The Hon Malcolm Turnbull – Speech at Australia-US Cyber Security Dialogue

Author: the Hon Malcolm Turnbull.
Washington DC. September 2016

No institution or infrastructure is more important to the future prosperity and freedom of our global community than the Internet.

It powers and punctuates our daily lives, supports our business transactions and joins our countries in what is truly a world wide web.

This is the modern world.

Yet, for all its ubiquity, it has—for the most part—remained free of government domination or control.

And this is how it should be.

A free and open internet supports our democratic rights of freedom—of speech, religious expression, political thought and choice.

However, governments cannot be completely hands off.

They have a clear role to play in cyberspace in the more traditional roles of a nation state: protecting citizens; advancing national interests; and encouraging neighbours into this exciting digital age.

Governments also have a role in helping secure the internet.

A secure internet is essential, not only in e-commerce, but also in maintaining the relationships that support our society.

Government leads on counter terrorism because these burdens can only be shouldered by nation-states.

Whereas a forward-thinking government knows it will always be intertwined with industry on cyber security.

That’s why we must work together—private sector and nation states—to secure the Internet. The challenges the Internet faces are greater than can be solved by any of us alone.

And this is what brings me here today.

To speak with you about how Australia and the United States can work to secure our cyber world.

I’d like to thank Toby Feakin from the Australian Strategic Policy Institute and Jim Lewis from the US Centre for Strategic and International Studies for jointly hosting this first 1.5 Track Cyber Security Dialogue.

I welcome academia and industry to this dialogue. For all my enthusiasm for government’s responsibilities in cyberspace, good cyber policy requires the cooperation and creativity of academia and industry.  

Indeed, government needs to be challenged by academia and industry.

The nature of global telecommunications infrastructure is such that cyber incidents inescapably engage the private sector.

The person on the front lines of a cyber incident is almost certainly a systems administrator in a private enterprise or a government department.

The intersection of IT security and national security means that we find ourselves aligned with a dual common purpose—to avoid the perils of cyber threats, and to realise the benefits of cyberspace.

When I launched Australia’s Cyber Security Strategy in April this year, I said that Australia will be more open about future compromises of government systems. 

While breaches damage reputations, in the long term only transparency can grow trust. K-mart Australia actively disclosed a data breach late last year, and that transparency helped insulate it from more serious economic loss. Government also intends to lead by example by initiating frank conversations about our success and also about failures.

Which is, of course, why this Dialogue has been termed ‘1.5’—that space between formal, ‘one track’ diplomatic interaction between nations and the more open ‘two track’ engagement. We want to be transparent, we want to cooperate and we want to be invigorated by the new ways of thinking and faster ways of achieving that the private sector and academia have to offer.

That thinking and doing is how we can change the cyber-world and set the future course for our societies.

And we are here today to ask for your help to achieve this.

The deal that I’m offering through Australia’s diplomacy is one of standing firm.

Australia is committed to standing firm on the values of an open and free internet.

We will champion a cyberspace in which state actors, businesses and individuals abide by international law and behave in accordance with agreed norms – because existing rules of behaviour should extend into the cyber world.[1]

This isn’t mere rhetoric.

I have committed Australia to promote the emerging norms of State behaviour in cyberspace—unilaterally with allies and partners and multilaterally through the United Nations, the G20 and elsewhere.[2]

In April this year, I announced for the first time that Australia possesses an offensive cyber capability.  A capacity to respond to state and non-state actors who attack us.  This option of offensive cyber response takes its place alongside options such as: diplomacy; law enforcement action; and sanctions amongst others.

Now, as governments, we don’t talk much about what this offensive capacity can do, nor how it can be carried out.  Much as we acknowledge we have warships, and submarines and fighter jets, we don’t detail the specific technical capabilities of each.  Merely acknowledging their existence forms part of our national deterrence.

In the short-term and in the absence of well-developed understandings about how to behave there is a risk that unexplained cyber incidents could escalate into conflict between states.[3]

That’s why Australia is supporting an emerging regional framework to raise awareness and reduce risks.

Jointly, with the United States, we are mapping our cyber incident response structures and mechanisms so that we can cooperate in the event of an incident affecting both our nations.

Online, incident response goes hand-in-hand with incident preparedness and with real world analysis of threats.

Our societies are increasingly reliant on faster telecommunications, secure data centres, satellite capability, and smart electricity networks.

That’s why fostering trust in infrastructure must be taken seriously.

Australia and the US have always been very clear that damaging critical infrastructure is unacceptable.  And we have maintained a strong line that cyber espionage for the purposes of commercial advantage is also unacceptable.

As well as countering any state-sponsored malicious cyber activity, we are working to ameliorate the damage caused by cyber-criminals.

Denial of service, hacking, phishing and malware, are disruptive to our economies, our social interactions, and—through their unwavering persistence—our sense of security.

This undermining of our online confidence means we are not fully leveraging the digital economy. 

So transparency, ‘norms promotion’ and maintaining a national capacity to counter cyber threats must be part of governments’ contribution to ensuring Australia and the US are secure and dynamic locations for business diversification and investment.

There is no point, however, simply being a digital stronghold in a network of insecurity.

Which is why countries like the US and Australia have both a moral obligation and clear economic benefit to engage in regional capacity building.

Consider Australia’s location in the Asia-Pacific and the forays into the online world that are being made on our doorstep.

New undersea cables have seen connectivity for our Pacific trading partners increase exponentially over the last decade. Their increase in connectivity has coincided with a doubling of mobile phone coverage and dramatically falling internet and phone prices—placing that connectivity in the hands of millions more people. 

It’s an exciting economic prospect for our region.

However, the Asia-Pacific region is also the most heavily affected by cybercrime—losing one third more business revenue to cybercrime than either the EU or North America.[4]

So, as well as being true to our view of ourselves as part of Asia, and a partner in the Pacific, Australia has an economic imperative to build regional capacity and to smooth the way for private sector involvement in self-sustaining economies.

It’s in our best interests.

It’s also in our best interests to be a good global citizen and to promote an open and secure internet.

Every ideology and every philosophy in every language is represented online.

I said at the launch of Australia’s National Cyber Security strategy that the ‘internet has changed the world, has changed history and it has changed us’.

In addition to that, it has also changed how we communicate what we believe, and some suggest it is changing how we think and engage in conversation.[5]

If we truly believe, as I am sure everyone in this room does, in the merits of western liberal ideals, then we must prosecute our ideals online.

On the multi-faceted internet battlefield we are engaged in memetic warfare; a competition over the narrative and ideas that define our lives.[6]

It is because we abhor violence, racism and sexism, that we must promote conversations that are as inclusive and as unbounded as possible and not prohibit discussion. Violence begins where conversations end, so inclusive conversations and embracing an open Internet that fosters positive ideas are how we keep our societies safe.

We must, of course, be open minded enough to listen to evidence and logic and change our positions when we are on the wrong side of truth, but my central contention is that better ideas will win those conversations.[7]

Government and business must focus on the positive, because thinking about cyber only as a threat vector is missing the big picture.

Cyber is a catalyst for innovation and growth.

The cyber security sector could grow at faster than 10 per cent each year for at least the next 5 years—far exceeding expectations of the economy generally.[8]

My objective is for Australia to become even better placed to use home-grown cyber security expertise to solve challenges and develop new business opportunities of global significance.

Already Australia has announced an industry-led Cyber Security Growth Centre, based in Sydney. It will build on our expertise, promote greater collaboration and support our local cyber businesses to expand, to commercialise IP and to export innovative product.

I am here today to invite you and your expertise into the cyber-security frameworks of both our nations.

I want this dialogue to be more than just an annual gathering – I want it to be active and I ask three things of government, industry and academia between this dialogue and the next:

First, and most immediate, what early achievements are possible between now and the next dialogue?

Second, in the short to medium term, what barriers can government continue to remove, either through deregulation or positive action?

And third, articulate robust, long-term and innovative goals in cyber security we can agree at the next dialogue and then pursue with tenacity.

To commence the thinking on early gains and enabling real progress between this Dialogue and next, we must convince leaders, at Board and government levels, that cyber is one of their essential functions. That means people must be cyber ambassadors and carry that message.[9]

Many companies have Chief Technology Officers and Chief Information Security Officers. Both have the dual skills of technical-knowledge and business-acumen. As the business leaders in this room know, Chief Technology Officers drive the successful execution of the company’s strategy through technological innovation. Chief Information Security Officers quantify risk and ensure that their CTO’s urge to innovate is tempered by appropriate prudence.  

The most obvious reason to value the role of CISOs in board-level decision making is the risk of cyber threat to your budget bottom line. As we are all acutely aware, a cyber-attack or data leak from even a mundane business system—like e-mail—can have a dramatic impact on an enterprise.

In fact, it’s probably now more important that rather than CISOs we properly recognise the convergence of online and offline threats and consider the more appropriate title as being “Chief Security Officer”.

We can all name companies that have lost more than 10 per cent of their value overnight from a single cyber incident. 

Listening to the risk mitigation advice of your security staff is therefore good business. But it is better business to also think broadly about the benefits of information security. Security staff could use their skills to contribute new business models that take a company into new products and markets. On that basis, we should unleash security staff to focus on both sides of the risk-coin and to increase the value they add to their organisations.

Increasing the capacity for security staff to engage in conversations with senior decision makers is absolutely critical when it comes to responding to a cyber incident.

Many enterprises can effectively analyse attacks, build timelines of events, track data loss and restore systems, but without ongoing good communication and a working knowledge of the cyber space, your capacity to respond is hampered.

In one study 80 per cent of organisations say they don’t frequently communicate with executive management about potential cyber-attacks against their organisations.[11]

If a prudent decision is being made to keep a critical business system offline while a threat is properly diagnosed and addressed, how do security staff convince the final decision maker?

CEOs and boards want succinct information, which is not always easy when presented with IT security data. Undoubtedly, the IT security function needs to work on how it explains risks to management, but it is also incumbent on management to be well-versed in cyber security language and the realities of responding.

At the heart of any successful board-level incident response will be a lexicon.

How can consistent messaging travel from IT security to customers and the public when the IT professionals speak a different language and when the next spokespeople in the chain—the CEO, the board and the reporting media—can’t necessarily speak the languages of IT?

Improvements to cyber incident response are on our minds in Australia, thanks to a denial of service incident on our national census night.

Although it was nationally significant, it was technically predictable and not a unique situation for business and governments to be in. However, we struggled with the laden meaning of the word ‘attack’.

‘Distributed denial of service attack’ is language that has begun to permeate the public consciousness. However, if a nation state says that it has come under attack, the meaning, and therefore the act itself, is weighted with tremendous significance.

We need to be able to communicate an accurate level of significance.

We need to know collectively that a denial of service is equivalent to having a bus parked in your driveway so you can’t get your car out; that hacked data means someone broke into the garage and took the car; and that the solutions to these two things are very different.

Widely understood language in other fields has been hard fought for and won. If we hear of an air disaster involving a cabin fire or an engine fire on an aircraft, we understand the difference between, and different implications of those two scenarios. 

The general public also knows that a black box—that great Australian invention[12]—is important to aircraft investigation but that finding it can be difficult and takes time. If an air safety authority says that an investigation is focusing on locating the black box because it will yield vital clues about the aircraft’s final moments, the public accepts that.

The conversation about cyber incidents has not reached anything like that level of maturity. Those outside the cyber security world don’t readily understand the relative impact of different incidents, typical investigation timeframes, or likely response options—such as shutting down a site while investigating unusual traffic patterns.

On that basis, I call on academics to turn their minds to the problem of cyber lexicon. How can we communicate clearly with each other? How do we normalise cyber discussions so that they are held in the context of all threats, risks and opportunities?  I also ask the media present to involve itself in that conversation and to take care to understand what is being said by governments and businesses.   

Before I close, I’d like to talk briefly about fairness in relation to cyber security and how large companies can help themselves by helping others.

For each large enterprise, there are many small businesses putting a toe in the water of the online world. They are connected to you as suppliers, distributors and contractors.

Many are far less secure, far less savvy, far less resourced than governments and big business.

To widen the web of safety, the Australian Government is providing support for some 5000 of our small businesses to have their cyber security tested by certified practitioners.

Businesses, and indeed universities, can further widen the net by engaging with their own supply and distribution chains and with their social good programs.

The volunteer organisations that you support are human-based, not tech-based.

Some—like those assisting women who are victims of domestic violence—hold incredibly sensitive personal information and are acutely aware of the physical safety of those they are protecting.[13]

These organisations know their moral, and often legal, obligation to maintain personal information safely but, most likely, they are neither resourced nor skilled to be active, let alone, innovative online.

You would help secure the veracity of the Internet, if each of the organisations here with an established CISO were to seek out a small or not-for-profit enterprise with which to share their knowledge.

By doing so, you will embody the social and national values of our nations.

In Australia and the US we are building cyber-smart nations through investment in education, centres of excellence and dialogues like this one. We are working to keep the net safe for our citizens and their businesses, to protect the infrastructure on which we all rely and to elevate the safe use of cyberspace in our trading partners.

Government, by necessity, has asked and will ask a lot from business to ensure cyber security, but it is because you have the imagination and the people, to create the confidence we are committed to building.

We are living in a world that needs the sort of dialogue and action that comes from working together in the 1.5 track diplomacy space.

This digital century is a time of remarkable opportunity.

Our response to those opportunities, and to the threat of people using it criminally and maliciously, will come to define the future course of our societies.

Thank you – and I urge you to use this Dialogue to guide the web we all comprise towards both ambitious and innovative ideas as well as practical solutions to secure the economic and social futures of both our countries.

I look forward to seeing you in Australia next year.

________________________________________

[1] Taken from the launch of the National Cyber Security Strategy

[2] Taken from the launch of the National Cyber Security Strategy

[3] Taken from the launch of the National Cyber Security Strategy

[4] $81b/$61b*100=132.8%

http://www.grantthornton.global/en/insights/articles/cyber-attacks-cost-global-business-over-$300bn-a-year/

[5] https://www.edge.org/responses/how-is-the-internet-changing-the-way-you-think

[6] https://www.democracyendowment.eu/we-support/institute-of-post-information-society/what-is-memetic-warfare-and-how-it-threats-democratic-values/

[7] From Cyber Security Strategy launch

[8] http://cybersecurityventures.com/cybersecurity-market-report/

[9] https://assets.kpmg.com/content/dam/kpmg/pdf/2016/06/Cyber-in-the-boardroom-3.pdf

[10] Prime Minister’s speech to IPAA in April 2016.

[11] http://www.securityweek.com/security-incident-response-teams-getting-short-end-budget-stick

http://www.securityweek.com/technical-management-challenges-facing-incident-response

[12] http://www.dst.defence.gov.au/innovation/black-box-flight-recorder/david-warren-inventor-black-box-flight-recorder

[13] https://securityintelligence.com/media/podcast-intersection-cybersecurity-victims-violence/