Australia’s semiconductor national moonshot

Foreword

Australia has recently been forced to cross a Rubicon. Its wholehearted embrace of global free trade and just-in-time supply chains has had to confront the hard reality of geopolitics. In many parts of the world, geopolitics is choking free trade, and China—Australia’s largest trading partner—has shown itself particularly willing to use trade coercively and abrogate its free trade commitments, not just with Australia, but with countries all around the world.

Advanced technologies are at the centre of this geopolitical struggle, because of the risk that withheld supply poses to national economies and security. As Covid-19 disruptions have demonstrated, the risks are not even limited to deliberate coercion.

In this environment, bold action is warranted. Continuing to do what we did before is not an option because it will undermine the national interest. A new approach is needed that’s in part heretical to our old market-based approach but is driven by necessity: government intervention that works in tandem with industry expertise and drive.

In this important policy brief, Alex Capri and Robert Clark lay out a vision for Australia to secure its place in the global semiconductor industry—an industry they describe as ‘the single most important technology underlying leading-edge industries’.

Their proposal is to stimulate A$5 billion of semiconductor manufacturing activity through A$1.5 billion of government investment and financial incentives. Those subsidies and tax concessions would mirror similar initiatives such as the US ‘CHIPS’ and ‘FABS’ Acts, but are focused on Australia’s interests.

They identify a logical niche for Australia that would initially establish a distributed commercial compound semiconductor foundry capability across Australia via a public–private partnership. In the longer term, they propose establishing a commercial silicon complementary metal-oxide semiconductor foundry at mature process scale.

Government intervention in a market shouldn’t be made lightly, but Capri and Clark make a compelling case to do so. If policymakers agree that Australia needs access to semiconductors and that their supply from elsewhere can’t be guaranteed, then intervention is imperative.

This policy brief lays out a ‘moonshot’ to get Australia there.

Fergus Hanson
Director, International Cyber Policy Centre

What’s the problem?

Semiconductors (also known as ‘microchips’ or ‘chips’) are the single most important technology underpinning leading-edge industries. They’re essential for the proper functioning of everything from smartphones to nuclear submarines and from medical equipment to wireless communications.

Australia’s notable lack of participation in the global semiconductor ecosystem has put it at a geopolitical disadvantage. As a nation, with some niche exceptions, it’s almost entirely dependent on foreign-controlled microchip technology, making it increasingly vulnerable to global supply-chain shortages, shutdowns and disruptions. Such occurrences have become all too common, either because of events such as the Covid-19 pandemic or because of other governments’ attempts to weaponise supply chains for geopolitical reasons.

Having unfettered access to microchips is a matter of economic and national security, and, more generally, of Australia’s day-to-day wellbeing as a nation. In an increasingly digitised world, policymakers must treat semiconductors as a vital public good, almost on par with other basic necessities such as food and water supplies and reliable electricity—a reality that would become immediately apparent in a time of international crisis resulting from, for example, wars or natural disasters.

What’s the solution?

Australia must conceive, develop and execute a national plan that will enable capacity building in the semiconductor space. To do this, leadership must embrace bold thinking and adopt its own version of a 21st-century ‘moonshot’. Instead of landing astronauts on the Moon, however, as the Americans did in their own original moonshot in a Cold War space race against the Soviet Union, Australia faces an equally daunting task: from a low base, breaking into the world’s most complex, expensive and strategic technology ecosystem.

To achieve that, the Australian Government must do four overarching things.

First, it must embark on an epic technology-transfer initiative. To be successful, Australia must attract and absorb leading-edge technology, human capital (talent) and investment through a range of strategic partnerships with world-class companies, universities and friendly governments. The good news is that Australia already has a wealth of resources and building blocks to which it can turn to bring this to fruition.

Second, it must leverage its security partnerships and alliances with the US, Britain, Japan and others to tether the development of its semiconductor capabilities to evolving mutual defence needs and related innovation. Security alliances such as the Quadrilateral Security Dialogue (the Quad), AUKUS and the Five Eyes network must double up as enablers of Australia’s semiconductor sector (and other critical technology) advancement. The spillover to Australia’s commercial sector will be immense.

Third, Australia’s firms and local talent must become enmeshed in global value chains. Not just any value chains, however. Australia’s strategic industries must seek to secure supply-chain arrangements via bilateral, minilateral and multilateral agreements, and government should continue to participate in high-quality multilateral free trade agreements, assuming those agreements actually enforce rules and standards reflective of Australia’s core values.

Countries such as the US, the UK, Japan and South Korea, along with various EU nations, India, Taiwan and Singapore, show good potential for ‘friend-shoring’, meaning that they could provide safe havens for the ring-fencing of Australia’s strategic value chains. For example, Australia could join Washington’s ‘secure’ (‘China-free’) supply-chain arrangements with Taiwan, Japan and South Korea as part of the US Creating Helpful Incentives to Produce Semiconductors and Science Act (CHIPS Act) or pursue similar agreements with the EU’s nascent supply-chain security agreements as part of the EU’s European Chips Act. Bilateral and minilateral agreements are preferred. Such an outcome would be mutually advantageous to all parties, given the benefits of rationalised global value chains for the world’s most complex sector.

Highly specialised slices of the semiconductor value chain require a dizzying range of materials, processes, equipment and technologies from trading partners that must be relied upon to deliver the goods without the risk of sanctions, blacklists and export bans—or any other geopolitically motivated weaponisation of supply chains. Every niche player in Australia’s microchip ecosystem, therefore, must keep its critical production activities ring-fenced within ‘friendly’ geopolitical and geographical value chains.

Strategic friend-shoring and home-shoring must cover everything from localised rare-earth and critical-materials processing at the bottom of supply chains to the production of specialised microchips at the top end.

Fourth, Australia’s public sector must step up to facilitate the right kinds of public–private partnerships (PPPs), provide targeted funding for semiconductor R&D and education, and create commercial incentives for foreign and local investments. This will require adept ‘techno-diplomacy’ with foreign partners, as well as a deft touch regarding the local technology landscape, as too much government interference could impede Australia’s tremendous entrepreneurial spirit. This is a moonshot: big and bold actions and expenditures are needed, not overly cautious gradualism.

Executive summary

In this report, we set out to make specific recommendations underpinning an Australian semiconductor national plan. This is an urgent task, which is presented in a global context, with special emphasis given to the geopolitical complexity of semiconductor supply-chain issues and Australia’s important strategic alliances and partnerships.

Our analysis emphasises the centrality of a commercial semiconductor chip manufacturing capability, which is nearly absent in Australia. Developing other aspects of the semiconductor ecosystem is important, including critical minerals and microchip design, but those areas must be addressed concurrently, as part of a larger, decisive plan, not through a gradualist approach. Opting out of semiconductor manufacturing will severely constrain Australia’s growth as a technological nation and consign it to second-tier status.

International examples, and recent substantial incentives formalised by governments worldwide for this critical industry, such as the US and European ‘Chips’ Acts, are highlighted and provide guidance.

Australia has an R&D semiconductor fabrication foothold upon which it can build its new capabilities. Viable investment streams via the Australian National Fabrication Facility (ANFF) network under the National Collaborative Research Infrastructure Scheme must be increased substantially.

A sufficiently funded ANFF, with capability increased to pilot production in key nodes, could underpin closely located foundries via public–private partnerships (PPPs) with commercial manufacturing firms. As is the case for PPP developments in the US and UK, it’s proposed that Australia attract appropriately tailored foundry capability in compound semiconductors, and also in complementary metal-oxide-semiconductors (silicon CMOS) at mature process scale. The endgame is to address these key markets with a sovereign talent pipeline.

We provide a dollar amount estimate for that outcome, indicating a pathway to some A$5 billion of semiconductor manufacturing activity, stimulated by A$1.5 billion of government investment and financial incentives, including direct subsidies and tax offsets, which are part of that total.

As well as financial estimates, we address the issue of focus and the scale of an Australian semiconductor ‘moonshot’. We also map the four overarching actions that we’ve outlined under ‘What’s the solution?’ to quite specific recommendations. That mapping considers the current Australian semiconductor status quo to outline an existing foothold that Australia can sensibly build on. We also take note of significant US and UK government incentive schemes recently announced to strategically define and boost those countries’ semiconductor industries and supply chains, which Australia could proportionately finetune to its comparative stage of development.

In a geopolitical context, we focus on the task of creating and executing an Australian national semiconductor plan. At its heart, and notwithstanding the importance of microchip design and marketing, the central and most complex issue that will define such a plan is building a sustainable, appropriately scaled, strategic market-penetrating, trusted commercial semiconductor fabrication capacity across Australia. With this focus, in laying out an analysis of the semiconductor landscape, we highlight topics that should be at the forefront of the national discussion.

Those topics include:

  • concentrating on different business models and capacity-building scenarios, including the medium-term consideration of ‘pure play’ manufacturing of compound semiconductors as well as connected ‘fabless’ activities in research, design and innovation
  • over the long term, exploring the merits of the ‘integrated device manufacturing’ model and silicon chip fabrication at an appropriate entry point
  • focusing on specialised chip production for a growing range of sectors, including the automotive, medical, communications, energy and defence sectors
  • recognising the importance of so-called ‘trailing-edge’, ‘mature’ chip technologies and why they’re as important as ‘leading-edge’ semiconductors, in an economic and geopolitical context
  • understanding the enabling role of trusted PPPs involving Australian and other leading universities and public-sector technology agencies, semiconductor companies and governments
  • understanding the importance of technology transfer via defence-related alliances such as AUKUS and the Five Eyes and the role of government-funded research agencies in that transfer.

Assessing the impact of CCP information operations related to Xinjiang

What’s the problem?

The Chinese Communist Party (CCP) is using technology to enforce transnational digital repression and influence unwitting audiences beyond China’s territory. This includes using increasingly sophisticated online tactics to deny, distract from and deter revelations or claims of human rights abuses, including the arbitrary detention, mass sterilisation and cultural degradation of minorities in Xinjiang. Instead of improving its treatment of Uyghurs and other Turkic minorities, the CCP is responding to critiques of its current actions against human rights by coordinating its state propaganda apparatus, security agencies and public relations industry to silence and shape Xinjiang narratives at home and abroad.

Central to the CCP’s efforts is the exploitation of US-based social media and content platforms. CCP online public diplomacy is bolstered by covert and coercive campaigns that impose costs and seek to constrain international entities—be they states, corporations or individuals—from offering evidence-based critiques of the party-state’s record on human rights in Xinjiang and Hong Kong and other sensitive issues. This asymmetric access to US-based social media platforms allows the CCP to continue testing online tactics, measuring responses and improving its influence and interference capabilities, in both overt and covert ways, across a spectrum of topics.

The impact of these operations isn’t widely understood, and the international community has failed to adequately respond to the global challenges posed by the CCP’s rapidly evolving propaganda and disinformation operations. This report seeks to increase awareness about this problem based on publicly available information.

What’s the solution?

The exploitation of information operations and propaganda by Russia and China during Putin’s war on Ukraine demonstrates the importance of taking measures to reduce the power and impact of such activities before a crisis or military conflict is underway.1 This is a viable option, given both the success of the West in countering Russia’s false pretexts for instigating an invasion of Ukraine by revealing Russian plans,2 and the outstanding success of the Ukrainian Government’s communication efforts globally. This has undercut attempts by Putin to establish legitimacy in the conflict and has also pressured Beijing into moderating its international and material support for Moscow during the conflict. However, collective action was largely taken only after Russia’s invasion. The CCP has a different modus operandi and seeks to achieve its objectives without military force. It relies on other countries having high tolerance levels before those countries take action, which often means that the harmful impacts of information operations are occurring before any countermeasures are taken.

CCP information operations targeting Xinjiang narratives and human rights abuses should be countered now to mitigate the party’s global campaign of transnational repression and information warfare. Achieving that requires governments and civil society to work more closely with social media platforms and broadcasters to deter and expose propaganda organisations and operatives.

Governments must lead this policymaking process in coordination with allies and partners with shared interests. Economic sanctions regimes that target the perpetrators of serious human rights violations and abuses should be expanded to include the distributors of disinformation and foreign propaganda who silence, intimidate and continue the abuse of survivors and victims of human rights violations. Sanctions targeting propagandists and state media have already been used as an effective tool of statecraft. For example, the Australian Government,3 in coordination with other governments in the US, UK and Europe,4 has sanctioned Russian propagandists and state media for spreading disinformation and propaganda during Putin’s war. Sanctioning Chinese propagandists and state media for their repression of global free speech will curb the CCP’s disinformation and foreign propaganda prior to a conflict, undermine its capabilities during conflicts and deter future information campaigns.

CCP information operations are also evolving and changing. Governments should disrupt Chinese propaganda assets and identify strategic data sources—such as public opinion mining of US-based social media—that are being exploited to improve the party’s influence and interference capabilities. In addition, governments, civil society actors, think tanks and social media operators should create countermeasures and responses to CCP information operations and propaganda activities focusing on the discourse on human rights to blunt and deter malign CCP activity. This should include funding research exposing the Chinese foreign propaganda system, including public relations firms, cultural corporations and public opinion monitoring companies based inside and outside China.

Full Report

You can download the full report here.

  1. See Samantha Hoffman, Matthew Knight, China’s messaging on the Ukraine conflict, ASPI, Canberra, 23 May 2022. ↩︎
  2. Julian E Barnes, Helene Cooper, ‘US battles Putin by disclosing his next possible moves’, New York Times, 12 February 2022. ↩︎
  3. Marise Payne, ‘Further sanctions on Russia’, media statement, 8 March 2022. ↩︎
  4. Treasury sanctions Russians bankrolling Putin and Russia-backed influence actors’, media release, US department of the Treasury, 3 March 2022. ↩︎

Cultivating friendly forces: The Chinese Communist Party’s influence operations in the Xinjiang Diaspora

This report is a part of a larger online project which can be found on the Xinjiang Data Project website.

What’s the problem?

The Chinese Communist Party (CCP) has committed well-documented and large-scale human rights abuses against the Uyghurs and other indigenous minorities in the Xinjiang Uyghur Autonomous Region (XUAR) that amount to crimes against humanity. Through its complex united front system, the CCP is actively monitoring members of the diaspora, including Uyghurs, creating databases of actionable intelligence, and mobilising community organisations in the diaspora to counter international criticism of its repressive policies in Xinjiang while promoting its own policies and interests abroad. These organisations are powerful resources in Beijing’s ongoing efforts to reshape the global narrative on Xinjiang, influence political elites abroad, and ultimately control the Chinese diaspora, but they’re also poorly understood.

These organisations purport to represent and speak on behalf of ‘Xinjiang’ and its indigenous peoples.

They subsume Uyghur and other minority cultures and identities under a nebulous yet hegemonic ‘Chineseness’, which is defined by and connected to the Han-dominated CCP. In reality, these organisations and their leaders play important roles in muting alternative and independent voices from the community while amplifying CCP messaging and spreading disinformation. They exploit the openness of democratic and multicultural countries while assisting the CCP and its proxies to surveil and even persecute members of the Xinjiang diaspora community or individuals who are critical of the CCP’s Xinjiang policies.

Like united front work more broadly, the activities of these groups and their links to the Chinese Government are often overlooked and can be difficult to parse. While human rights abuses in Xinjiang are being exposed internationally, the mechanisms and tactics developed by united front agencies to co-opt overseas Xinjiang-related community groups have gone largely unnoticed. Our research demonstrates how these groups can sow distrust and fear in the community, mislead politicians, journalists and the public, influence government policies, cloud our assessment of the situation in Xinjiang, and disguise the CCP’s interference in foreign countries.

What’s the solution?

Transparency is the best weapon at our disposal. The international community must expose and counter the CCP’s overseas influence and interference operations. In order to counteract Xinjiang-related united front work, we must shine a brighter light on community organisations that cooperate with the CCP to achieve its repressive political aims overseas; at the same time, we must safeguard the ability of citizens of all backgrounds to engage in public life free from outside interference.

Governments must first acknowledge the problem and then denounce the CCP’s interference operations publicly. They should work together to disrupt the CCP’s capacity to covertly intrude in sovereign countries and open societies, carry out transnational repression and cover up its human rights abuses in Xinjiang. They must strengthen countermeasures through intelligence work, law enforcement and legislative reform, and provide additional funding to analyse the CCP’s united front system while working closely with other countries to safeguard universal human rights in China and other parts of the world. Understanding the CCP’s united front system, tactics and methods is a crucial starting point.

Finally, we must increase the capacity of political figures and civil society organs to understand and resist interference by the CCP and other nefarious state and non-state actors and strengthen the ability of the policy sector, academia and the media to identify and call out foreign interference and misinformation. This is playing to the strengths of open societies in particular, but is also key to any state’s ability to exercise sovereignty in the face of corrosive CCP activities.

Countering the Hydra: A proposal for an Indo-Pacific hybrid threat centre

What’s the problem?

Enabled by digital technologies and fuelled by geopolitical competition, hybrid threats in the Indo-Pacific are increasing in breadth, application and intensity. Hybrid threats are a mix of military, non-military, covert and overt activities by state and non-state actors that occur below the line of conventional warfare. The consequences for individual nations include weakened institutions, disrupted social systems and economies, and greater vulnerability to coercion—especially from revisionist powers such as China.

But the consequences of increased hybrid activity in the Indo-Pacific reach well beyond individual nations. The Indo-Pacific hosts a wide variety of political systems and interests, with multiple centres of influence, multiple points of tension and an increasingly belligerent authoritarian power. It lacks the regional institutions and practised behaviours to help ensure ongoing security and stability. And, because of its position as a critical centre of global economic and social dynamism, instability in the Indo-Pacific, whether through or triggered by hybrid threats, has global ramifications.

Because hybrid threats fall outside the conventional frameworks of the application of state power and use non-traditional tools to achieve their effects, governments have often struggled to identify the activity, articulate the threat and formulate responses. Timeliness and specificity are problematic: hybrid threats evolve, are often embedded or hidden within normal business and operations, and may leverage or amplify other, more traditional forms of coercion.

More often than not, hybrid threat activity is targeted towards the erosion of national capability and trust and the disruption of decision-making by governments—all of which reduce national and regional resilience that would improve security and stability in the region.

What’s the solution?

There’s no silver-bullet solution to hybrid threats; nor are governments readily able to draw on traditional means of managing national defence or regional security against such threats in the Indo-Pacific.

Because of the ubiquity of digital technologies, the ever-broadening application of tools and practices in an increasing number of domains, it’s evident that policymakers need better and more timely information, the opportunity to share information and insights in a trusted forum and models of how hybrid threats work (we provide one here). Exchange of information and good practice is also needed to help counter the amorphous, evolving and adaptive nature of hybrid threats.

We propose the establishment of an Indo-Pacific Hybrid Threat Centre (HTC, or the centre) as a means of building broader situational awareness on hybrid threats across the region.1 Through research and analysis, engagement, information sharing and capacity building, such a centre would function as a confidence-building measure and contribute to regional stability and the security of individual nations.

While modelled on the existing NATO–EU Hybrid Centre of Excellence (CoE) in Finland, the centre would need to reflect the differences between the European and Indo-Pacific security environments. Most notably, that includes the lack of pan-regional Indo-Pacific security institutions and practice that the centre could use. There are also differences in the nature and priorities assigned to threats by different countries: the maritime domain has more influence in the Indo-Pacific than in Europe, many countries in the region face ongoing insurgencies, and there’s much less adherence to, or even interest in, democratic norms and values.

That will inevitably shape the placement, funding, and operations of an Indo-Pacific HTC. A decentralised model facilitating outreach across the region would assist regional buy-in. Partnership arrangements with technology companies would provide technical insight and support. Long-term commitments will be needed to realise the benefits of the centre as a confidence-building measure. The Quad countries are well positioned to provide such long-term commitments, while additional support could come from countries with experience and expertise in hybrid threats, particularly EU countries and the UK.

As with the NATO–EU Hybrid CoE, independence and integrity are paramount. That implies the positioning of the Indo-Pacific HTC core in a strong democracy; better still would be the legislative protection of its operations and data. Accordingly, we propose scoping work to establish policy approval, legislative protection and funding arrangements and to seed initial research capability and networks.

Introduction

Hybrid threats are a mix of military and non-military, covert and overt activities by state and non-state actors that occur below the line of conventional warfare. Their purpose is to blur the lines between war and peace, destabilise societies and governments and sow doubt and confusion among populations and decision-makers. They deliberately target democratic systems and state vulnerabilities, often leveraging legitimate processes for inimical ends, and typically aim to stay below the threshold of detection, attribution and retaliation.2 They’re the same activities that the Australian Government attributes to the ‘grey zone’, involving ‘military and non-military forms of assertiveness and coercion aimed at achieving strategic goals without provoking conflict.’3

Hybrid threats are increasingly of concern to governments as they grapple with the effects of digital technologies, Covid-19 and an increasingly tense geopolitical environment. Ambiguous, evolving, at the intersection of society, commerce and security, and transnational in character, hybrid threats challenge and undercut ‘normal’ conceptions of security. Unmet, they stoke division and anxiety in societies and states. They threaten to erode national security, sovereignty and societal resilience, leaving nations and their people vulnerable to coercion, particularly by authoritarian states and criminal elements.

The immediate targets of motivated hybrid activity are typically non-traditional, in the sense that government security apparatuses aren’t expected to manage and repulse them. Hybrid activity takes advantage of other, easier targets and means of generating confusion and disruption at the nation-state level: individuals may be targeted for repression or assassination; fishing vessels harassed; intellectual property stolen; commercial advantage pillaged; researchers and journalists intimidated; ethnic communities hijacked; and elites co-opted for corrupt ends.

The Indo-Pacific region is particularly vulnerable. For example, it lacks the more practised security frameworks, cooperative mechanisms and understandings present in Europe. There’s little shared awareness and understanding of the nature and consequences of hybrid threats. The region is also especially economically and demographically dynamic and socially diverse, featuring a number of competing political systems and institutions.

That offers both challenge and opportunity. In this paper, we consider the nature of hybrid threats, explore the threat landscape in the Indo-Pacific, turn our attention to the potential ‘fit’ of an Indo-Pacific HTC and make recommendations for the way forward.

A number of the thoughts and insights incorporated in this paper emerged during ASPI’s consultations with governments, businesses and civil society groups in the Indo-Pacific, as well as in Europe and the UK. We thank those respondents for their time and insights.

  1. Danielle Cave, Jacob Wallis, ‘Why the Indo-Pacific needs its own hybrid threats centre’, The Strategist, 15 December 2021. ↩︎
  2. See NATO’s definition, online, and the Hybrid Centre of Excellence’s definition. ↩︎
  3. Defence Department, Defence Strategic Update, Australian Government, 2020, 5. ↩︎

China’s messaging on the Ukraine conflict

In the early days of Russia’s invasion of Ukraine, social media posts by Chinese diplomats on US platforms almost exclusively blamed the US, NATO and the West for the conflict. Chinese diplomats amplified Russian disinformation about US biological weapon labs in Ukraine, linking this narrative with conspiracy theories about the origins of COVID-19. Chinese state media mirrored these narratives, as well as replicating the Kremlin’s language describing the invasion as a ‘special military operation’.

ASPI found that China’s diplomatic messaging was distributed in multiple languages, with its framing tailored to different regions. In the early stage of the conflict, tweets about Ukraine by Chinese diplomats performed better than unrelated content, particularly when the content attacked or blamed the West. ASPI’s research suggests that, in terms of its international facing propaganda, the Russia–Ukraine conflict initially offered the party-state’s international-facing propaganda system an opportunity to reassert enduring preoccupations that the Chinese Communist Party perceives as fundamental to its political security.

Building genuine trust

A framework and strategy for Indigenous STEM and cyber pathways

Executive summary

Indigenous recruitment and retention in the Australian Defence organisation is defined by a high target of 5% participation in the armed services and 3% in the Australian Public Service component of the Defence Department by 2025. The participation target is a point of pride and a source of clear goodwill and has provided momentum in several areas of Defence for Indigenous employment and pathways.

However, the individual areas of success and effort are yet to translate into an effective whole-of-Defence framework with cohesive lines of effort. This policy report suggests how that can change. It provides a framework and strategy for Defence to support science, technology, engineering and mathematics (STEM) recruitment and retention and cybersecurity careers, particularly through engagement with the vocational education and training system and through targeted relationship building with university- and school-based Indigenous STEM initiatives.

We propose that Defence should enact a wider set of supporting measures—particularly in data and reporting to track professional development—that’s more likely to create more sustainable success that delivers organisational improvements and outcomes for Defence. That should include mechanisms to enhance the achievements of the Indigenous Procurement Policy.

Defence must ensure that it meets its immediate skills shortfalls as well as its long-term obligations under the Closing the Gap initiative and the Defence Reconciliation Action Plan to foster genuine and meaningful relationships built upon trust with Indigenous peoples.

We suggest how that’s possible through a framework and 56 recommendations focusing on 12 areas of activity:

  • data, reporting and user-experience web design
  • career pathways
  • defence and technology contractors
  • community engagement
  • procurement and business development
  • veterans’ employment and procurement
  • the vocational education sector
  • universities
  • recruitment
  • retention
  • coordination with other public agencies
  • international partnerships.

Action on those recommendations will ensure that Defence is an employer of choice and fosters genuine and meaningful trust with Australia’s Indigenous peoples. And it will also build Defence’s capability to keep our nation safe and secure in a more dangerous world.

Introduction: Building trust—what’s visible and what are the blind spots?

The recruitment and retention of Indigenous Australians in the Defence organisation is defined by high ambitions. The aim is to reach 5% Indigenous participation in the armed services and 3% in the Australian Public Service (APS) by 2025. However, the implementation of employment pathways is lagging due to weak engagement with the talent pool, especially with Indigenous Australians who are training in science, technology, engineering and mathematics (STEM) fields in the vocational education and training (VET) and university sectors. Weak talent market mapping means that current success rates in Defence recruiting are unlikely to be maintained, particularly as competition to attract and retain Indigenous workers increases.

A common story in the services and Defence APS is the slow progress on the policy reform that’s urgently needed to build Indigenous employment pathways into Defence and through to the wider defence ecosystem, including veterans’ employment. Defence needs to demonstrate that it invests in the long-term training, retention and advance of Indigenous personnel.

Our discussions with Defence personnel have revealed that silos in the Defence organisation work against Indigenous recruitment and retention. The services are driving much reform, but a comprehensive data picture and an annual public report that canvasses what’s working well—that establishes clear process metrics, benchmarks and areas for attention, including in recruitment, retention, training and professional development—means that many work areas are without a clear guide or a definition of success beyond participation targets, so their efforts are unfocused and can be discordant.

Developing measures and public reporting, including on how senior leadership is achieving Indigenous targets within the workforce, will be an important step forward. It will cement Defence’s leadership role as an exemplar to other parts of government and the wider defence industry. It will also ensure that Indigenous employment is addressed as part of the renewed drive to optimise defence data, as outlined in the Defence Data Strategy 2021–2023.1

Setting up Indigenous employees for success within the One Defence team requires Defence personnel at all levels to have greater situational awareness of the grassroots reasons for Indigenous Australians joining, staying in, or leaving the organisation. Developing career pathways requires policy and procedures geared towards addressing the drivers and impediments to jobs and training in cities, regions and remote Australia for Indigenous men and women of different ages.

Addressing career pathways and enhancing retention require a mindset that anticipates employee issues—including cultural factors—and addresses them so that Indigenous Australians decide to join and stay. The cultural integrity framework for the APS, sponsored by Defence, will be an important part of that effort. The framework seeks to provide support for employees and leaders so that Indigenous personnel are invested in as a resource in Defence and in the Australian Government’s broader strategic thinking and so that their experience and insight are valued appropriately.

The ‘pathway’ metaphor is often deployed to describe Indigenous training and employment programs and equity and social inclusion initiatives.2 Pathways are rarely straight lines. Indigenous employment pathways aren’t just about entry points, but are also about systemic training and development opportunities within Defence and beyond into veterans’ employment. Defence will need to approach attraction broadly to reach school leavers and students in the VET and university sectors. Defence and other agencies will need to ensure that the growth of Indigenous opportunities is part of the government’s revised ‘industry cluster’ model for skills development.3

One bright spot is the Indigenous businesses sector, which is a growing source of employment, labour market information and training for young Indigenous people. Defence is a driver in that sector. In 2020–21, Defence outstripped its target of 676 contracts, awarding 6,476 contracts worth $610 million to Indigenous businesses.4 Although that was a doubling of contract value, from $300 million to $600 million in one year, a House of Representatives committee report tabled in August 2021 suggested various measures to increase the capability of the Indigenous business sector in order to push the sector further up the value chain. Since 2015, Defence has awarded $1.86 billion in contract value to more than 550 Indigenous businesses.

Problems in the Indigenous business sector, such as ‘blackcladding’ (creating a management structure that satisfies the ownership criteria for the Indigenous Procurement Policy but in which control of the enterprise can be vested in non-Indigenous managers), are not adequately addressed by current policy. Indigenous business operators have said that they feel discriminated against in procurement panel processes and that they have higher barriers to overcome. Although that view is also characteristic of many non-Indigenous small and medium-sized enterprises (SMEs), it risks undermining Defence’s current achievements.

The size of Defence’s procurement portfolio creates an expectation that it should take a leading role in procurement policy reform. Improved opportunities that reinforce the expansion and maturation of sovereign industrial capability through Indigenous businesses would be a step forward, given that Indigenous businesses have substantially better employment outcomes for Indigenous people than non-Indigenous businesses.5 However, that will be a real challenge, as the sector needs to mature in its training and finances to deliver to Defence. A veterans’ business procurement policy could strengthen relationships with Indigenous veterans.

Initiatives for Defence and other parts of government that tie together training, scholarships and pre-apprenticeship programs would provide a major lift to current efforts. Initiatives to build capability (business incubators, venture financing and ensuring that existing policy tools are being used effectively and opportunities for veterans’ businesses) would increase the ability of Indigenous businesses to deliver higher value contracts. There are risks in all those areas, so Defence’s activities will need to be communicated clearly to stakeholders and political decision-makers, and the linkage of those policies to Defence’s core purposes—delivering capabilities for the government to use to advance Australia’s security—must be clear.

This is a clear point of difference between the broader defence industry and the Defence organisation. Defence’s ambitions include a market-leading participation target, using procurement as a driver of an economic and social uplift, and a commitment to meet Closing the Gap targets. Defence can encourage industry to take up the challenge, given its stake in key areas such as cybersecurity. In the broader business environment, there’s patchy engagement with reconciliation processes (particularly the registration of reconciliation action plans with Reconciliation Australia) among major defence contractors, including those that provide recruitment advertising or provide technology. This is an area where Defence can influence overall change in the sector.

There will always be tension for Defence and government between targeting problems that are clearly visible (and for which data is available) and addressing blind spots. Labour market data on Indigenous Australia is notoriously unreliable, so government action can be misaligned. For example, an effort to improve the quality of labour force statistics by the Department of the Prime Minister and Cabinet’s Central Analytics Hub was shelved because of the Covid-19 pandemic, the bushfire season and data access problems. Defence can be a powerful advocate for improved federal and state data collection as a basis for policy and implementation in this area.

Visible data creates a bias towards taking action that seems relatively straightforward, but which in fact will require concerted efforts on multiple fronts and involve several government portfolios or work areas. For example, the Certificate IV in Cybersecurity qualification in the vocational sector is only four years old. The curriculum was developed by TAFE administrators and several technology and cybersecurity companies and overseen by the Victorian Registration and Qualification Authority, but with no Defence involvement.

A seemingly straightforward solution, such as directing recruitment efforts towards TAFE cybersecurity students, can be surprisingly complicated. Current data (from 2020) shows that 129 Indigenous students were studying for the Certificate IV in NSW, 55 in Queensland and 275 in Victoria.6 Twenty-four registered training organisations across the country are currently approved to deliver the course.7 However, the National Centre for Vocational Education Research public data isn’t disaggregated to the campus level, so exactly where those students are learning (including online) is difficult.

This is why relationship building comes up so often in discussions with those in Defence charged with attracting Indigenous candidates and with their counterparts in the education sector responsible for guiding students into careers. Relationships trump everything when data is ambiguous, and raw numbers (on, for example, completion rates) might not tell the full story of Indigenous perseverance. For example, Indigenous students are much more likely than non-Indigenous students to experience conflict between study and family commitments, including caring for children or other family members, which affects results.8

Defence hasn’t built strong enough relationships through frequent interactions with the VET and university sectors, including Indigenous Elders in universities and Indigenous pro-vice chancellors (some of whom are ADF veterans). Its signature cyber initiatives—the ADF Cyber Gap and Cyber Defence College—don’t have a visible Indigenous engagement strategy or a clear link to the Defence TAFE Employment Scheme. TAFE is a major trainer of Indigenous Australians.

Defence has set itself an ambitious goal in the Defence Reconciliation Action Plan 2019–2022: ‘fostering genuine relationships built on trust.’9 Trust is intangible, but high-trust organisations have lower costs and ensure social cohesion in the face of rising uncertainties.10 How Defence holds itself to account and builds long-term relationships with Indigenous Australians will be a key marker of its future success.

To build trust makes the task of Defence more ambiguous and success more difficult to assess in the short term. Box-ticking exercises will risk jeopardising Defence’s ambitions to be an employer of choice. Defence isn’t a social policy portfolio, but it does have obligations under wider government policies, particularly the National Agreement on Closing the Gap. The population growth of Indigenous Australia is shifting towards the southern capital cities and the more populous states and territories, which is something to keep in mind when allocating resources because of the potential to exacerbate existing inequalities in access.11

The harder task is to forge relationships with communities and address the impacts of Defence’s past policies with Indigenous people, as indicated in the Defence Reconciliation Action Plan. Aspects of this work are being done through the engagement activities of the Indigenous Liaison Officer network and through initiatives such as the appointment of Indigenous elders to military bases. But some foundational blocks are missing, such as an Indigenous youth engagement strategy and a digital service design attuned to the way Indigenous candidates access internet services, including for labour market information.12

Fostering genuine trust is necessary for Defence to truly represent the nation that it protects. There are opportunities to partner with Indigenous Australians, build capacity alongside them and prioritise their leadership so that the collection and use of data, strategies on staff training and development, and strategies on youth, veteran, business and community engagement are developed in genuine partnership.

Full Report

We warmly encourage you to download and read the full report, which can be found here.

Acknowledgements

ASPI ICPC would like to thank all of those who peer-reviewed drafts of this report, including Major General Marcus Thompson, Stephen Chey, Michael Shoebridge, Fergus Hanson, John Coyne, Miah Hammond-Errey and Anastasia Kepatas. We’re also grateful to individuals we consulted in government, industry and academia, including participants at a workshop with Indigenous members of the Australian Defence Force that helped to shape and focus this report.

This report was commissioned by the Australian Department of Defence Strategic Policy and Intelligence Group. The work of ASPI ICPC would not be possible without the support of our partners and sponsors in governments, industry and civil society.

Within this report, the term ‘Indigenous’ is used to refer both to Aboriginal people and to Torres Strait Islanders.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies and issues related to information and foreign interference and focuses on the impact those issues have on broader strategic policy. The centre has a growing mixture of expertise and skills, including teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity-building, satellite analysis, surveillance and China-related issues. The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The centre enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and the Indo-Pacific region, the ICPC has a capacity-building team that conducts workshops, training programs and large-scale exercises for the public and private sectors. We thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre, contact: icpc@aspi.org.au

Important Disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2022

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published April 2022.
Front and back cover images: ‘Silhouettes in the sky’, Marcus McGregor Cassady.

Funding

Funding for this report was provided by the Australian Department of Defence Strategic Policy and Intelligence Group.

  1. Department of Defence (DoD), Defence Data Strategy 2021–2023, Australian Government, 2021, online. ↩︎
  2. Jack Frawley, James A Smith, Andrew Gunstone, Ekaterina Pechenkina, Wendy Ludwig, Allison Stewart, ‘Indigenous VET to higher education pathways and transitions: a literature review’, ACCESS: Critical Explorations of Equity in Higher Education, 2017, 4(1), online. ↩︎
  3. Department of Education, Skills and Employment (DESE), ‘New industry engagement arrangements—Industry clusters’, Skills Reform, Australian Government, 2022, online. ↩︎
  4. Huon Curtis, Khwezi Nkwanyana, ‘Where to next for government policy on Indigenous procurement?’, The Strategist, 17 December 2021 ↩︎
  5. Boyd Hunter, ‘Indigenous employment and businesses: Whose business is it to employ Indigenous workers?’, Centre for Aboriginal Economic Policy Research (CAEPR), Australian National University, 2014. ↩︎

  6. ‘Table builder’, National Centre for Vocational Education Research (NCVER). ↩︎
  7. ‘Organisation / RTO search’, Training.gov.au, 2022. ↩︎
  8. K Hillman, The first year experience: the transition from secondary school to university and TAFE in Australia, Australian Council for Educational Research, Camberwell, 2005. ↩︎
  9. DoD, Defence Reconciliation Action Plan 2019–2022, Australian Government, August 2019. ↩︎
  10. A Green, G Janmaat, H Cheng, ‘Social cohesion: converging and diverging trends’, National Institute Economic Review, 2011, 215, R6-R22. doi:10.1177/0027950111401140; O Schilke, KS Cook, ‘A cross-level process theory of trust development in interorganizational relationships’, Strategic Organization, 2013, 11(3):281–303, doi:10.1177/1476127012472096; P Spoonley, P Gluckman, A Bardsley, T McIntosh, R Hunia, S Johal, R Poulton, He oranga hou: Social cohesion in a post-COVID world, Centre for Informed Futures, University of Auckland, 2020. ↩︎
  11. Australian Bureau of Statistics (ABS), ‘Estimates and projections: Aboriginal and Torres Strait Islander Australians’, Australian Government, 2019. ↩︎
  12. Defence has a youth engagement and development strategy but not one that’s specific to Indigenous youth. DoD, ‘The Defence Youth Engagement and Development Strategy’, Australian Government, no date. ↩︎

Artificial intelligence: Your questions answered

This collection of short papers developed by the Australian Institute for Machine Learning (AIML) at the University of Adelaide and the Australian Strategic Policy Institute (ASPI) offers a refreshing primer into the world of artificial intelligence and the opportunities and risks this technology presents to Australia.

AI’s potential role in enhancing Australia’s defence capabilities, strengthening alliances and deterring those who would seek to harm our interests was significantly enhanced as a result of the September 2021 announcement of the AUKUS partnership between the US, the UK and Australia. Perhaps not surprisingly, much public attention on AUKUS has focused on developing a plan ‘identifying the optimal pathway to deliver at least eight nuclear-powered submarines for Australia’.

This AIML/ASPI report is a great starting point for individuals looking to better understand the growing role of AI in our lives. I commend the authors and look forward to the amazing AI developments to come that will, we must all hope, reshape the world for a more peaceful, stable and prosperous future.

University of Adelaide, Australian Institute for Machine Learning - logo

.auCheck: A free website and email security check tool

Today, the Australian Strategic Policy Institute (ASPI), in collaboration with the .au Domain Administration (auDA), is launching .auCheck‘: a free tool that helps users check their website, email and internet connection for use of the latest and most secure internet standards.

Standards form the technical heart of the internet and are fundamental to the security, reliability and resilience of websites and email communication. As these standards develop over time, it is crucial to remain up-to-date.

Checking if a website and email are set up correctly can be quite difficult; that’s why .auCheck was created. Its aim is to empower users, in particular Australian small businesses, to ask the right questions and choose the right level of services from their providers, including adequate security settings.

.auCheck will enable users to have an informed discussion with their IT support, internet service provider, domain registrar, web hosting company or IT contractor to improve the security standards of their website, email or internet connection and facilitate the adoption of best practice internet standards.

Standards that are checked by the .auCheck tool include:

  • Encryption methods (to ensure the secure transfer of information over the Internet);
  • Ways to authenticate website and mail servers (to ensure internet users are dealing with genuine website and email accounts);
  • Security of domain names (to allow domain names to be verified);
  • Security of website applications (to prevent insertion of malicious code or unauthorised access);
  • Protection against phishing through email from fake accounts.

Following the test, .auCheck offers users advice on additional steps they can take to bring their website and email domains up-to-standard.

Fergus Hanson, Director of ASPI’s International Cyber Policy Centre, believes .auCheck will be a valuable practical contribution to the work Australian governments, industry and internet organisations are already doing to raise awareness of the need to be cyber secure.

We hope .auCheck will give Australian businesses practical advice to improve the security and reliability of their online presence. The tool also empowers every Australian to check for themselves the security of the websites they visit.

The idea for .auCheck came from discussions with international partners in the UK and the Netherlands who pioneered similar tools. We’re very grateful to the Dutch Internet Standards Platform and for the support of auDA which allowed us to develop .auCheck in a way that fits the Australian context.

auDA CEO Rosemary Sinclair AM said auDA was pleased to support the development of .auCheck, noting the tool will provide Australian small businesses and consumers with information to empower them, boosting their online confidence and uplifting security standards by working with their IT support professionals.

auDA research shows cyber security is the top concern among Australian internet users. However, many Australian internet users and small business owners are unsure where to find trusted information and advice on cyber security. The .auCheck tool provides a free, independent and plain language assessment of online security standards, and will help empower users to be more confident managing their cyber security.

Over time, the aggregated test results will deliver an understanding of the security standards being used by individuals, businesses and organisations in Australia.

You can access .auCheck here

Understanding Global Disinformation and Information Operations: Insights from ASPI’s new analytic website

ASPI’s International Cyber Policy Centre has launched the Understanding Global Disinformation and Information Operations website alongside this companion paper. The site provides a visual breakdown of the publically-available data from state-linked information operations on social media. ASPI’s Information Operations and Disinformation team has analysed each of the data sets in Twitter’s Information Operations archive to provide a longitudinal analysis of how each state’s willingness, capability and intent has evolved over time. Our analysis demonstrates that there is a proliferation of state actors willing to deploy information operations targeting their own domestic populations, as well as those of their adversaries. We find that Russia, Iran, Saudi Arabia, China and Venezuela are the most prolific perpetrators. By making these complex data sets available in accessible form ASPI is broadening meaningful engagement on the challenge of state actor information operations and disinformation campaigns for policymakers, civil society and the international research community

infoops.org.au

The UN norms of responsible state behaviour in cyberspace

Guidance on implementation for Member States of ASEAN

Foreword

Global digital growth is continuing to fundamentally transform the lives of people, businesses and institutions, bringing people out of poverty, increasing wider prosperity, welfare and enabling new ways for governments and citizens to engage with each other. It is also creating a more connected world and supporting globalisation with greater access to free markets, democratic systems, prosperity and innovation.

But as we become more reliant on cyberspace, malicious cyber activity has grown in intensity, complexity and severity over recent years, with rising incidents of cybercrime and hostile states targeting critical national infrastructure, democratic institutions, business and media. There is too much at risk to allow cyberspace to become a lawless world and we need to continue to work together to identify the rules of the road in how international law applies to state behaviour in cyberspace just as it does to activities in other domains.

The 11 norms, as part of the UN framework of responsible state behaviour in cyberspace, is a way to help develop those rules of the road and the UK, as part of our outreach, is committed to supporting partners across all continents be better able to both implement the norms but also be better empowered to join in the international debate in the UN.

This ASPI programme has provided an insight into meaningful measures being put in place across ASEAN to deliver the norms, showcasing the region as trailblazing good practice and policies. Sharing and communicating these is in itself a confidence building measure and the examples shared in this report will have an impact across the global debate.

The UK, as a responsible democratic cyber power is proud to have supported this report and we look forward to future activity in the ASEAN region and globally to help shape the future frontiers of an open and stable international order in cyberspace.

– Will Middleton, Foreign, Commonwealth and Development Office, UK

Advances in cyber and critical technology underpin our future prosperity but they also have the potential to harm national and economic security interests and undermine democratic values and principles. The countries that can harness the current wave of innovation while mitigating its risks will gain significant economic, political and security advantages and will be at the forefront of 21st century leadership.

As states increasingly exert power and influence in cyberspace, it is important that there are clear rules in place. In other words, cyberspace is not the Wild West, all countries have agreed that existing international law applies in cyberspace and all countries have endorsed UN norms of responsible state behaviour.

The Plan of Action to Implement the ASEAN Australia Strategic Partnership 2020–2024 details our joint commitment to an open, secure, stable, accessible and peaceful ICT environment. Australia will continue to work closely with our ASEAN partners to deepen understanding and implementation of longstanding agreements of international law and norms in cyberspace.

This report, produced by APSI in partnership with Australia’s Cyber and Critical Technology Cooperation Program and the UK Foreign, Commonwealth and Development Office, is the result of a multi-year cyber-capacity building program focused on supporting the effective implementation of UN norms throughout ASEAN.

These 11 norms lay the groundwork for collective expectations for state behaviour in cyberspace. They are the bedrock on which regional and bilateral agreements around state behaviour in cyberspace are built and create a mutually reinforcing set of agreements and expectations.

Australia is grateful for ASPI’s tireless work on this important cyber-capacity building project helping to kickstart the process of understand and actioning the norms and behaviours which are central to an open, free, safe and secure cyberspace.

– Dr Tobias Feakin, Ambassador for Cyber Affairs and Critical Technology, Australia

Introduction

This document is the result of a multi-year cyber capacity-building program by ASPI in partnership with the UK Foreign, Commonwealth and Development Office and the Australian Department of Foreign Affairs and Trade (Cyber and Critical Technology Cooperation Program). Through the project, the partners sought to support member states of the Association of Southeast Asian Nations (ASEAN) with the implementation of the United Nations (UN) norms of responsible state behaviour in cyberspace. The content of this publication is primarily based on experiences, inputs and outputs from activities run under this program.

What are norms?

Norms in international affairs are generally defined as ‘a collective expectation for the proper behaviour of actors with a given identity’.

Norms are norms for the following reasons:

  • They are widely shared and agreed among a large group of states; norms exist only because we all believe they exist and apply.
  • They exert a moral attractiveness for states to conform to norms; states prefer to be seen to endorse, follow and promote norms, and to be responsible members of the international community.
  • They assign specific duties and obligations, albeit non-legal, for specific actors; most norms in cyberspace are regulative in character at the national level, as they recommend that states prescribe, prohibit or permit certain activities.
  • They are dynamic; they develop as expectations and opinions in society about what’s responsible and acceptable change over time.
  • People, organisations and states will—from time to time—contest or violate norms; this doesn’t mean that a norm does not exist as long as the norm remains accepted by a large and influential enough community, and the violator is held to account.

Source: Based on Martha Finnemore, Cybersecurity and the concept of norms, Carnegie Endowment for International Peace, 30 November 2017, pp. 1–2.

The UN norms were first agreed by a UN group of governmental experts in 2015. The group’s report was subsequently endorsed by consensus at the UN General Assembly in 2015 through resolution 70/237. It called on all member states ‘to be guided in their use of ICTs’ by the 2015 report. The focus on the operationalisation and implementation of the UN norms was also front and centre in the 2019–2021 round of UN First Committee negotiations. The report of the OEWG recommended that states ‘further support the implementation and development of norms’. The 2021 UNGGE report offers an additional layer of understanding to help governments with their implementation.

In 2018, the ASEAN leaders expressed a commitment to operationalise the UN norms as a core element in ASEAN’s approach to promoting regional stability in cyberspace. That same year, the ASEAN ministers responsible for cybersecurity subscribed in principle to the norms. At the 2019 ASEAN Ministerial Conference on Cybersecurity, they agreed to establish a working committee to develop a framework for implementation.

Participants reaffirmed the importance of a rules-based cyberspace as an enabler of economic progress and betterment of living standards,and agreed in-principle that international law, voluntary and non-binding norms of State behaviour, and practical confidence building measures are essential for stability and predictability in cyberspace.

– Chairman’s statement of the third ASEAN Ministerial Conference on Cybersecurity, 2018.

In compiling this document, ASPI intends to contribute to the ongoing UN and ASEAN working groups, and offer participants region-specific perspectives based on real and observed examples of good practice. The information was gathered through various regional workshops and training activities that took place between 2019 and 2021, and supplemented with open-source research.

This document consists of two main parts:

  1. An explanation of the norms implementation process.
  2. Practical guidance on implementation with examples from the ASEAN region.

Each government is responsible for its own pathway to implementation and for informing other states of its efforts. Expectations of national and regional implementation will alter as states start to focus on local implementation and as understanding of the norms’ meaning grows.

This document should help kickstart that process of understanding and actioning. It should be considered a living document that supports a gradually maturing regional approach.

This document will help policymakers and state officials answer questions such as:

  • What examples can governments consider to demonstrate their efforts in implementing the UN norms?
  • How can a state demonstrate that it is implementing and following the UN norms of responsible state behaviour in cyberspace?
  • Where can a state find advice, assistance and support to advance further implementation efforts?

PART A – THE IMPLEMENTATION PROCESS EXPLAINED

Part A: the implementation process explained

In this first part of the document, the process for implementation of the UN cyber norms is explained. It starts with a clarification of the concept of international norms, how the cyber norms work and what practical steps make up an implementation effort. Examples of mechanisms and tools to demonstrate implementation efforts are also provided. At the end, we elaborate on the reasons why states would want to make an effort to implement the UN norms of responsible state behaviour in cyberspace.

Full text of the UN cyber norms

  1. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
  2. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
  3. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
  4. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
  5. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
  6. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
  7. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
  8. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
  9. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
  10. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICTdependent infrastructure;
  11. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

What are the UN norms of responsible state behaviour in cyberspace?

The UN norms of responsible state behaviour in cyberspace (Figure 1) are 11 voluntary and non-binding rules that describe what states should and should not be doing in cyberspace.

Figure 1: The UN norms of responsible state behaviour in cyberspace

The content of the 11 norms reflects the expectations that the broader international community has of each state and regional organisation.1 They express a common opinion of what is considered to be responsible behaviour by states. Naturally, this collective opinion of what is responsible and what is irresponsible behaviour develops over time as understanding of cybersecurity deepens, incidents occur, and more governments contribute to the process.

The purposes of the norms as reflected in UNGA Resolution 70/237 are to reduce risks to international peace and security, and to contribute to conflict prevention.2 They have been crafted to deal with state-to-state actions that could potentially carry the highest risks to international peace and security and the welfare of citizens.

Norms in international affairs are political agreements. They do not infringe on a state’s sovereignty or impose legal obligations on states.3 In fact, the norms provide a common basis for a state to design strategic direction, develop capabilities and execute actions in a responsible manner.

The UN norms process

International efforts to establish norms of responsible state behaviour in cyberspace concentrate around the work of two groups: the UNGGE and the OEWG.

The first UN group of governmental experts convened between 2004 and 2005, and a sixth round of negotiations concluded in 2021. Four rounds concluded with consensus reports, in 2010, 2013, 2015 and 2021. The OEWG was first established in 2019, and a second round has commenced in 2021 for a period of five years.

The UNGGE and OEWG are predominantly intergovernmental negotiation processes with—at times—opportunities for consultations with non-government organisations and civil society. Those consultations have, however, a non-official character.

The UN cyber groups

UN Group of Governmental Experts (UNGGE) on Developments in the Field of Information and Telecommunications in the Context of International Security

2004-05 ֍ 2009-10 ֍ 2012-2013 ֍ 2014-2015 ֍ 2016-17

UN Group of Governmental Experts (UNGGE) on Advancing responsible state behaviour in cyberspace in the context of international security

2019-21

UN Open-ended working group (UN OEWG) on developments in the field of information and telecommunications in the context of international security

2019-21 ֍ 2021-25

Member states of ASEAN have been participating in all the meetings of the UNGGE and the OEWG that have convened since 2004. Figure 5 shows ASEAN member states’ participation in the UNGGE and OEWG since 2004. Stars indicate a country’s membership of the UNGGE, and its active participation in the OEWG as determined by written submissions or oral statements.

Figure 5: ASEAN member states’ participation in UN norms processes 2004-2021.

Notes: * Although Brunei has not participated in the UNGGE or the OEWG, it did offer a national views document in 2017; it was the first ASEAN member state to do so. # Although Vietnam did not offer written submissions or made any statements, representatives formally attended OEWG meetings in New York.

In parallel to the UN-facilitated intergovernmental negotiation processes, various multistakeholder and other government-led initiatives have formed too. Examples include:

  • Cyber Tech Accord: a commitment of 150+ companies to work together and follow a set of principles that seeks to protect and empower users and customers
  • Paris Call for Trust and Security in Cyberspace: a multistakeholder commitment to work together to reduce risks to the stability of cyberspace and to build up confidence, capacity and trust
  • Agreement on Cooperation in the Field of ICTs: a proposal by the Shanghai Cooperation Organisation’s six member countries for an international code of conduct
  • World Wide Web Foundation Contract for the Web: an internet community-led initiative to advance principles of accessibility, affordability, availability and rights-based principles of respect for human rights and privacy for all in the operations of the internet.

What do norms do?

Norms typically codify existing state practice. The UN norms, as introduced in UNGA Resolution 70/237, set the standards of what the international community considers responsible on the basis of observed behaviour by state actors in the past and currently. With these agreed norms, activities and intentions of states can be subjected to assessments. States can be complimented on their response to an incident, or national practices can be heralded as global good practice. Also, states can be reprimanded if they haven’t done enough to prevent an incident, or if they have used cyber capabilities in an irresponsible manner.

In practice, governments will use international norms, such the UN norms of responsible state behaviour in cyberspace, in three ways:

  1. To serve as a point of reference to reassure other states of their good intentions and to demonstrate that they are constructive members of the international community.
  2. To serve as a point of reference to guide national cybersecurity policy and national cybersecurity investments.
  3. To serve as a point of reference to hold other actors responsible for behaviour that is not in line with the UN norms for responsible state behaviour.

Governments that embrace the UN norms and can report on their efforts contribute to predictability, trust and confidence in cyberspace.

How do norms work?

The implementation of internationally agreed political agreements is always challenging. As they have been crafted through an intergovernmental negotiation process, their language and terminology can be ambiguous. For that reason and in the absence of an overall blueprint, it is important that states find their own way and form their own view and approach to embracing the UN’s normative framework.

Figure 2: The four components that make up the UN framework of responsible state behaviour in cyberspace.

The 11 norms should be seen in their entirety and not as a ‘pick-and-choose’ menu. It is important that governments review their efforts in a comprehensive manner covering aspects that touch on issues of national (cyber)security, security of ICTs as well as on constructive inter-state relations.

Furthermore, governments need to keep in mind that the 11 norms are part of a broader framework that also includes the recognition that international law applies to state conduct in cyberspace, a set of confidence-building measures and a commitment to coordinated capacity building.4 Together, those four components make up the UN framework of responsible state behaviour in cyberspace (Figure 2).

In general, the more states show commitment to the norms and actively engage in their implementation, the more robust the norms become and the more compelling the call for compliance becomes.

What does the implementation of international norms involve?

States can demonstrate their implementation of international norms of behaviour in various ways (see figure 3). Typically, implementation occurs at three different levels: at the level of political endorsement, national laws and policies, and actions on the ground (Figure 3).

  1. First, political endorsement can be demonstrated, for example, through voting in favour of relevant resolutions at the UN General Assembly, by subscribing to ASEAN leaders’ statements and by (prime) ministerial statements.
  2. Second, states can integrate or internalise norms (explicitly or implicitly) in national legal frameworks, strategies and national policies.
  3. Third, a state can demonstrate implementation by referring to its government practices in the form of its institutional capabilities, doctrine and procedures, and actions. Those practices can offer de facto evidence of a state’s effort to follow norms of responsible behaviour, as they demonstrate an ability and willingness to act.

Implementation of international norms of responsible state behaviour

Figure 3: A framework for the implementation of norms.
Source: The author.

Responsibility for the implementation of the UN norms rests with governments. In practice, however, meaningful implementation will rely on individual governments’ ability and willingness to consult and collaborate with industry, civil society organisations, the internet technical community and academia, and on governments’ ability to ensure a whole-of-government approach.

Meaningful implementation requires the involvement of multiple stakeholders and a whole-of-government approach.

For the purpose of including views, expertise and capabilities of non-government stakeholders, mechanisms such as a national action plan or a national road map are proven methods that help build a national or whole-of-economy approach to cybersecurity.

A National Action Plan is an effective method to form an integrated approach to implementation.

What’s a trajectory for the implementation of norms?

Building a national approach to cybersecurity let alone the implementation of the UN norms is neither straightforward nor instant. Typically, stakeholders go through a step-by-step process of gradually increasing their understanding, maturity and comfort with the topic (see figure 4).

  1. A first step is to build awareness across the government of its international responsibilities. This could be achieved through a dedicated training program or awareness campaign on the UN norms.
  2. This should lay the foundation for a cross-governmental recognition that the government is committed to the UN’s normative approach and is willing to be guided by it in its national and international cybersecurity activities.
  3. What follows could be an assessment of where the country stands in its implementation efforts. Such a baseline assessment could be done by a third party or through a whole-of-government mapping process.

    Figure 4: A step-by-step process towards implementation.
  4. The outcome of the baseline assessment will inform the government of its strengths and areas for improvement.
  5. This could then lead to domestic investments in particular areas of cybersecurity, to requesting assistance from the global cyber capacity-building community, or to offers of expertise to others.
  6. At the end of these steps, one can presume a state to be implementing the UN norms commensurate with its own means and capabilities.

The implementation of norms is a dynamic process that evolves as a country’s maturity in cybersecurity grows over time. At the same time, it’s unlikely that any state will ever reach a state of ‘full implementation’, just as no state will ever be 100% cybersecure.

How can governments demonstrate implementation?

For the purpose of the UN norms (to reduce risks to international peace and security, and to contribute to conflict prevention), it is critical that states demonstrate what they’re doing and what they intend to do. Therefore, documenting and reporting are critical in implementation.

There are several ways for states to make their views, achievements and known capacity shortfalls known.

1. Reporting through the UN Secretary-General

On regular occasions, the UN Secretary-General invites member states to share their views and assessments (see figure 6). Governments can share their ‘general appreciation of the issues of information security; efforts taken at the national level to strengthen information security and promote international cooperation in this field; the content of concepts such as the application of international law; and possible measures that could be taken by the international community to strengthen information security at the global level’.

Figure 6: UN member states’ views and assessments

2. Submissions through UN working groups

As part of the ongoing OEWG process, member states are encouraged to provide written submissions or statements to the working group. The statements are shared by the UN Secretariat to other member states, the chair(s) and non-government stakeholders. States are also encouraged to participate in a UN-facilitated survey of their national efforts and experiences.

3. ASEAN Regional Forum

The ARF’s semi-annual Inter-Sessional Meeting on ICT Security offers participants an opportunity to exchange their views on the regional and global ICT landscape and their efforts and initiatives. For the ARF’s annual security outlook, member countries are asked to submit a contribution that includes a section for ‘cyber/ICT security’.

4. Recognition by third party/ies

A state can engage third-party organisations to perform an external assessment and prepare a report. This could be done through a capacity-building relationship, such as ASPI’s national norms implementation reports (see figure 7). ASEAN member states can also make use of their academic and think-tank organisations such as those represented in ASEAN–ISIS and the Council for Security Cooperation in the Asia Pacific (CSCAP).

Figure 7: ASPI national norms implementation reports

Why would states make an effort to implement the UN cyber norms?

There are a few reasons why states would make the effort to implement international norms, such as the UN norms of responsible state behaviour in cyberspace.

  1. Cyber resilience. By following the recommendations from the norms and through acts of implementation, States are effectively strengthening their national cybersecurity maturity. Therefore, implementation of the norms is directly contributing to a nation’s ability to protect against malicious cyber activity, reduce exposure to risks and vulnerabilities in ICTs, and respond to malicious ICT activity.
  2. International credibility. Most states want to be, and be seen as, responsible members of the international community. Showing demonstrable support for norms of responsible behaviour adds to a country’s international and regional credibility. Domestically, the implementation of international norms helps governments provide direction to their national cybersecurity policy and developments.
  3. Contribute to norm-setting. The effective demonstration of implementation allows states to shape the common opinion of what is and what is not considered responsible behaviour of states and ensure that international expectations align with the local and regional context.
  4. Reassurance, accountability and transparency. In a situation in which a large enough group of states can show demonstrable implementation of the UN norms, each within its own means and capabilities and within its national and regional context, a global environment is created in which states can be reassured of each other’s willingness and ability to prevent unnecessary tensions and unintended conflict. Altogether, this adds to the accountability and transparency of state activities in cyberspace.

PART B – PRACTICAL GUIDANCE ON IMPLEMENTATION, WITH EXAMPLES FROM THE ASEAN REGION

To read part B, please download the full report here.

ASPI’s Bart Hogeveen provides a brief overview of the project.

Acknowledgements

The author would like to acknowledge contributions by officials and participants working with the governments of Brunei Darussalam, Cambodia, Indonesia, Lao PDR, Malaysia, the Philippines, Singapore, Thailand and Vietnam.

Our particular appreciation goes to:

  • the Department of Foreign Affairs, Department of ICT, Office of the President and the National Security Council, the Philippines
  • the Ministry of Foreign Affairs and Badan Siber dan Sandi Negara, Indonesia
  • the Ministry of Information and Communications, Ministry of Foreign Affairs, and the Diplomatic Academy Vietnam, Vietnam
  • the National Cybersecurity Agency, Ministry of Foreign Affairs, and CyberSecurity Malaysia, Malaysia

In addition, the author is indebted to contributions from Dr Fitriani, Ms Farlina Said, Dr Moonyati Yetid, Mr Eugene Tan, Mr Ben Ang and the Global Forum on Cyber Expertise and support from the UK Foreign, Commonwealth and Development Office and the Australian Department of Foreign Affairs and Trade and their embassies and high commissions in Southeast Asia.

This publication is the output of a project funded by the UK Government and the Australian Government (Cyber and Critical Technology Cooperation Program). More information can be found at https://www.aspi.org.au/cybernorms. The views expressed in this work are not necessarily those of the UK or Australian governments or of the participating governments. The author is responsible for its content, any views expressed or mistakes.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies and issues related to information and foreign interference and focuses on the impacts those issues have on broader strategic policy. The centre has a growing mixture of expertise and skills and teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues. The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity-building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2022

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, micro-copying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publisher. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published February 2022.

Funding support for this publication was provided by the UK and Australian governments.

  1. UN General Assembly, Group of Government Experts on Developments in the field of ICTs in the context of international security, A/70/174, 22 July 2015, paragraph 10. ↩︎
  2. UN General Assembly, Group of Government Experts on Advancing responsible state behaviour in cyberspace in the context of international security, A/76/135, 14 July 2021, paragraph 15; UN General Assembly, Open-ended working group on developments in the field of ICTs in the context of international security, A/75/816, 18 March 2021, paragraph 24. ↩︎
  3. UN General Assembly, Group of Government Experts on Developments in the field of ICTs in the context of international security, A/70/174, 22 July 2015, paragraphs 26-28. ↩︎
  4. It is important to distinguish between ‘norms of responsible state behaviour’ (that is, the UN norms) and what are called ‘norms of international law’. In this document, the term ‘norms’ refers only to the former. ↩︎