, this ASPI policy brief has identified several issues of concern, including the security risks presented by having multiple identity providers, each of which will need to maintain rigorous security standards, as well as the potential for the schemes to be used to facilitate vastly more ambitious profile building of Australians. There also appears to be no legislative impediment to the ATO using its existing powers to use the GovPass exchange to request information that would allow for data matching—something likely to attract public concern. Data from the ATO-run MyGovID identity service portal could be used to match a particular user with other government services. The DTA exchange is designed at a technical level to resist an identity provider trying to do this sort of matching but won’t stop an authority with legislative power to demand the data.

A range of other security-related issues remain open. If either or both of the schemes are widely adopted, it’s unclear whether companies could mandate the use of them (for example, for online banking), making them de facto compulsory. It’s also unclear whether companies that have traditionally not required validated identity checks could start to do so. For example, companies such as Facebook that have a real-name policy could adopt mandatory digital identity verification for Australian users to enforce that policy.44

Opportunity ahead

Despite the challenges, digital identity is critical for a 21st-century economy. Done properly, it will allow citizens to enhance their privacy by sharing less personal information and save time by doing more things online with less hassle. If it’s accompanied by an overhaul of citizens’ rights, it could put Australians back in charge of their online lives, allow them to monitor and easily contest inappropriate uses of their data, and remove unnecessary regulatory and legislative complexity as the shift from offline to online proceeds.

Features of GovPass

User-centred design: User-centred design is a key principle for GovPass, and the program is being developed in accordance with the Digital Service Standard, which aims to ensure that digital teams build government services that are simple, clear and fast.45 In addition, the TDIF has a component dealing with usability and accessibility requirements that government agencies and organisations need to meet in order to be accredited under the TDIF.

Privacy: The GovPass platform’s conceptual architecture is designed to be consistent with ‘privacy by design’ principles. Personal information that’s essential to provide the requested service will be collected and used with informed consent.46 GovPass has been designed as a federation of identity providers and an exchange using ‘double-blind’ architecture. Having the exchange means the service doesn’t see your identity documents, the identity provider doesn’t know what service you’re accessing, and your identity attributes aren’t stored centrally. The exchange merely passes those attributes on to the service. It doesn’t retain the attributes, only logs recording what occurred. The DTA advises that its research suggests that there’s community demand for multiple identity providers so citizens have choice for different transactions (for example, using a government provider for government transactions and a private-sector entity for commercial transactions).

Express consent: The GovPass program has been explicitly designed to be ‘opt in’ for users, although other schemes such as My Health Record have transitioned from ‘opt in’ to ‘opt out’. The exchange will be the vehicle for a user to express consent. Once a user has established their identity through an identity provider, the exchange will ask them to consent for their attributes to be passed to the requesting service (relying party). Unless the user gives explicit consent, the attributes can’t be passed on.
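The double-blind exchange and the express-consent step described above, as an added toy model that is not the DTA’s, Australia Post’s or any vendor’s code: the identity-provider records, service names, fixed date and HMAC-based per-service pseudonym are all constructed assumptions. It also shows the yes/no proof-of-age claim discussed under ‘Commercial applications’, answered without transmitting the date of birth.

```python
"""Toy model of a double-blind identity exchange (constructed example,
not GovPass code). The exchange is the only party that sees both sides:
the identity provider gets an opaque transaction id instead of the
service's name, the service gets derived claims instead of documents,
and the exchange retains a log of events but no attribute values."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date

# Constructed identity-provider records; document numbers are never released.
IDP_RECORDS = {
    "idp-subject-42": {"name": "Jane Citizen", "date_of_birth": date(1990, 6, 15),
                       "document_number": "P1234567"},
    "idp-subject-77": {"name": "Sam Minor", "date_of_birth": date(2003, 1, 10),
                       "document_number": "P7654321"},
}
TODAY = date(2018, 10, 1)  # fixed so the age claims are deterministic


def _age(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


# Claims an identity provider can answer. 'over_18' is a yes/no answer derived
# from the date of birth, so the date itself is never transmitted.
CLAIMS = {
    "over_18": lambda rec: _age(rec["date_of_birth"], TODAY) >= 18,
    "name": lambda rec: rec["name"],
}


class IdentityProvider:
    """Holds verified attributes and answers claim requests from the exchange."""

    def __init__(self, records):
        self._records = records
        self.requests = []  # what the IdP learns: transaction id and claim names only

    def assert_claims(self, idp_subject, transaction_id, requested):
        self.requests.append((transaction_id, tuple(requested)))
        rec = self._records[idp_subject]
        return {claim: CLAIMS[claim](rec) for claim in requested}


@dataclass(frozen=True)
class LogEntry:
    transaction_id: str
    relying_party_hash: str   # which service, hashed
    requested: tuple          # which claim names were asked for
    outcome: str              # 'released' or 'declined'


class Exchange:
    """Brokers between relying parties (services) and the identity provider."""

    def __init__(self, idp: IdentityProvider):
        self._idp = idp
        self._pairwise_key = secrets.token_bytes(32)
        self._pending = {}  # transaction_id -> (relying_party, requested claims)
        self.log = []       # the only thing retained after a transaction

    def start(self, relying_party: str, requested) -> str:
        """The service asks for claims; it gets back an opaque transaction id."""
        tx = secrets.token_hex(8)
        self._pending[tx] = (relying_party, tuple(requested))
        return tx

    def pairwise_id(self, idp_subject: str, relying_party: str) -> str:
        """Per-service pseudonym: the same user looks different to each service,
        so two services cannot join their records on this identifier."""
        msg = f"{idp_subject}|{relying_party}".encode()
        return hmac.new(self._pairwise_key, msg, hashlib.sha256).hexdigest()[:16]

    def complete(self, tx: str, idp_subject: str, user_consents: bool):
        """Called after the user has authenticated to the identity provider.
        Nothing is released unless the user explicitly consents."""
        relying_party, requested = self._pending.pop(tx)
        rp_hash = hashlib.sha256(relying_party.encode()).hexdigest()[:12]
        if not user_consents:
            self.log.append(LogEntry(tx, rp_hash, requested, "declined"))
            return None
        # The IdP is told the transaction id, never the relying party's name.
        claims = self._idp.assert_claims(idp_subject, tx, requested)
        self.log.append(LogEntry(tx, rp_hash, requested, "released"))
        return {"subject": self.pairwise_id(idp_subject, relying_party), "claims": claims}


def run_age_check(idp_subject: str, relying_party: str, user_consents: bool = True):
    """End-to-end proof-of-age transaction; returns (idp, exchange, result)."""
    idp = IdentityProvider(IDP_RECORDS)
    exchange = Exchange(idp)
    tx = exchange.start(relying_party, ["over_18"])
    result = exchange.complete(tx, idp_subject, user_consents)
    return idp, exchange, result


if __name__ == "__main__":
    _, ex, res = run_age_check("idp-subject-42", "bottle-shop.example")
    print(res, ex.log)
```

The service ends up with a per-service pseudonym and a bare yes/no, the identity provider's request log never names the service, and the exchange's log holds no attribute values, which is the property the text describes.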

Recommendations

1. Accompany the introduction of digital identity with an overhaul of online citizens’ and consumers’ rights.

In democracies, governments exist to serve the citizenry, so it’s only logical that the citizen be placed at the centre as far-reaching schemes such as digital identity are introduced. Helpfully, this will also provide the most important ingredient needed for the success of digital identity: trust.

The government should conduct a root-and-branch review of how citizen protections can be made fit for purpose in the 21st century and of opportunities to take advantage of digitisation to simplify rules created for our paper-based society. This should include ensuring that minimum security baselines and rules for data use are maintained, regardless of who has custody of the information (government or the private sector).

The review should look at reforms that provide citizens with easy and meaningful control over their data. It should consider providing citizens with an online log every time their personal information is accessed by any arm of government or the private sector, and with a one-click process for contesting any access they believe may be unauthorised. It should allow citizens to decide who can access different components of their data (such as individual records) and provide strong default settings to protect those who don’t bother to adjust their settings.

The Privacy Act should be amended, including to create a principle that all digital identity checks gather only the minimum necessary personal information and where possible in de-identified ways (such as via yes/no answers for proof-of-age verification, rather than date of birth transmission).

2. Communicate with the public about the schemes and the accompanying rights overhaul.

After announcing a review to strengthen online citizen protections, the government should lead a national debate on the benefits of digital identity schemes, including by outlining medium- to long-term plans for the schemes and the strengthened protections that citizens will receive to guard against encroachments on their rights. This should include the production of an issues paper that clearly sets out the major implications and long-term plans for digital identity. The paper should be followed up with traditional consultation mechanisms, such as town hall meetings, industry round-tables and media engagement.

3. Place both Digital iD and GovPass under legislative oversight and protect both schemes from overreach. Expressly prohibit ‘social credit’ schemes that are facilitated by government-enabled digital identity checking.

Given that Digital iD and GovPass rely on government identity databases to operate and have far-reaching applications, both schemes should be brought under dedicated legislative oversight. The legislation should place strict limits on information about individual citizens that can be gathered through the use of digital identity verification and on-sold. The development of social-credit-style schemes should be expressly prohibited.

4. Explore options to join the schemes.

Opportunities should be explored to avoid duplication between the two schemes. This could include reviewing whether Australia Post’s already operational scheme could be adopted as a national scheme (and GovPass scrapped, although keeping the existing FVS), or strengthened sufficiently so that it is suitable by drawing on the TDIF. At a minimum, Australia Post should replace the ATO as the government identity provider under the GovPass scheme. This would be consistent with one of the DTA’s own core procurement principles of avoiding duplication by not building platforms that other agencies have already built.47

5. Apply stricter and clearer limits on the use of biometrics at the federal, state and territory levels.

The governance of the FIS is largely beyond the scope of this paper, but is still relevant because current overreach threatens to undermine the digital identity schemes. Parliamentary inquiries into the Identity-matching Services Bill have exposed a litany of shortcomings, including inadequate privacy protections, insufficiently precise drafting, potential for overreach, and the key issue that Australians never consented to having their photographs for government identity documents repurposed for use in the biometric identity matching services now being contemplated.

Identity matching uses a relatively benign one-to-one match of a particular user’s photo against a reference photo via the FVS (although, as this policy brief has outlined, it could still be seriously misused if sufficient controls aren’t in place). The FIS is a one-to-many match of an unknown user against millions of possible matches, which has far-reaching privacy implications and the potential for serious misuse and expansion into many-to-many matching by adjusting the way the FIS works. Specific recommendations to strengthen the Identity-matching Services Bill have been provided in a separate submission to the Parliamentary Joint Committee on Intelligence and Security.48

6. Establish a national taskforce.

Discussions with government agencies working on different applications of face-matching services, which include the FVS and the FIS, suggest that second- and third-order consequences of different aspects of the schemes haven’t been considered because they fall outside specific agency or department remits. Developments at the state and territory level and within the private sector also need to be considered as part of a national approach that puts citizens at the centre. A taskforce (federal, state and territory) that includes key private-sector and civil society actors should be established to ensure that whole-of-nation implications are considered and addressed.49


© The Australian Strategic Policy Institute Limited 2018

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission.

Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published October 2018

Cover image: Illustration by Wes Mountain. ASPI ICPC and Wes Mountain allow this image to be republished under the Creative Commons License Attribution-Share Alike. Users of the image should use this sentence for image attribution: ‘Illustration by Wes Mountain, commissioned by ASPI’s International Cyber Policy Centre’.

  1. Financial System Inquiry, Final report, 7 December 2014.
  2. Australian Government, Improving Australia’s financial system: government response to the Financial System Inquiry, 20 October 2015, p. 15.
  3. Department of Home Affairs, Face matching services, Australian Government, no date.
  4. Financial System Inquiry, Final report.
  5. Financial System Inquiry, Final report.
  6. Michael Keenan, ‘Delivering Australia’s digital future’, address to the Australian Information Industry Association, 13 June 2018. Angus Taylor, ‘National standards to support government digital ID’, media release, 5 October 2017. Sara Howard, Unlocking up to $11 billion of opportunity, Australia Post, 5 December 2016.
  7. Angus Taylor, ‘What a Govpass digital ID would look like for Australians’, media release, 17 October 2017.
  8. Financial System Inquiry, Final report.
  9. Financial System Inquiry, Final report.
  10. Financial System Inquiry, Final report.
  11. Australia Post, A frictionless future for identity management: a practical solution for Australia’s digital identity challenge, White Paper, December 2016, p. 7.
  12. Australia Post, Choice and convenience drive ‘digital first’ success, Insight paper, November 2016, p. 5.
  13. Parliament of Australia, Identity-matching Services Bill 2018, Explanatory memorandum, p. 3.
  14. Digital Transformation Agency (DTA), ‘Digital identity: enabling transformation’, handout, Australian Government; Keenan, ‘Delivering Australia’s digital future’.
  15. Australia Post, Choice and convenience drive ‘digital first’ success, p. 7.
  16. DTA, ‘Digital identity: enabling transformation’ and interviews for this research.
  17. Australia Post, Digital iD.
  18. One-off versions can also be created on the Australia Post website.
  19. Rachel Dixon, ‘Digital identity: early days in the discovery process’, DTA, 8 March 2016.
  20. Australia Post, Digital identity white paper: a single digital identity could unlock billions in economic opportunity, no date.
  21. Taylor, ‘National standards to support government digital ID’.
  22. Australian Government, Budget 2018–19: Budget strategy and outlook, Budget paper no. 1, 2018–19, pp. 1–22.
  23. Keenan, ‘Delivering Australia’s digital future’. Level 2 identity verifications don’t require biometric verification. Four of the eight services being developed require a Level 2 identity verification and therefore aren’t dependent on the FVS.
  24. Keenan, ‘Delivering Australia’s digital future’.
  25. Council of Australian Governments (COAG), Intergovernmental Agreement on Identity Matching Services, 5 October 2017.
  26. Parliament of Australia, Identity-matching Services Bill 2018.
  27. Credit Union Australia Limited, ‘CUA leading the way in bringing Digital iD to banking’, media release, 8 August 2017.
  28. Office of Access Card, ‘What is the Access Card?’, Australian Government.
  29. Office of the Australian Information Commissioner (OAIC), Australian community attitudes to privacy survey, 2017, Australian Government, 2017, pp. i, 21.
  30. OAIC, Australian community attitudes to privacy survey, 2017, p. ii.
  31. Dana McCauley, ‘Health Minister backs down on My Health Record’, Sydney Morning Herald, 31 July 2018.
  32. Keenan, ‘Delivering Australia’s digital future’.
  33. Karen Barlow, ‘Turnbull dismisses privacy concerns in asking for a national facial recognition database’, Huffington Post, 4 October 2017.
  34. See David McCabe, ‘Scoop: 20 ways Democrats could crack down on Big Tech’, Axios, 30 July 2018.
  35. The Treasury, Consumer data right, Australian Government, 9 May 2018.
  36. COAG, Intergovernmental Agreement on Identity Matching Services, p. 12.
  37. There’s provision in the COAG agreement to review this after the first 12 months of operation; COAG, Intergovernmental Agreement on Identity Matching Services, section 4.25.
  38. Parliament of Australia, Identity-matching Services Bill 2018.
  39. Sara Howard, A world without borders, Australia Post, 19 December 2016.
  40. Asha McLean, ‘DTA considering international “brokerage” of digital identities’, ZDNet, 9 February 2018.
  41. OAIC, Australian community attitudes to privacy survey, 2017, p. 33.
  42. The potential oversight authority would have legal authority to enforce operating rules and the TDIF on participants of the identity federation. The operating rules would set out the legal framework for the operation of the identity federation, including the key rights, obligations and liabilities of participants (including relying party services).
  43. Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, Michael Reiter, ‘Accessorize to a crime: real and stealthy attacks on
    state-of-the-art face recognition’, CCS 16, 24–28 October 2016, Vienna, p. 12 ↩︎
  44. ‘What names are allowed on Facebook?’, Facebook, 2018 ↩︎
  45. Financial System Inquiry, Final report. ↩︎
  46. Financial System Inquiry, Final report. ↩︎
  47. DTA, Digital sourcing framework for ICT procurement, Australian Government, no date. ↩︎
  48. Parliamentary Joint Committee on Intelligence and Security, Review of the Identity-matching Services Bill 2018 and the Australian Passports Amendment (Identity-matching Services) Bill 2018, ‘Submissions received by the committee’, submission no. 18 ↩︎
  49. GovPass has a steering committee that reports to the Digital Leadership Group and is exploring how to broaden the group. ↩︎

3rd Australia-Europe Counter-Terrorism Dialogue: ‘Transforming the New Threat Landscape’

Europe and Australia are connected in many ways. As liberal democratic societies, they share a common normative foundation of values that set the parameters for what the state may or may not do.

Based on that background, in September 2017 a delegation from Australia composed of practitioners, policymakers and academics travelled to Germany and Belgium to participate in the 3rd Australian Strategic Policy Institute – Konrad Adenauer Stiftung Australia–Europe Counterterrorism Dialogue, entitled Transforming the New Threat Landscape.

Understanding the BRI in Africa and the Middle East

This Strategic Insight aims to expand on Paul Dibb and Richard Brabin-Smith’s powerful, provocative paper, Australia’s management of strategic risk in the new era. Dibb and Brabin-Smith, two of Australia’s leading strategic thinkers, examined China’s growing assertiveness in our region. Here, I look beyond our region and beyond China’s One Belt, One Road Initiative (BRI) to highlight how China is expanding its influence in Africa and the Middle East. I examine some selected cases, such as Zimbabwe, Israel, Turkey and Iran. I also try to situate the BRI in President Xi Jinping’s grand strategy.

More than submarines: New dimensions in the Australia–France strategic partnership

In this compendium examining the France–Australia relationship, we have brought together experts from each country to explore our shared histories and plot a course for where we might take the relationship in the future. Each section examines a different aspect of the relationship—historical, international security, defence and the South Pacific—from a French and an Australian perspective. The experts brought together in this volume cover a breadth and depth of knowledge and experience as officials, academics and practitioners.

What emerges is a rich and complex picture of two vibrant and activist countries, grappling with complex problems, but each determined to contribute to making the world safer and more just. At a time when the international order appears under threat, the willingness of our two countries to continue to commit to the global rule of law and strengthening the liberal order and respect for human rights is both heartening and vital.

It’s also clear, however, that maximising the benefits of the bilateral relationship requires a strategic plan and practical commitment to getting things done. This compendium is a contribution to enhancing the relationship so that it can truly be more than the sum of its parts and we can navigate confidently through the decades to come.

The virtual meets reality: Policy implications of e-diasporas

Diasporas are global social formations of people who have been scattered from their country of origin. They carry with them a collective representation, myth or imagined sense of their homeland. The connection between the diaspora and its members’ original ‘home’ was, until the rise of social media, sustained by letters, tapes and print media.

E-diasporas originally emerged as online manifestations of diaspora communities. Although social media are just some of many technologies used by people to communicate, their rise has intensified the articulation and elaboration of diasporic identities several-fold.

With social media, e-diasporas recreate and expand a diaspora’s sense of shared identity and community by providing a virtual venue for affirmation and recognition.

Today, e-diasporas are combinations of self-interest and identity groups that share experiences through online media. The members share their country of origin and, at times—depending on the size of the community—their host country.

Cyber Maturity in the Asia Pacific Region 2017

The Cyber Maturity in the Asia–Pacific Region report is the flagship annual publication of the ASPI International Cyber Policy Centre.

This report assesses the national approach of Asia–Pacific countries to the challenges and opportunities of cyberspace, taking a holistic approach that assesses governance and legislation, law enforcement, military capacity and policy involvement, and business and social engagement in cyber policy and security issues.

The 2017 report is the fourth annual cyber maturity report. It covers 25 countries and includes assessment of Taiwan and Vanuatu for the first time.

The United States continues its leadership of the country rankings and although the transition to the Trump administration caused a pause while cyber policy was reviewed, the US military is recognising the importance of cyber capability and elevating US Cyber Command to a unified combatant command to give it increased independence and broader authorities.

Australia has moved up in our rankings from fourth to equal second on the back of continued investment in governance reform and implementation of the 2016 Cyber Security Strategy. Australia’s first International Cyber Engagement Strategy was released, and the 2017 Independent Intelligence Review made a number of recommendations that strengthen Australia’s cyber security posture, including broadening the Australian Cyber Security Centre’s (ACSC) mandate as a national cyber security authority and clarifying ministerial responsibility for cyber security and the ACSC.

Japan (equal second with Australia), Singapore and South Korea round out a very close top five. All countries in this leading group have improved their overall cyber maturity, although very tight margins have seen some change in rankings: Australia and Japan moved up to equal second, while Singapore and South Korea dropped to fourth and fifth.

Taiwan and Vanuatu both made strong initial entries into the Cyber Maturity Report. Taiwan ranked ninth, just behind China, hampered by difficulties with international engagement, while Vanuatu came seventeenth, best of the Pacific islands.

https://www.youtube.com/watch?v=nEszlPxaATM

Preventing and countering violent extremism in Africa: mining and Australia’s interests

Australia has commercial and strategic interests in helping to prevent and counter violent extremism in Africa. Australian mining companies are engaged across the continent in Mali, Burkina Faso, Kenya and many other countries where there have been high-profile terrorist attacks and kidnappings of foreign nationals, including Australians. Those threats already affect the way Australian mining companies approach their operations on the continent. With rising risks to Australian nationals, businesses and foreign investment through the mining industry, violent extremism in Africa is a direct threat to Australian national interests.

Drawing on the findings of a newly published in-depth report, Preventing and countering violent extremism in Africa: The role of the mining sector, this paper examines how the Australian mining sector should step up efforts aimed at preventing and countering violent extremism (P/CVE) in Africa. While the report notes that mining projects present risks that can exacerbate some of the drivers of violent extremism, it also highlights the potential to leverage the work of mining projects as a bulwark against violent extremism.

This paper shows that there’s scope for further cooperation and engagement with the Australian Government in the mining sector. The potential of the private sector in P/CVE remains underexplored. Consequently, the mining sector has an opportunity to lead by example in this field.

Preventing and countering violent extremism in Africa: the role of the mining sector

Terrorism and violent extremism remain significant threats to international peace and security. Although few countries have been immune, Africa has been particularly susceptible. Weak institutions, porous borders, inadequately trained or ill-equipped security forces, historical grievances and a lack of economic opportunities have created conditions for extremist ideologies to grow and persist in parts of the continent.

“The global effort to prevent violent extremism can’t succeed without the private sector. This report explains why, and how to incorporate this essential partner.”

Dr Khalid Koser MBE
Executive Director
Global Community Engagement and Resilience Fund (GCERF)

To date, most counterterrorism efforts have been security and intelligence led, with an emphasis on military and kinetic strategies to ‘defeat’ terrorism. Over the past decade in particular, global efforts have also focused on strategies for preventing and countering violent extremism (P/CVE), particularly on the role of international institutions, governments, regional organisations and communities. While several international frameworks for counterterrorism, for example the UN Secretary-General’s Plan of Action to Prevent Violent Extremism, have recognised the important role of the private sector in prevention measures, there’s been little research and analysis exploring the specificity and mechanisms of private sector involvement. This report by ASPI, in cooperation with Hedayah, uses a case study of the mining sector in Africa to examine how the private sector does and can engage in P/CVE efforts.

This report explores the correlation between the drivers of violent extremism and the different activities undertaken throughout a mining project’s life cycle in order to identify potential risks and opportunities. It examines the role of the mining sector in actions to address violent extremism, identifying preliminary lessons and best practices from the research. Finally, it provides recommendations for mining companies, the industry, governments and communities on approaches to engage mining companies in P/CVE efforts.

The report is accompanied by a second paper that draws on the findings and examines how the Australian mining sector should step up efforts aimed at preventing and countering violent extremism in Africa. See Preventing and countering violent extremism in Africa: Mining and Australia’s interests.

Australia’s management of strategic risk in the new era

Australia’s strategic outlook is deteriorating and, for the first time since World War II, we face an increased prospect of threat from a major power.

This means that a major change in Australia’s approach to the management of strategic risk is needed.