Tag Archive for: Cyber

State-sponsored economic cyber-espionage for commercial purposes: Governmental practices in protecting IP-intensive industries

Introduction

This report looks at measures that governments in various parts of the world have taken to defend their economic ‘crown jewels’ and other critical knowledge-intensive industries from cyber threats. It should serve as inspiration for other governments, including from those economies studied in State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to defend against cyber-enabled IP theft. Despite accounting for the bulk of GDP growth, innovation and future employment, such intellectual property (IP)-intensive industries aren’t held to the same levels of protection and security scrutiny as government agencies or providers of critical infrastructure and critical information infrastructure (Figure 1).

Figure 1: Various layers of cybersecurity protection regimes

Source: Developed by the authors.

Since 2022, an increasing number of governments have introduced new policies, legislation, regulations and standards to deal with the threat to their economies from cyber-enabled IP theft. Most prominently, in October 2023, the heads of the major security and intelligence agencies of Australia, Canada, New Zealand, the UK and the US (also known as the ‘Five Eyes’) appeared together in public for the first time, in front of a Silicon Valley audience, and called out China as an ‘unprecedented threat’ to innovation across the world.1 That was followed up in October 2024 with a public campaign called ‘Secure Innovation’.

There is, however, variation in how governments frame their responses. Countries such as the UK and Australia take a national-security approach with policy instruments that seek to monitor the flow of knowledge and innovation to and from specific countries (primarily China). Other countries, such as Malaysia and Finland, take a due-diligence risk approach with a focus on awareness building and providing incentives to organisations to do their due-diligence checks before engaging with foreign entities. Countries such as Japan and Singapore, by contrast, take an economic-security approach in which they focus on engaging and empowering at-risk industries proactively.

This report is the third in a compendium of three. The first report, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, published in 2022, looked at the scale, scope and impact of state-sponsored cyber-espionage campaigns aimed at extracting trade secrets and sensitive business information. The second report, State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft, looks at the extent to which agreed norms effectively constrain states from conducting economic cyber-espionage and also examines the varying levels of vulnerability experienced by selected major emerging economies.

This third report complements those diagnoses by offering policymakers an action perspective based on good practices observed across the world. Various practices and examples have been selected, drawing from a multi-year capacity-building effort that included engagements in Southeast Asia, South Asia and Latin America and consultations with authorities in developed economies such as the US, Australia, Japan, Singapore and the Netherlands. Many of the practices covered in this report were presented at the Track 1 Dialogue on Good Governmental Practices that ASPI hosted during Singapore International Cyber Week 2023.

International guardrails

The issue of economic cyber-espionage2 is inherently international. It’s an issue caused by malicious or negligent behaviour of other states. Accordingly, international law and norms are as critical as domestic responses in countering the threat posed. This section offers a review of the most relevant international initiatives that touch on the governance of cyberspace and the protection of IP.

Through the UN First Committee process, states have introduced a set of voluntary and non-binding norms (Figure 2). That has included the following provisions:

  • States should not knowingly allow their territory to be used for internationally wrongful acts; that is, activities that constitute (serious) breaches of international obligations, inflict serious harm on another state or jeopardise international peace and security.
  • States should not conduct or support cyber activities that damage critical infrastructure or impair the operation of critical infrastructure that provides services to the public.
  • States should offer assistance upon request and respond to requests to mitigate ongoing cyber incidents if those incidents affect the functioning of critical infrastructure.

Figure 2: UN norms of responsible state behaviour in cyberspace


The G20 norm complements the work of the UN First Committee, providing that:

  • States should not engage in cyber-espionage activities for the purpose of providing domestic industry with illegitimately obtained commercially valuable information.

The extent to which states accept that economic cyber-espionage without commercial intent is an acceptable tool of statecraft remains a live debate. In 2017, the authors of the Tallin Manual 2.0 asserted that although ‘peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so’.3 Other states, however, such as the members of MERCOSUR (the trade bloc comprising Argentina, Brazil, Paraguay, Uruguay and Venezuela [currently suspended]) and China hold the view that ‘[n]o State shall engage in ICT-enabled espionage or damages against other States’.4 Austria recently (2024) added to this debate, arguing that ‘cyber espionage activities, including industrial cyber espionage against corporations, within a state’s territory may also violate that state’s sovereignty.’5

The Budapest Convention on Cybercrime and the new UN Cybercrime Convention don’t address the theft of IP or offer mechanisms to deal with state-sponsored cyber activities.6 Both frameworks merely offer mechanisms for the harmonisation of legal regimes to enable states to collaborate on investigations and prosecutions of cyber-related crimes.

The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), administered by the World Trade Organization (WTO), sets minimum standards for IP protection. Article 39 provides perpetual trade-secret protection, provided that the secret is not ‘generally known or readily accessible’ to the general public, has ‘commercial value because it is a secret’, and the owner has taken reasonable precautions to protect the secret.77 However, TRIPS doesn’t take into account any cyber-related threats to IP protection; nor does it provide dispute-settlement mechanisms to address state-sponsored or state-supported acts of theft.

Finally, there are international agreements that regulate certain technology transfers. For instance, the Wassenaar Arrangement—a voluntary export-control regime established to promote responsible transfers of conventional arms and dual-use technologies and goods—offers a list of technologies that are considered sensitive and ought to be subject of additional layers of review before being approved for export. While it doesn’t address cyber-enabled IP theft, it does regulate the trade in technologies that could facilitate such theft, such as intrusion software and surveillance tools.

However, despite the serious impact of IP theft, there’s a clear gap in current international law and norms that would otherwise offer national governments guardrails for introducing measures that would help states to prevent, deter, detect and recover from economic cyber-espionage. Therefore, the onus for protection presently lies on national governments taking ownership and responsibility within their own borders.

References

  1. Zeba Siddiqui, ‘Five Eyes intelligence chiefs warn on China’s “theft” of intellectual property’, Reuters, 19 October 2023, online.
    ↩︎

  2. ‘Economic cyber-espionage’ is the unauthorised collection of commercially valuable assets, through compromises of digital systems and communication channels, by one state against another or by one state against a private entity. ‘Industrial or commercial cyber-espionage’ is the unauthorised collection of commercially valuable assets, through compromises of digital systems and communication channels, by one private entity against another private entity. ↩︎
  3. Michael N Schmitt, Tallinn manual 2.0 on the international law applicable to cyber operations, 2nd edition, Cambridge University Press, 2017.
    ↩︎
  4. On China, see “China’s views on the application of the principle of sovereignty in cyberspace,” United Nations, online; on Mercosur, see “Decision rejecting the acts of espionage conducted by the United States in the countries of the region,” United Nations, 22 July 2013, online.
    ↩︎
  5. Przemysław Roguski, “Austria’s Progressive Stance on Cyber Operations and International Law,” Just Security, 25 June 2024, online.
    ↩︎
  6. See, for instance, Brenda I Rowe, ‘Transnational state-sponsored cyber economic espionage: a legal quagmire’, Security Journal, 13 September 2019, 33:63–82.
    ↩︎
  7. ‘Article 39 of the Agreement on Trade-Related Aspects of Intellectual Property Rights’, World Trade Organization, online.
    ↩︎

State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to defend against cyber-enabled IP theft

Introduction

Strategic competition is deepening existing tensions and mistrust between states and prompts nations to develop capabilities that they consider central to sovereign national power. Technological capabilities sit at the centre of this. It’s therefore not surprising that governments around the world are seeking technological advantage over their competitors and potential adversaries. In this context, safeguarding intellectual property (IP) has become necessary not just because it’s an essential asset for any modern economy—developed or emerging—but because it’s also increasingly underwriting national and regional security.

Today, middle-income countries1 ‘World Bank country and lending groups’, World Bank, 2024, online. that are seeking to progress in the global value chain are home to vibrant knowledge-intensive sectors. Some of the world’s largest science and technology clusters are located in São Paulo and Bengaluru, for example.2 Other exemplars include the biochemical industry in India, information and communication technology (ICT) firms in Malaysia and petroleum processors in Brazil. In fact, countries such as Brazil, India, Indonesia, Mexico and Vietnam have emerged as increasingly major producers of knowledge and innovation.3

Perhaps reflecting that changing reality, it’s middle-income countries that are confronted by increasing attempts to deprive them of their economic crown jewels. In our report State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, ASPI estimated that the number of state-sponsored cyber incidents affecting private entities in Southeast Asia, South Asia, Latin America and the Middle East increased from 40% in 2014 to nearly 60% in 2020.4 To be clear: economic espionage isn’t new. But it’s the growing scale and intensification of economic cyber-espionage for commercial purposes—and as an integrated tool of statecraft—that is a cause for concern.

The promise of 2015

In September 2015, a bilateral summit between Chinese President Xi Jinping and then US President Barack Obama laid the foundation for an international norm against cyber-enabled theft of IP for commercial gain. The joint communique produced at the end of the summit highlighted that China and the US had reached an understanding not to ‘conduct or knowingly support cyber-enabled theft of IP, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors’. This—critically—recognised a distinction between hacking for commercial purposes and hacking for national-security purposes. Building on that apparent progress, the 2015 G20 Antalya leaders’ communique on ICT-enabled theft of IP established bounds for responsible state behaviour in cyberspace—what was described at the time as a landmark moment.

However, the promise of that seemingly historic moment has not been realised since. Rather than seeing this practice stop, cyber-enabled theft of IP quadrupled between 2015 and 2023. Higher barriers to market access across China, the US and Europe—the result of tit-for-tat behaviour seeking to bolster local technological capabilities, reduce dependence on high-risk vendors, achieve greater strategic autonomy and/or counter unfair advantage—have combined to incentivise irresponsible behaviour by malign states.

China’s and the US’s adherence was always going to be critical to the continued strength and legitimacy of any international norm against cyber-enabled economic espionage. However, bilateral relations between Beijing and Washington devolved in the period after 2015. During the first Trump administration, the US drew a clearer connection between economic and national security. That included explicitly calling out in 2020 China’s theft of American technology, IP and research as a threat to the safety, security and economy of the US. The Trump administration also established the China Initiative, which investigated and prosecuted perceived Chinese spies in American research and industry. While the Biden administration closed the China Initiative, it has continued efforts to protect American IP. That includes through the passing of the Protecting American Intellectual Property Act of 2022, which empowers the US President to sanction entities seen to benefit from or sponsor trade-secret theft.5

For its part, China may never have intended to uphold its commitment to the norm over the long term. China may have endorsed a commitment against economic cyber-espionage as a strategic move to accelerate domestic initiatives, such as rooting out corruption in the People’s Liberation Army and refining Chinese hacking methods to be more sophisticated and less conspicuous.6 Alternatively, the lack of a clearly articulated distinction between hacking for competitive advantage and hacking for national-security purposes under Obama and Xi’s agreement may have contributed to the current situation. In any case, the threat of economic cyber-espionage continues to spiral rapidly, increasingly affecting emerging economies as well.

Emerging economies in the Global South, including members of the G20, have been the most vulnerable to that backsliding. India, Vietnam and Brazil have become important and impactful IP-producers, but their means to protect that innovation have lagged—unfortunately creating an expanded attack surface without the commensurate resilience. Still coming to terms with the scope and nature of the threat, they and other similar governments have so far introduced higher-end requirements and support arrangements for their own systems, and for operators of critical infrastructure and critical information infrastructure. However, most other industries—even when they’re substantial contributors to national GDP, high-value IP holders and the enablers for economic advancement—have been left out.

Building capacity to defend against cyber-enabled theft of IP

This report is a first-ever analytical exercise that examines the vulnerability of emerging economies in the face of economic cyber-espionage. It’s a culmination of two years of research and stakeholder engagement across the Indo-Pacific and Latin America. The focus has been on investigating perspectives on the threat of economic cyber-espionage and the degree to which major emerging economies are prepared to respond. The first of the three reports in the compendium—published in late 2022—examined state practices of cyber-enabled theft of IP. It found that, since 2015, the number of reported cases of economic cyber-espionage had tripled. Further, it found that the scale and severity of incidents had grown proportionally with the use of cyber technology as a tool of statecraft for securing economic and strategic objectives.

This specific report is the second in the compendium of three. It considers Chinese and US perspectives in the first instance—recognising their criticality to the effectiveness of any international norm. It goes on to assess the level of vulnerability across Argentina, Brazil, Colombia, India, Indonesia, Malaysia, Mexico, Peru, the Philippines, Thailand and Vietnam. This is because it’s those economies in South Asia, Southeast Asia and Latin America that are experiencing some of the world’s most rapid knowledge and innovation production. Each country has been assessed and given a risk label indicating its vulnerability based on a diagnostic tool developed by ASPI.

The third of the three reports in the compendium goes beyond analysing the problem. Through a mapping of responses, it identifies and presents a capture of best practice. The purpose is to support vulnerable states in defending their economic ‘crown jewels’—that is, critical knowledge-intensive industries. It offers a capacity-building checklist intended to help policymakers make sense of the cyber-threat landscape and respond to protect private entities from economic cyber-espionage.

References

  1. ‘World Bank country and lending groups’, World Bank, 2024, online. ↩︎
  2. ‘Science and technology cluster ranking 2023’, World Intellectual Property Organization (WIPO), online.
    ↩︎
  3. ‘2023 Global Innovation Index’, WIPO, online.
    ↩︎
  4. Gatra Priyandita, Bart Hogeveen, Ben Stevens, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to
    prosperity, ASPI, Canberra, 2022, online. ↩︎

  5. ‘Protecting American Intellectual Property Act of 2022’, US Congress, online. ↩︎
  6. Jack Goldsmith, ‘US attribution of China’s cyber-theft aids Xi’s centralization and anti-corruption efforts’, Lawfare, 21 June 2016, online. ↩︎

State-Sponsored Economic Cyber-Espionage for Commercial Purposes

The Australian Strategic Policy Institute (ASPI) has launched the world’s first capacity-building initiative dedicated to raising awareness about the threat of economic cyber-espionage in key emerging economies across the Indo-Pacific and Latin America.

Through a series of research reports, case studies, and learning materials, this initiative highlights how economic cyber-espionage is not just a concern for advanced economies—it is a growing risk for emerging economies like India, Brazil, and Indonesia, which are rapidly digitizing their industries.

What is Economic Cyber-Espionage?

Economic cyber-espionage refers to the state-sponsored theft of intellectual property (IP) via cyber means for commercial gain. As nations undergo digital transformation, securing knowledge-based industries is critical for economic security. However, many countries—especially those with lower cybersecurity maturity—are increasingly vulnerable to cyber-enabled IP theft.

In the modern economy, local businesses that trade internationally, critical national industries, and start-ups as well as universities, research and development organisations and public services rely on secure data, digital communications and ICT-enabled systems and applications.

But trust and confidence in the digital economy is threatened by the practice of some states that deploy offensive cyber capabilities against industries, organisations and individuals in other states. Those who operate in environments with lower levels of cybersecurity maturity are particularly vulnerable to fall victim to cyber-enabled theft of intellectual property.

Project Activities and Findings

This project has included a series of workshops and engagements in India, Southeast Asia, and Latin America, bringing together officials and experts to discuss cyber threats that endanger national economies and innovation sectors.

For this project, ASPI has also published three reports, which can be downloaded on the right.

  1. State-sponsored economic cyber-espionage for commercial purposes: Tackling an invisible but persistent risk to prosperity (2022): Highlights how state-sponsored cyber-espionage has intensified, with more targeted industries and universities now based in emerging economies
  2. State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft: Evaluates the readiness of 11 emerging economies—including Argentina, Brazil, India, Indonesia, Malaysia, Mexico, the Philippines, Thailand, and Vietnam—to counteract cyber-enabled IP theft.
  3. State-sponsored economic cyber-espionage for commercial purposes: Governmental practices in protecting IP-Intensive industries: Reviews how governments around the world are responding to the threat of economic cyber-espionage and considers how states are employing, among others, legislative, defensive, and reactive measures.

On 15 November 2022, ASPI also issued a Briefing Note recommending that the G20 members recognise that state-sponsored ICT-enabled theft of IP remains a key concern for international cooperation and encouraging them to reaffirm their commitment made in 2015 to refrain from economic cyber-espionage for commercial purposes.

Videos and Podcasts

Explore the videos and podcasts we have produced to help you make sense of economic cyber-espionage.

Project Team

This team is led by CTS Deputy Director Bart Hogeveen and CTS senior analyst Dr. Gatra Priyandita. We thank the support and contributions of other serving and former ASPI staff, including Urmika Deb, Dr. Ben Stevens, Dr. Teesta Prakash, and Shivangi Seth. This project involved input from researchers from across the world, including those in South Asia, Southeast Asia, and Latin America. We thank them for their contributions.

Australia and South Korea: Leveraging the strategic potential of cooperation in critical technologies

Executive summary

Cooperation between Australia and the Republic of Korea (hereafter South Korea or the ROK) in a range of critical technology areas has grown rapidly in recent years. Underpinned by the Australia – South Korea Memorandum of Understanding (MoU) on Cyber and Critical Technology Cooperation signed in 2021, collaboration is currently centred around emerging technologies, including next-generation telecommunications, artificial intelligence (AI) and quantum computing. Such technologies are deemed to be critical due to their potential to enhance or threaten societies, economies and national security. Most are dual- or multi-use and have applications in a wide range of sectors.1

Intensifying geostrategic competition is threatening stability and prosperity in the Indo-Pacific region. Particularly alarming is competition in the technological domain. ASPI’s Critical Technology Tracker, a large data-driven project that now covers 64 critical technologies and focuses on high-impact research, reveals a stunning shift in research ‘technology leadership’ over the past two decades. Where the United States (US) led in 60 of the 64 technologies in the five years between 2003 and 2007, the US’s lead has decreased to seven technologies in the most recent five years (2019–2023). Instead, China now leads in 57 of those technologies.

Within the Indo-Pacific region, some countries have responded to those shifts in technology leadership through the introduction of policies aimed at building ‘technological sovereignty’. The restriction of high-risk vendors from critical infrastructure, the creation of sovereign industrial bases and supply-chain diversification are examples of this approach. But a sovereign approach doesn’t mean protectionism. Rather, many countries, including Australia and South Korea, are collaborating with like-minded regional partners to further their respective national interests and support regional resilience through a series of minilateral frameworks.

The Australia – South Korea technological relationship already benefits from strong foundations, but it’s increasingly important that both partners turn promise into reality. It would be beneficial for Australia and South Korea to leverage their respective strengths and ensure that collaboration evolves in a strategic manner. Both countries are leaders in research and development (R&D) related to science and technology (S&T) and are actively involved in international partnerships for standards-setting relating to AI and other technologies. Furthermore, both countries possess complementary industry sectors, as demonstrated through Australia’s critical-minerals development and existing space-launch capabilities on one hand, and South Korea’s domestic capacity for advanced manufacturing on the other.

This report examines four stages common to technological life cycles — (1) R&D and innovation; (2) building blocks for manufacturing; (3) testing and application; and (4) standards and norms. For each, we examine a specific critical technology of interest. Those four life-cycle areas and respective technologies—spanning biotechnologies-related R&D, manufacturing electric-battery materials, satellite launches and AI standards-setting—were chosen as each is a technology of focus for both countries. Furthermore, collaboration through these specific technological stages enables Australia and South Korea to leverage their existing strengths in a complementary manner (see Figure 1). Supporting the analysis of these four stages of the technological life cycle and selected critical technologies is data from ASPI’s Critical Technology Tracker and the Composite Science and Technology Innovation Index (COSTII) jointly released by South Korea’s Ministry of Science and ICT (MSIT) and the Korea Institute of Science & Technology Evaluation and Planning (KISTEP).

Informed by that examination, this report identifies a set of recommendations for strengthening cooperation that is relevant for different stakeholders, including government and industry.

Policy recommendations

Biotechnologies

Australia and South Korea can enhance knowledge-sharing in biotechnologies-related R&D through people-to-people exchanges. Links should be formalised through an MoU between relevant institutions—such as Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Korea Research Institute of Bioscience and Biotechnology. An MoU could be used to implement initiatives such as a virtual mentoring program and long-term in-person exchanges (preferably at least 12 months in duration). Such exchanges would support immersive in-country interaction, enabling the transfer of specialised R&D expertise. Australian researchers could share knowledge about advances in early-stage clinical trials processes, while South Korean researchers could contribute insights into synthetic biology and AI tools in drug-discovery clinical-trial methodologies. Financial support from Australia’s National Health and Medical Research Council could facilitate the exchanges.2 There remains a need to address visa constraints impeding the free flow of researchers between both countries. While this report focuses on R&D, we suggest that there’s equal value in considering cooperation in the manufacturing stages of the biotechnologies value chain.

Recommendation 1: Formalise links between Australia’s and South Korea’s key biotechnologies R&D institutions by facilitating long-term people-to-people exchanges aimed at transferring specialised expertise. This includes in areas such as clinical trials, synthetic biology and AI integration in biotechnologies.

Electric batteries

Australian companies should consider the production of battery materials, including lithium hydroxide and precursor cathode active materials (pCAM), through joint ventures with South Korean battery manufacturers. Such ventures would benefit from jointly funded and owned facilities geographically close to requisite critical minerals. Since spodumene is needed for lithium hydroxide and nickel, cobalt and manganese are required for pCAM, Western Australia provides the ideal location for those facilities. Furthermore, BHP’s recent suspension of its Western Australian nickel operations provides an ideal opportunity for a South Korean battery company to purchase those operations— securing nickel sulphate supplies necessary for pCAM manufacturing.3 There’s also the potential for South Korea to invest in cathode active manufacturing (CAM) manufacturing in Australia by taking advantage of the co-location of mining and pCAM operations.

The provision of loans with relatively low interest rates from South Korean Government–owned banks,4 as well as tax credits and energy incentives provided by the Australian Government, would assist in offsetting the relatively high operational costs (including for labour and materials) associated with establishing joint battery-material plants in Australia instead of South Korea.5 Environmental regulations will need careful consideration in assessing such proposals, such as those covering the disposal of by-products. In the case of sodium sulphate, that by-product can be used in fertilisers and even recycled for future use in battery-material manufacturing.6

Recommendation 2: Consider the establishment of facilities in Australia under joint venture arrangements between Australian and South Korean companies to enable expanded production of battery materials (including lithium hydroxide and pCAM).

Space and satellite technologies

Australia and South Korea should establish a government-to-government agreement that would facilitate the launch of South Korean satellites from northern and southern locations in Australia. This would be similar to the Australia–US Technologies Safeguard Agreement. The agreement would increase the ease with which companies from both countries can pursue joint launches by streamlining launch permit application processes, export controls, taxation requirements and environmental regulations. The agreement can establish a robust framework for joint operations and continued R&D in space and satellite technologies while ensuring that both countries protect associated sensitive technologies. Any such agreement should prioritise consultations with community stakeholders to further inclusive decision-making focused on addressing the social and environmental impacts of space launches.7 Engaging with Indigenous landowners to ensure the protection of cultural heritage, sacred sites and traditional land stewardship is particularly key.8

Recommendation 3: Establish a government-to-government agreement similar to the Australia–US Technologies Safeguard Agreement to bolster the ease with which Australian and South Korean companies can conduct joint satellite launches on Australian soil.

Artificial intelligence technologies

Closer collaboration between Standards Australia and the Korea Standards Association in establishing international AI standards will be beneficial. The established positive record of Australian and South Korean stakeholders in relation to international norms and standards relating to critical technologies, and comparative regional strengths, provide a means to ensure that international AI standards continue to evolve in a way that fosters interoperability, innovation, transparency, diversity and security-by-design. One recommended body through which Australian and South Korean stakeholders could coordinate their respective approaches is the international, industry-led multistakeholder joint subcommittee (SC) created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) known as the ISO/IEC Joint Technical Committee 1 Subcommittee 42 on AI (ISO/IEC JTC 1/SC 42).

Recommendation 4: Coordinate the approach of Standards Australia and the Korea Standards Association in establishing international AI standards in international technology standards bodies, for example, through ISO/IEC JTC 1/SC 42.

Full Report

For the full report, please download here.

  1. J Wong Leung, S Robin, D Cave, ASPI’s two-decade Critical Technology Tracker, ASPI, Canberra, 28 August 2024, online. ↩︎
  2. Austrade, ‘Australia: A go-to destination for clinical trials’. ↩︎
  3. ‘Western Australian Nickel to temporarily suspend operations’, BHP, 11 July 2024, online. ↩︎
  4. Government-owned banks in South Korea are currently funding a similar joint venture in the form of the POSCO – Pilbara Minerals lithium hydroxide facility in South Korea. For more information, see A Orlando, ‘POSCO Pilbara Lithium Solution executes US$460 million loan agreement to help fund chemical facility in South Korea’, Mining.com.au, 27 February 2023, online. ↩︎
  5. In particular, the high cost of a joint lithium hydroxide plant in Australia rather than South Korea was the primary reason for the joint POSCO – Pilbara Minerals plant to be built in Gwangyang, South Korea. For more information, see P Kerr, ‘Lithium processing is 40pc cheaper in South Korea, says POSCO’, Australian Financial Review, 22 May 2023, online. ↩︎
  6. M Stevens, ‘Cathode manufacturing: solutions for sodium sulphate’, Worley, 29 May 2024, online. ↩︎
  7. ‘Koonibba Test Range launches large commercial rocket’, Asia–Pacific Defence Reporter (APDR), 6 May 2024, online; J Hamilton, A Costigan, ‘Koonibba looks to the future as a rocket launch site, but one elder is concerned about the impact on sacred sites’, ABC News, 11 May 2024, online. ↩︎
  8. M Garrick, ‘Equatorial Launch Australia lodges plans for expansion to 300 hectares for Arnhem Space Centre’, ABC News, 8 November 2023, online. ↩︎

Persuasive technologies in China: Implications for the future of national security

Key Findings

The rapid adoption of persuasive technologies—any digital system that shapes users’ attitudes and behaviours by exploiting physiological and cognitive reactions or vulnerabilities—will challenge national security in ways that are difficult to predict. Emerging persuasive technologies such as generative artificial intelligence (AI), ambient technologies and neurotechnology interact with the human mind and body in far more intimate and subconscious ways, and at far greater speed and efficiency, than previous technologies. This presents malign actors with the ability to sway opinions and actions without the conscious autonomy of users.

Regulation is struggling to keep pace. Over the past decade, the swift development and adoption of these technologies have outpaced responses by liberal democracies, highlighting the urgent need for more proactive approaches that prioritise privacy and user autonomy. That means protecting and enhancing the ability of users to make conscious and informed decisions about how they’re interacting with technology and for what purpose.

China’s commercial sector is already a global leader in developing and using persuasive technologies. The Chinese Communist Party (CCP) tightly controls China’s private sector and mandates that Chinese companies—especially technology companies—work towards China’s national-security interests. This presents a risk that the CCP could use persuasive technologies commercially developed in China to pursue illiberal and authoritarian ends, both domestically and abroad, through such means as online influence campaigns, targeted psychological operations, transnational repression, cyber operations and enhanced military capabilities.

ASPI has identified several prominent Chinese companies that already have their persuasive technologies at work for China’s propaganda, military and public-security agencies. They include:

  • Midu—a language intelligence technology company that provides generative AI tools used by Chinese Government and CCP bureaus to enhance the party-state’s control of public opinion. Those capabilities could also be used for foreign interference (see page 4).
  • Suishi—a pioneer in neurotechnology that’s developing an online emotion detection and evaluation system to interpret and respond to human emotions in real time. The company is an important partner of Tianjin University’s Haihe Lab (see page 16), which has been highly acclaimed for its research with national-security applications (see page 17).
  • Goertek—an electronics manufacturer that has achieved global prominence for smart wearables and virtual-reality (VR) devices. This company collaborates on military–civil integration projects with the CCP’s military and security organs and has developed a range of products with dual-use applications, such as drone-piloting training devices (see page 20).

ASPI has further identified case studies of Chinese technology companies, including Silicon Intelligence, OneSight and Mobvoi, that are leading in the development of persuasive technologies spanning generative AI, neurotechnologies and emerging ambient systems. We find that those companies have used such solutions in support of the CCP in diverse ways—including overt and attributable propaganda campaigns, disinformation campaigns targeting foreign audiences, and military–civil fusion projects.

Introduction

Persuasive technologies—or technologies with persuasive characteristics—are tools and systems designed to shape users’ decision-making, attitudes or behaviours by exploiting people’s physiological and cognitive reactions or vulnerabilities.1 Compared to technologies we presently use, persuasive technologies collect more data, analyse more deeply and generate more insights that are more intimately tailored to us as individuals.

With current consumer technologies, influence is achieved through content recommendations that reflect algorithms learning from the choices we consciously make (at least initially). At a certain point, a person’s capacity to choose then becomes constrained because of a restricted information environment that reflects and reinforces their opinions—the so-called echo-chamber effect. With persuasive technologies, influence is achieved through a more direct connection with intimate physiological and emotional reactions. That risks removing human choice from the process entirely and steering choices without an individual’s full awareness. Such technologies won’t just shape what we do: they have the potential to influence who we are.

Many countries and companies are working to harness the power of emerging technologies with persuasive characteristics, such as generative artificial intelligence (AI), wearable devices and brain–computer interfaces, but the People’s Republic of China (PRC) and its technology companies pose a unique challenge. The Chinese party-state combines a rapidly advancing tech industry with a political system and ideology that mandate companies to align with CCP objectives, driving the creation and use of persuasive technologies for political purposes (see ‘How the CCP is using persuasive technologies’, page 21). That synergy enables China to develop cutting-edge innovations while directing their application towards maintaining regime stability domestically, reshaping the international order, challenging democratic values and undermining global human-rights norms.

There’s already extensive research on how the CCP and its military are adopting technology in cognitive warfare to ‘win without fighting’—a strategy to acquire the means to shape adversaries’ psychological states and behaviours (see Appendix 2: Persuasive technologies in China’s ‘cognitive warfare’, page 29).2 Separately, academics have considered the manipulative methods of surveillance capitalism, especially on issues of addiction, child safety and privacy .3 However, there’s limited research on the intersection of those two topics; that is, attempts by the Chinese party-state to exploit commercially available emerging technologies to advance its political objectives. This report is one of the first to explore that intersection.

Chinese technology, advertising and public-relations companies have made substantial advances in harnessing such tools, from mobile push notifications and social-media algorithms to AI-generated content. Many of those companies have achieved global success. Access to the personal data of foreign users is at an all-time high, and Chinese companies are now a fixed staple on the world’s most downloaded mobile apps lists, unlike just five years ago.44 While many persuasive technologies have clear commercial purposes, their potential for political and national-security exploitation—both inside and outside China—is also profound.

This report seeks to break through the ‘Collingridge dilemma’, in which control and understanding of emerging technologies come too late to mitigate the consequences of those technologies.55 The report analyses generative AI, neurotechnologies and immersive technologies and focuses on key advances being made by PRC companies in particular. It examines the national-security implications of persuasive technologies designed and developed in China, and what that means for policymakers and regulators outside China as those technologies continue to roll out globally.

Persuasive-technology capabilities are evolving rapidly, and concepts of and approaches to regulation are struggling to keep pace. The national-security implications of technologies that are designed to drive users towards certain behaviours are becoming apparent. Democratic governments have acted slowly and reactively to those challenges over the past decade. There’s an urgent need for more fit-for-purpose, proactive and adaptive approaches to regulating persuasive technologies. Protecting user autonomy and privacy must sit at the core of those efforts. Looking forward, persuasive technologies are set to become even more sophisticated and pervasive, and the consequences of their use are increasingly difficult to detect. Accordingly, the policy recommendations set out here focus on preparing for and countering the potential malicious use of the next generation of those technologies.

Full Report

For the full report, please download here.

References

  1. First defined by Brian J Fogg in Persuasive technology: using computers to change what we think and do, Morgan Kaufmann, 2003. ↩︎
  2. See, for example, Nathan Beauchamp-Mustafaga, Chinese next-generation psychological warfare, RAND Corporation, Santa Monica, 1 June 2023, online; Elsa B Kania, ‘Minds at war: China’s pursuit of military advantage through cognitive science and biotechnology’, PRISM, 2019, 8(3):82–101, online; Department of Defense, Annual report to Congress; Military and security developments involving the People’s Republic of China, US Government, 19 October 2023, online. ↩︎
  3. Shoshana Zuboff, The Age of Surveillance Capitalism: the fight for a human future at the new frontier of power, Ingram Publisher Services, 2017. ↩︎
  4. Examples of Chinese-owned apps that are among the most downloaded globally include Tiktok, CapCut (a ByteDance-owned video editor) and the e-commerce platforms Temu and Shein. See David Curry, ‘Most popular apps (2024)’, Business of Apps, 30 January 2024, online. ↩︎
  5. Richard Worthington, ‘The social control of technology by David Collingridge’, American Political Science Review, 1982, 76(1):134–135; David Collingridge,
    The social control of technology, St Martin’s Press, New York, 1980. ↩︎

The future of intelligence analysis: US-Australia project on AI and human machine teaming


Dr Alex Caples is Director of The Sydney Dialogue, ASPI’s annual summit for critical, emerging and cyber technologies.

Previously, she was Director of Cyber, Technology and Security at ASPI.

Alex is a former diplomat and national security official whose career spans over 20 years’ in Defence, the Office of National Intelligence, the Department of the Prime Minister and Cabinet and the Department of Foreign Affairs, including postings to Canada and Afghanistan.

Between 2019-2023, Alex was an Associate Director, Operations Advisory and Director, Policy Evaluation and Public Impact at professional services firm KPMG, supporting Commonwealth and State Governments on policy and program design and implementation.

Prior to this, Alex held various senior policy advisor roles in the Department of the Prime Minister and Cabinet’s National Security Division, including Director of Law Enforcement and Border Security, Director Cyber Security Policy and Director Crisis Management. In this capacity Alex provided advice to Government on a wide range of security legislation, policy and operations, including critical infrastructure security, foreign interference, cyberspace, telecommunications security, digital identity management, intelligence and border security.

During 2011-2012, Alex was a Senior Analyst for Transnational Issues at the Office of National Intelligence, where she provided senior executives and Ministers with all-source analysis on people smuggling, regional law enforcement and transnational crime.

Alex is an Australian Defence Force Academy Graduate. She holds a PhD in International Relations from Monash University (2007).

ASPI’s two-decade Critical Technology Tracker: The rewards of long-term research investment

The Critical Technology Tracker is a large data-driven project that now covers 64 critical technologies spanning defence, space, energy, the environment, artificial intelligence, biotechnology, robotics, cyber, computing, advanced materials and key quantum technology areas. It provides a leading indicator of a country’s research performance, strategic intent and potential future science and technology capability.

It first launched 1 March 2023 and underwent a major expansion on 28 August 2024 which took the dataset from five years (previously, 2018–2022) to 21 years (2003–2023). Explore the website and the broader project here.

Governments and organisations interested in supporting this ongoing program of work, including further expansions and the addition of new technologies, can contact: criticaltech@aspi.org.au.

Executive Summary

This report accompanies a major update of ASPI’s Critical Technology Tracker website,1 which reveals the countries and institutions—universities, national labs, companies and government agencies—leading scientific and research innovation in critical technologies. It does that by focusing on high-impact research—the top 10% of the most highly cited papers—as a leading indicator of a country’s research performance, strategic intent and potential future science and technology (S&T) capability.

Now covering 64 critical technologies and crucial fields spanning defence, space, energy, the environment, artificial intelligence (AI), biotechnology, robotics, cyber, computing, advanced materials and key quantum technology areas, the Tech Tracker’s dataset has been expanded and updated from five years of data (previously, 2018–2022)2 to 21 years of data (2003–2023).3

These new results reveal the stunning shift in research leadership over the past two decades towards large economies in the Indo-Pacific, led by China’s exceptional gains. The US led in 60 of 64 technologies in the five years from 2003 to 2007, but in the most recent five years (2019–2023) is leading in seven. China led in just three of 64 technologies in 2003–20074 but is now the lead country in 57 of 64 technologies in 2019–2023, increasing its lead from our rankings last year (2018–2022), where it was leading in 52 technologies.

India is also emerging as a key centre of global research innovation and excellence, establishing its position as an S&T power. That said, the US, the UK and a range of countries from Europe, Northeast Asia and the Middle East have maintained hard-won strengths in high-impact research in some key technology areas, despite the accelerated efforts of emerging S&T powers.

This report examines short- and long-term trends, to generate unique insights. We have updated the recent five-year results (2019–2023) to show current research performance rankings (top 5 country results are in Appendix 1). We have also analysed our new historical dataset to understand the country and institutional trends in research performance over the full 21-year period. In select technologies we have also made projections, based on current trends, for China and the US to 2030.

The results show the points in time at which countries have gained, lost or are at risk of losing their global edge in scientific research and innovation. The historical data provides a new layer of depth and context, revealing the performance trajectory different countries have taken, where the momentum lies and also where longer term dominance over the full two decades might reflect foundational expertise and capabilities that carry forward even when that leader has been edged out more recently by other countries. The results also help to shed light on the countries, and many of the institutions, from which we’re likely to see future innovations and breakthroughs emerge.

China’s new gains have occurred in quantum sensors, high-performance computing, gravitational sensors, space launch and advanced integrated circuit design and fabrication (semiconductor chip making). The US leads in quantum computing, vaccines and medical countermeasures, nuclear medicine and radiotherapy, small satellites, atomic clocks, genetic engineering and natural language processing.

India now ranks in the top 5 countries for 45 of 64 technologies (an increase from 37 last year) and has displaced the US as the second-ranked country in two new technologies (biological manufacturing and distributed ledgers) to rank second in seven of 64 technologies. Another notable change involves the UK, which has dropped out of the top 5 country rankings in eight technologies, declining from 44 last year to 36 now.

Besides India and the UK, the performance of most secondary S&T research powers (those countries ranked behind China and the US) in the top 5 rankings is largely unchanged: Germany (27), South Korea (24), Italy (15), Iran (8), Japan (8) and Australia (7).

We have continued to measure the risk of countries holding a monopoly in research for some critical technologies, based on the share of high-impact research output and the number of leading institutions the dominant country has. The number of technologies classified as ‘high risk’ has jumped from 14 technologies last year to 24 now. China is the lead country in every one of the technologies newly classified as high risk—putting a total of 24 of 64 technologies at high risk of a Chinese monopoly. Worryingly, the technologies newly classified as high risk includes many with defence applications, such as radar, advanced aircraft engines, drones, swarming and collaborative robots and satellite positioning and navigation.

In terms of institutions, US technology companies, including Google, IBM, Microsoft and Meta, have leading or strong positions in artificial intelligence (AI), quantum and computing technologies. Key government agencies and national labs also perform well, including the National Aeronautics and Space Administration (NASA), which excels in space and satellite technologies. The results also show that the Chinese Academy of Sciences (CAS)—thought to be the world’s largest S&T institution5—is by far the world’s highest performing institution in the Critical Tech Tracker, with a global lead in 31 of 64 technologies (an increase from 29 last year, see more on CAS in the breakout box on page 19).

The results in this report should serve as a reminder to governments around the world that gaining and maintaining scientific and research excellence isn’t a tap that can be turned on and off. Too often, countries have slowed or stopped investing in, for example, research and development (R&D) and manufacturing capability, in areas in which they had a long-term competitive advantage (5G technologies are an example6). In a range of essential sectors, democratic nations risk losing hard-won, long-term advantages in cutting-edge science and research—the crucial ingredient that underpins much of the development and advancement of the world’s most important technologies. There’s also a risk that retreats in some areas could mean that democratic nations aren’t well positioned to take advantage of new and emerging technologies, including those that don’t exist yet.

Meanwhile, the longitudinal results in the Critical Tech Tracker enable us to see how China’s enormous investments and decades of strategic planning are now paying off.7

Building technological capability requires a sustained investment in, and an accumulation of, scientific knowledge, talent and high-performing institutions that can’t be acquired through only short-term or ad hoc investments.8 Reactive policies by new governments and the sugar hit of immediate budget savings must be balanced against the cost of losing the advantage gained from decades of investment and strategic planning. While China continues to extend its lead, it’s important for other states to take stock of their historical, combined and complementary strengths in all key critical technology areas.

This report is made up of several sections. Below you’ll find a summary of the key country and institutional findings followed by an explanation of why tracking historical research performance matters. We then further analyse the nuances of China’s lead and briefly explain our methodology (see Appendix 2 for a detailed methodology). We also look more closely at 10 critical technology areas, including those relevant to AI, semiconductors, defence, energy, biotechnology and communications. Appendix 1 contains visual snapshots of top 5 country rankings in the 64 critical technologies.

We encourage you to visit ASPI’s Critical Technology Tracker website (https://techtracker.aspi.org.au) and explore the new data.

What is ASPI’s Critical Technology Tracker?

ASPI’s Critical Technology Tracker is a unique dataset that allows users to track 64 technologies that are foundational for our economies, societies, national security, defence, energy production, health and climate security. It focuses on the top 10% of the most highly cited research publications from the past 21 years (2003–2023).9 The new dataset is analysed to generate insights into which countries and institutions—universities, national labs, companies and government agencies—are publishing the greatest share of innovative and high-impact research. We use the top 10% because those publications have a higher impact on the full technology life cycle and are more likely to lead to patents, drive future research innovation and underpin technological breakthroughs.10

Critical technologies are current or emerging technologies that have the potential to enhance or threaten our societies, economies and national security. Most are dual- or multi-use and have applications in a wide range of sectors. By focusing early in the science and technology (S&T) life cycle, rather than examining technologies already in existence and fielded, the Critical Technology Tracker doesn’t just provide insights into a country’s research performance, but also its strategic intent and potential future S&T capability. It’s only one piece of the puzzle, of course: it must be acknowledged that actualising and commercialising research performance into major technological gains, no matter how impressive a breakthrough is, can be a difficult, expensive and complicated process. A range of other inputs are needed, such as an efficient manufacturing base and ambitious policy implementation.

The Tech Tracker’s dataset has now been expanded and updated from five years of data (previously, 2018–2022)11 to 21 years of data (2003–2023). This follows previous attempts to benchmark research output across nations by focusing on quality over quantity, key technology areas and individual institutions, as well as short-term, long-term and potential future trends. This update continues ASPI’s investment in creating the highest quality dataset of its kind.12

Both the website and two associated reports (this one included) provide decision-makers with an empirical methodology to inform policy and investment decisions, including decisions on which countries and institutions they partner with and in what technology areas. A list of the 64 technologies, including definitions, is on our website.13 Other parts of this project include:

  • the Tech Tracker website: ASPI’s Critical Technology Tracker14 contains an enormous amount of original data analysis. We encourage you to explore these datasets online as you engage with this report. Users can compare countries, regions or groupings (the EU, the Quad, China–Russia etc.) and explore the global flow of research talent for each technology.
  • the 2023 report: We encourage readers to explore the original report, ASPI’s Critical Technology Tracker: the global race for future power.15 In addition to analysing last year’s key findings, it outlined why research is vital for S&T advances and it examined China’s S&T vision. The report also made 23 policy recommendations, which remain relevant today.16
  • visual snapshots: Readers looking for a summary of the top 5 countries ranked by their past five years of performance in all 64 technologies (see example below) can jump to Appendix 1.
Example of the visual snapshots depicted further in the report.

Data source: ASPI Critical Technology Tracker.

Full Report

For the full report, please download here.

  1. Critical Technology Tracker, ASPI, Canberra. ↩︎
  2. Jamie Gaida, Jennifer Wong Leung, Stephan Robin, Danielle Cave, ASPI’s Critical Technology Tracker: the global race for future power, ASPI, Canberra, 1 March 2023. ↩︎
  3. 21-year dataset with improved search terms and institution cleaning, see Methodology for more details. ↩︎
  4. In the early years, such as 2003–2007, some of the 64 technologies have not yet emerged and the credits assigned to top countries or institutions are too low to be statistically significant. Where this is the case we have avoided pulling key insights from the rankings of countries and institutions in these technologies. ↩︎
  5. Bec Crew, ‘Nature Index 2024 Research Leaders: Chinese institutions dominate the top spots’, Nature, 18 June 2024. ↩︎
  6. Elsa B Kania, ‘Opinion: Why doesn’t the US have its own Huawei?’, Politico, 25 February 2020. ↩︎
  7. See, for example, Zachary Arnold, ‘China has become a scientific superpower’, The Economist, 12 June 2024.
    ‘China’, Nature, 9 August 2023, https://www.nature.com/collections/efchdhgeci ;
    ‘China’s science and technology vision’ and ‘China’s breakout research capabilities in defence, security and intelligence technologies’ in Gaida et al.
    ASPI’s Critical Technology Tracker: The global race for future power, 14–20; Tarun Chhabra et al., ‘Global China: Technology’, Brookings Institution, April 2020, https://www.brookings.edu/articles/global-china-technology/ ;
    Jason Douglas and Clarence Leong. “The U.S. Has Been Spending Billions to Revive Manufacturing. But China Is in Another League”, The Wall Street Journal, August 3, 2024, https://www.wsj.com/world/china/the-u-s-has-been-spending-billions-to-revive-manufacturing-but-china-is-in-another-league-75ed6309 . ↩︎
  8. Eva Harris, ‘Building scientific capacity in developing countries’, EMBO Reports, 1 January 2004, 5, 7–11. ↩︎
  9. These technologies were selected through a review process in 2022–23 that combined our own research with elements from the Australian Government’s 2022 list of critical technologies, and lists compiled by other governments. An archived version of the Australian Government’s list is available: Department of Industry, Science and Resources, ‘List of critical technologies in the national interest’, Australian Government, 28 November 2022.
    In May 2023, the Australian Government revised their list: Department of Industry, Science and Resources, ‘List of critical technologies in the national interest’, Australian Government, 19 May 2023, https://www.industry.gov.au/publications/list-critical-technologies-national-interest .
    A US list is available from National Science and Technology Council, ‘Critical and emerging technologies list update’, US Government, February 2022, https://www.whitehouse.gov/wp-content/uploads/2022/02/02-2022-Critical-and-Emerging-Technologies-List-Update.pdf .
    On our selection of AUKUS Pillar 2 technologies, see Alexandra Caples et al., ‘AUKUS: three partners, two pillars, one problem’, TheStrategist, 6 June 2023, https://www.aspistrategist.org.au/aukus-three-partners-two-pillars-one-problem/ . ↩︎
  10. Felix Poege et al., ‘Science quality and the value of inventions’, Science Advances, 11 December 2019, 5(12):eaay7323;
    Cherng Ding, et al., ‘Exploring paper characteristics that facilitate the knowledge flow from science to technology’, Journal of Informetrics, February 2017, 11(1):244–256, https://doi.org/10.1016/j.joi.2016.12.004 ;
    Gaida et al., ASPI’s Critical Technology Tracker: The global race for future power, 9. ↩︎
  11. Jamie Gaida, Jennifer Wong Leung, Stephan Robin, Danielle Cave, ASPI’s Critical Technology Tracker: The global race for future power. ↩︎
  12. See more details in the full methodology in Appendix 2. ↩︎
  13. ‘List of technologies’, Critical Technology Tracker. ↩︎
  14. Critical Technology Tracker ↩︎
  15. See Jamie Gaida, Jennifer Wong-Leung, Stephan Robin, Danielle Cave, ASPI’s Critical Technology Tracker: the global race for future power. ↩︎
  16. Jamie Gaida, Jennifer Wong-Leung, Stephan Robin, Danielle Cave, ASPI’s Critical Technology Tracker: the global race for future power, 44. ↩︎

Negotiating technical standards for artificial intelligence

The Australian Strategic Policy Institute (ASPI) is delighted to share its latest report – the result of a multi-year project on Artificial Intelligence (AI), technical standards and diplomacy – that conducts a deep-dive into the important, yet often opaque and complicated world of technical standards.

At the heart of how AI technologies are developed, deployed and used in a responsible manner sit a suite of technical standards: rules, guidelines and characteristics that ensure the safety, security and interoperability of a product.

The report authors highlight that the Indo-Pacific, including Australia and India, are largely playing catch-up in AI standards initiatives. The United States and China are leading the pack, followed by European nations thanks to their size, scope and resources of their national standardisation communities as well as their domestic AI sectors.

Not being strongly represented in the world of AI governance and technical standards is a strategic risk for Indo-Pacific nations. For a region that’s banking on the opportunities of a digital and technology-enabled economy and has large swathes of its population in at-risk jobs, it’s a matter of national and economic security that Indo-Pacific stakeholders are active and have a big say in how AI technologies will operate and be used.

Being part of the conversations and negotiations is everything, and as such, governments in the Indo-Pacific – including Australia and India – should invest more in whole-of-nation techdiplomacy capabilities.

Authored by analysts at ASPI and India’s Centre for Internet and Society, this new report ‘Negotiating technical standards for artificial intelligence: A techdiplomacy playbook for policymakers and technologists in the Indo-Pacific’ – and accompanying website (https://www.techdiplomacy.aspi.org.au/) – explains the current state of play in global AI governance, looks at the role of technical standards, outlines how agreements on technical standards are negotiated and created, and describes who are the biggest ‘movers and shakers’.

The authors note that there are currently no representatives from Southeast Asia (except Singapore), Australia, NZ or the Pacific Islands on the UN Secretary-General Advisory Body on AI – a body that’s tasked to come up with suggestions on how to govern AI in a representative and inclusive manner with an eye to achieving the UN Sustainable Development Goals.

The capacity of the Indo-Pacific to engage in critical technology standards has historically been lower in comparison to other regions. However, given the rapid and global impact of AI and the crucial role of technical standards, the report authors argue that dialogue and greater collaboration between policymakers, technologists and civil society has never been more important.

It is hoped this playbook will help key stakeholders – governments, industry, civil society and academia – step through the different aspects of negotiating technical standards for AI, while also encouraging the Indo-Pacific region to step up and get more involved.

Truth and reality with Chinese characteristics

ChineseFrench and Spanish translations are now available.

Executive Summary

The Chinese Communist Party (CCP) is leveraging its propaganda system to build a toolkit to enable information campaigns. Its objective is to control communication and shape narratives and perceptions about China in order to present a specific version of truth and reality, both domestically and internationally. Ultimately, the CCP aims to strengthen its grip on power, legitimise its activities and bolster China’s cultural, technological, economic and military influence.

The CCP seeks to maintain total control over the information environment within China, while simultaneously working to extend its influence abroad to reshape the global information ecosystem. That includes not only controlling media and communications platforms outside China, but also ensuring that Chinese technologies and companies become the foundational layer for the future of information and data exchange worldwide.

This research report finds that the CCP seeks to harvest data from various sources, including commercial entities, to gain insights into target audiences for its information campaigns. We define an information campaign as a targeted, organised plan of related and integrated information operations, employing information-related capabilities (tools, techniques or activities) with other lines of operation to influence, disrupt, corrupt or manipulate information — including the individual or collective decision making based on that information — and deliberately disseminated on a large scale. The party also invests in emerging technologies such as artificial intelligence (AI) and immersive technologies that shape how people perceive reality and engage with information. The aim is to gain greater control, if not dominance, over the global information ecosystem.

To understand the drivers, tools and outcomes of that process, this report and its accompanying website (ChinaInfoBlocks.aspi.org.au) examine the activities of the People’s Republic of China (PRC) in the information domain, particularly its investments in technology and research and development (R&D) companies that might serve as ‘building blocks’ for the party’s information campaigns.

Specifically, this research comprehensively maps the CCP’s propaganda system, highlighting the linkages between the Central Propaganda Department, state-owned or -controlled propaganda entities and data-collection activities, and technology investments in Chinese companies, many of which now operate globally.

This research illustrates the various ways in which the party-state is leveraging the propaganda system and commercial entities to gain access to data that it deems strategically valuable for the propaganda system and its ongoing information operations. It also shows how the propaganda system uses new and emerging technologies, including generative AI, mobile gaming and immersive technologies, to establish and maintain control of the narrative and continuously refine its toolbox and techniques.

It’s imperative that policymakers develop robust defences and countermeasures against future disruptive information campaigns from Beijing and to ensure an open and secure global information environment. In mapping those companies linked to China’s propaganda system that are seeking market dominance in key technologies, and how their activities may support CCP efforts to shape the global information environment, this project aims to inform government and industry decisions on digital supply-chain security, supporting policies for safer and more secure digital technologies.

The first section of this report lays out the fundamentals of CCP theory that have, over decades, defined the party-state’s strategy in the information domain. A theoretical understanding of how the CCP conceptualises its goals is important in unpacking the different tools used to achieve them. The second section outlines the CCP’s complex and vast propaganda system and how it works. Later sections expand on the ways in which CCP theory underpins the propaganda system and its activities, including through practical examples and case studies.

This report is accompanied by a website that offers detailed network diagrams of the relationships between China’s propaganda system and the companies associated with it: directly, through a state-ownership structure linking back to the propaganda system, or indirectly, through significant state support. The website also hosts case studies relevant to the report findings. The map can be explored on the website, Identifying The Building Blocks of China’s Information Campaigns (ChinaInfoBlocks.aspi.org.au).

figure 1
Source: Screenshot of ChinaInfoBlocks.aspi.org.au dataset, ASPI.

Research methodology

The CCP’s propaganda efforts on social media have been widely studied, enabling a baseline understanding of common narratives and tactics. Previous ASPI research, for example, has tracked a persistent, large-scale influence campaign linked to Chinese state actors on Twitter and Facebook.1 Several other research institutes have published important research on how the Chinese party-state attempts to control the information environment globally.2

China’s propaganda system is a vast structure. Under its direct control or with its direct support are a web of additional entities whose portfolio contributes to the party’s ability to meet its strategic aims in the information environment. Countries that understand the ‘invisible architecture’ of the CCP’s propaganda system and technologies will be better able to address and respond to its global efforts to skew the information environment.

Important research questions remain understudied. In particular, research on the building blocks that need to be in place to support and inform successful efforts to shape the information environment is limited. What’s the Chinese party-state doing to build its capacity to control ‘truth’ and influence how external audiences perceive, engage with and question reality?

To bridge that knowledge gap, this project examines how the party-state is leveraging the propaganda system:

  1. through commercial entities, by collecting data or gaining access to datasets that it deems strategically valuable that could be used for propaganda purposes, including potentially for current or future information operations (for example, undertaking data-collection activities that build the party-state’s capacity to generate insights on current or potential targets of information operations)
  2. through state support, by investing in R&D and access to new and emerging technology to shape or distort the information environment both domestically and globally.

Our project is based on ASPI’s 2019 report, Engineering global consent. That report first identified Global Tone Communications Technology (GTCOM), a machine-translation company that’s controlled by the CCP Central Propaganda Department. GTCOM claims that it accesses data from social media and has downstream access to datasets of the internet of things (IoT) and software products that it supplies, mainly to other PRC technology companies, to generate insights to support China’s state security and propaganda work.3

Building on Engineering global consent, we’ve sought to identify and explain how the Chinese party-state’s expansive propaganda system exploits new and emerging technologies and seeks to shape or distort the information environment both domestically and globally. To answer these questions, we generated network graphs describing the relationships between companies in our dataset, which are mostly Chinese state-owned or backed by state funds, with direct links to the propaganda system and other entities. We used that research to better understand areas of business activity associated with the PRC’s propaganda system, especially when such activity is related to data collection, aggregation and processing.

Our research effort involved identifying entities linked to the Propaganda Department of the Chinese Communist Party’s Central Committee (‘the Central Propaganda Department’), provincial-level propaganda departments, or other party-state bodies linked to the propaganda system, such as the Ministry of Culture and Tourism. This project began with a months-long effort to build a network graph of companies that were directly and indirectly linked to the Central Propaganda Department. Our research included looking for subsidiaries, shareholders and strategic cooperation and MoU partners of the companies we identified. Our information sources focused on PRC-based company databases and shareholders, and included company websites, company press releases and corporate disclosure documents. We then narrowed the scope of our research to focus on the specific case studies covered in this report.

Party-state news and publishing outlets were included in our research because the Central Propaganda Department is responsible for the supervision of news and publishing work, and those outlets are key platforms for disseminating information. However, rather than simply mapping out the names of media and publishing outlets, and their publication outputs domestically in China and overseas, our research emphasis was on identifying where those outlets are establishing branches or partnerships that expand their business activity into areas of business related to new and emerging technology.

While this research has revealed large amounts of previously inaccessible information on Chinese companies with links to the CCP’s propaganda institutions, it relies on publicly available information sources that are accessible outside mainland China. Continued research on these connections, as well as on connections between these types of companies and other parts of the party-state bureaucracy, is required.

Key findings

The report places the PRC’s propaganda system in the context of the CCP’s overall strategic frameworks, which are filtered down to specific policy outputs. Key findings are as follows:

  • The Chinese party-state sees data as central to its ability to modernise its propaganda efforts in the global information environment. Unlike the legislation of other state actors, China’s 2021 Data Security Law clearly articulates a vision for how data and data exchanges contribute to an overall national strategy (see ‘The propaganda system and its feedback loop’ at page 13). It prioritises data access and the regulation of data flows as part of its efforts to ensure control.
     That data is global. For example, China’s People’s Public Opinion Cloud combines about half a million information sources across 182 countries and 42 languages to support the Chinese Government’s and PRC enterprises’ international communication needs.4 The platform has both government and corporate applications and provides tools for public-security agencies to monitor the information environment and public sentiment on sensitive events and topics.5
  • The CCP sees emerging technology, such as e-commerce, virtual reality and gaming, as a means to promote a CCP-favoured perspective on truth and reality that supports the official narrative that the CCP seeks to project (even if those technologies may also be potentially hazardous to the party’s interests). This is especially true in relation to the CCP’s ability to conduct information campaigns and shape global information standards and foundational technologies.
     The CCP’s national key cultural export enterprises and projects lists (both the 2021–22 and 2022–2023 versions), name dozens of mobile gaming companies and mobile games that receive state support (see ‘The perception of reality’ at page 19), including subsidies, so that they can continue to enjoy global success and help advance the mission to boost China’s cultural soft power.
     In e-commerce, for example, companies such as Temu (which became the most-downloaded free iPhone app in the US in 20236) also collect large amounts of data that’s likely to be shared with the PRC’s propaganda system.7 In gaming, popular video games such as Genshin Impact, the developers of which receive Chinese state support linked to the propaganda system, create similar security risks due to the strategic value of the user data that they generate and collect.
  • Under Xi Jinping’s leadership, the CCP has renewed its emphasis on a national strategy of media convergence that brings together traditional and ‘emerging’ media across various dimensions—content, channels, platforms, operations and management—to enhance the agility of propaganda initiatives in responding to real-time shifts in public sentiment.8 Media convergence is directly linked to the perception that an absence of guidance on public opinion risks China’s security and stability. The party uses digital media, particularly the data resources that digital media help to generate, to improve its ability to use media effectively in its communications strategy and to create feedback loops in China and internationally.9

Policy recommendations

Policymakers face two key challenges: first, to apply the CCP’s way of thinking to efforts to counter information campaigns, before they’re conducted; and, second, to resist China’s efforts to shape global information standards and core foundational technologies for Web 2.0 and beyond.10

Informed by the findings contained in this report, we make the following recommendations for governments, civil society, social-media platforms and hardware and software developers and vendors:

  1. Governments should exert pressure on technology companies to conduct more thorough reviews of their digital supply chains to ensure that their Web 2.0 and future Web 3.0 foundations, and the companies and technologies that they rely on, are transparent and secure. Improving due diligence, transparency, trust and security by design in the digital supply chain, at both the technology and systems/applications layers, must be considered, especially for companies engaged in government procurements. That can be achieved by imposing more stringent reporting requirements, developing high-risk vendor frameworks, imposing and enforcing privacy and data requirements, and developing consistent data-minimisation approaches. Already the US and partner nations have sought to enhance software security by requiring companies working with governments to provide software ‘bills of materials’. The Quad Cybersecurity Partnership’s ‘joint principles for secure software’11 is an excellent template for considering enhanced transparency regulation.
     Technology companies, including vendors, platforms and developers should commit and adhere to the Cybersecurity Tech Accord, develop security by design standards, and impose greater moderation and fact-checking standards across online platforms, social media, etc. to reduce the potential for attacks on the availability, confidentiality, and integrity of data, products, services, and networks and highlight mis- and dis-information and propaganda. As China’s information campaigns seek to weaponise truth and reality, increasing vigilance, verification and veracity must be asserted to ensure information consumers are offered the best chance of identifying mis- and dis-information influences.
  2. Governments must exert significantly more policy attention to the regulation of technologies used for surveillance and related immersive technologies. Few governments have developed broad definitions of those technologies or studied their privacy and data-security impacts. As a consequence, their regulation hasn’t been effective or focused on their future societal and national-security implications. More specifically:
     Governments should define machine learning and cloud data as surveillance or dual-use goods. For example, the European Union has identified dual-use applications of AI systems as an area of concern in their assessment process as part of the Ethics Guidelines for Trustworthy AI.12 The Council of Europe has also raised concerns with the Pegasus surveillance software.13 The US has identified cloud data as an export under the Export Administration Regulations that may attract dual-use controls. While these efforts are significant, regulation still lags the use of machine learning and cloud data by companies and governments, resulting in inconsistent application, a situation rife for exploitation by authoritarian regimes. Governments should standardise and tighten regulation on the technologies and services not traditionally understood as surveillance or dual-use (data) products, including data-generating products and services in e-commerce gaming industries. Doing so would enable them to apply traditional tool sets for preventing access to goods of that nature, such as export controls, technologies and services not traditionally understood as surveillance or dual-use (data) products, including data-generating products and services in e-commerce gaming industries.
     Additionally, increased transparency in regard to which technology actors and entities, whether they’re involved in R&D activities or product sales, are acting on behalf of state interests could clarify what data is used for surveillance purposes and what data can be used to undermine another state’s sovereignty.
  3. To further increase transparency, governments should also more clearly define which individual actors and entities are required to register under foreign-agent registration schemes. That includes Australia’s Foreign Influence Transparency Scheme, the US Foreign Agents Registration Act (FARA) and emerging equivalents elsewhere, such as the UK’s upcoming foreign influence registration scheme. The US, for example, used FARA to force PRC state-owned media companies such as Xinhua and CGTN to register as state agents.14Based on the same logic, any technology company linked directly to China’s propaganda system or receiving state support to facilitate the party-state’s propaganda efforts could be required to register.
  4. Internationally, governments should work to standardise the ways in which data is shared, and proactively regulate how it can be produced and stored. Efforts thus far have failed to reach accord, and many have been siloed within specific functional domains (such as meteorological data, social services, food and agriculture, finance and so on). Such efforts can reduce opportunities for authoritarian regimes to collect, use and misuse data in ways that harm ethnic communities, disparage and denigrate alternative perspectives and silence dissent in the global information environment. The International Organization for Standardization, together with the UN Centre for Trade Facilitation and Electronic Business, among others, should establish joint government–industry standardisation mechanisms.
  5. Multilaterally, democratic governments should work together to develop a stronger institutional understanding of the future vulnerabilities and risks of new technologies, particularly in the digital technology ecosystem. That understanding should guide the development of new standards for emergent technologies and assist industry to commercialise those technologies with the goal of safety and security by design. The Quad Principles on Critical and Emerging Technology Standards are a good example of work that needs to occur on the future vulnerabilities and risks of new technologies.
  6. Locally, governments and civil society should establish guardrails against the negative impacts of CCP efforts to shape the information environment, including through information campaigns such as media literacy and critical thinking campaigns targeting individuals and communities. Efforts should not only help users understand what’s ‘real’ and what’s ‘fake’, but also ensure that they have broader awareness of how entities supporting foreign information campaigns may be present in their supply chains, so that risks associated with them are identified and more reliably controlled.

Full Report

For the full report, please download here.

QR Code to download this report in English

Chinese translation is available here.

QR Code to download this report in Chinese

French translation is available here.

QR Code to download this report in French

Spanish translation is available here.

QR Code to download this report in Spanish
  1. Tom Uren, Elise Thomas, Jacob Wallis, Tweeting through the Great Firewall, ASPI, Canberra, 3 September 2019, online; Jacob Wallis, Tom Uren, Elise Thomas, Albert Zhang, Samantha Hoffman, Lin Li, Alexandra Pascoe, Danielle Cave, Retweeting through the Great Firewall, ASPI, Canberra, 12 June 2020, online; Albert Zhang, Tilla Hoja, Jasmine Latimore, Gaming public opinion, ASPI, Canberra, 26 April 2023, online. ↩︎
  2. Freedom House, for example, found in its survey of CCP media influence in 30 countries that ‘the Chinese government and its proxies are using more sophisticated, covert, and coercive tactics—including intensified censorship and intimidation, deployment of fake social media accounts, and increased mass distribution of Beijing-backed content via mainstream media—to spread pro-CCP narratives, promote falsehoods, and suppress unfavourable news coverage.’ See ‘Beijing’s global media influence 2022: Authoritarian expansion and the power of democratic resilience’, Freedom House, 8 September 2022, online; ‘New report: Beijing is intensifying its global push for media influence, turning to more covert and aggressive tactics’, Freedom House, 8 September 2022, online. The National Endowment for Democracy’s work on sharp power has similarly examined how the PRC and authoritarian states engage in activities that undermine media integrity; see Christopher Walker, Jessica Ludwig, A full-spectrum response to sharp power the vulnerabilities and strengths of open societies, Sharp Power and Democratic Resilience series, National Endowment for Democracy, June 2021, online; Sharp power: rising authoritarian influence, National Endowment for Democracy, December 2017, online. ↩︎
  3. Samantha Hoffman, Engineering global consent: the Chinese Communist Party’s data-driven power expansion, ASPI, 14 October 2019, online. ↩︎
  4. ‘People’s Public Opinion Cloud’ [人民舆情云], People’s Cloud, no date, online. ↩︎
  5. ‘People’s Public Opinion Cloud’ [人民舆情云], People’s Cloud, no date, online. ↩︎
  6. Sarah Perez, ‘Temu was the most-downloaded iPhone app in the US in 2023’, TechCrunch, 13 December 2023, online. ↩︎
  7. Temu has also reportedly engaged in controversial business practices, such as forced and exploitative labour practices, and copyright infringement. See Nicholas Kaufman, Shein, Temu, and Chinese e-commerce: data risks, sourcing violations, and trade loopholes, US–China Economic and Security Review Commission, 14 April 2023, online. ↩︎
  8. Patrick Boehler, ‘Two million “internet opinion analysts” employed to monitor China’s vast online population’, South China Morning Post, 3 October 2013, online. ↩︎
  9. ‘CMP dictionary: media convergence’, China Media Project, 16 April 2021, online. ↩︎
  10. Web 2.0 refers to a shift in the way websites and web applications are designed and used, characterised by user-generated content, interactivity and collaboration, marking a departure from static web pages to dynamic platforms facilitating social interaction and user participation. See Ashraf Darwish, Kamaljit Lakhtaria, ‘The impact of the new Web 2.0 technologies in communication, development, and revolutions of societies’, Journal of Advances in Information Technology, November 2011, online. ↩︎
  11. Quad Senior Cyber Group, ‘Quad Cybersecurity Partnership: joint principles for secure software’, Department of the Prime Minister and Cabinet, Australian Government, 20 May 2023, online. ↩︎
  12. High Level Expert Group on Artificial Intelligence, ‘Ethics guidelines for trustworthy AI’, European Union, 8 April 2019, online. ↩︎
  13. ‘Pegasus spyware and its impacts on human rights’, Council of Europe, 20 June 2022, online. ↩︎
  14. National Security Division, ‘Obligation of CGTN America to register under the Foreign Agents Registration Act’, Department of Justice, US Government, 20 December 2018, online; National Security Division, ‘Obligation of Xinhua News Agency North America to register under the Foreign Agents Registration Act’, Department of Justice, US Government, 18 May 2020, online. ↩︎

What do Australia’sparliamentarians thinkabout cybersecurityand critical technology?

Preface

In 2020, the then Director of ASPI’s International Cyber Policy Centre, Fergus Hanson, approached me to research the views of the 46th Parliament on a range of cybersecurity and critical technology issues. The resulting data collection was then conducted in two parts across 2021 and 2022, with the results analysed and written up in 2022 and 2023. Those parliamentarians who ‘opted in’ completed and provided an initial quantitative study, which I then followed up on with an interview that explored an additional set of qualitative questions. The results, collated and analysed, form the basis of this report.

This research aims to provide a snapshot of what our nation’s policy shapers and policymakers are thinking when it comes to cybersecurity and critical technologies. What are they worried about? Where are their knowledge gaps and interests? What technologies do they think are important to Australia and where do they believe policy attention and investment should focus in the next five years?

This initial study establishes a baseline for future longitudinal assessments that could capture changes or shifts in parliamentarians’ thinking. Australia’s ongoing cybersecurity challenges, the fast-moving pace of artificial intelligence (AI), the creation of AUKUS and the ongoing development of AUKUS Pillar 2—with its focus on advanced capabilities and emerging technologies (including cybertechnologies)—are just a few reasons among many which highlight why it’s more important than ever that the Australian Parliament be both informed and active when engaging with cybersecurity and critical technologies.

We understand that this in-depth study may be a world first and extend our deep and heartfelt thanks to the 24 parliamentarians who took part in it. Parliamentarians are very busy people, and yet many devoted significant time to considering and completing this study.

This was a non-partisan study. Parliamentarians were speaking on condition of strict anonymity, without any identifiers apart from their gender, chamber, electorate profile and backbench or frontbench status. Because of that, the conversations were candid, upfront and insightful and, as a result, this study provides a rich and honest assessment of their views.

Tag Archive for: Cyber

Red tape that tears us apart: regulation fragments Indo-Pacific cyber resilience

The fragmentation of cyber regulation in the Indo-Pacific is not just inconvenient; it is a strategic vulnerability.

In recent years, governments across the Indo-Pacific, including Australia, have moved to reform their regulatory frameworks for cyber resilience. Though well-intentioned, inadequate coordination with regional partners and stakeholder consultations have created a situation of regulatory fragmentation—the existence of multiple regulatory frameworks covering the same subject matter—within and among Indo-Pacific jurisdictions.

This inconsistency hinders our ability to collaboratively tackle and deter cyber threats, essentially fragmenting the cyber resilience of the Indo-Pacific.

Regulatory fragmentation threatens regional security for three key reasons.

Firstly, it impedes technical efficiency. While we tend to think of cyberspace as borderless, its composite parts are designed, deployed and maintained on the territory of states that enact their own laws and regulations. Factors such as threat perception, the organisation of the given state and its agencies, and regulatory culture shape these frameworks. The degree to which the state provides essential services and owns physical and digital infrastructure also influences framework development.

As governments introduce complex regulatory obligations for cyber resilience, most digital services providers and ICT manufacturers will have to divert resources from efforts that would otherwise enable them to prepare for and respond to threats more effectively and across jurisdictions. Ironically, this undermines the effectiveness of regulatory regimes for cyber resilience in the first place.

In addition, complex and confusing nation-specific requirements push regulatees to follow a checkbox approach to cyber resilience, rather than a holistic, risk-informed and agile one. Boards may prioritise meeting the bare minimum of regulatory requirements instead of maintaining a risk management posture commensurate with the rapidly evolving threat environment.

Secondly, regulatory fragmentation undermines innovation. Complex regulatory regimes—especially for government procurement and for critical infrastructure operators—can seriously undermine competition and innovation. Startups and smaller vendors (looking to sell to such entities) have to divert scarce resources away from research, development and innovation to fund compliance with a maze of obligations. This is especially problematic for small and medium enterprises in sectors reliant on innovation—such as cyber resilience and advanced manufacturing—as regulatory risk mitigation can deny these firms the ability to scale and expand into new markets.

Thirdly, regulatory fragmentation impedes trust in partnerships. A jurisdiction’s regulatory robustness in relation to cyber resilience is a key factor in determining the suitability of partners in sensitive policy domains.

For example, while Japan has taken steps to invest in its national cyber resilience, particularly after Chinese hackers compromised government networks, the United States has remained cautious about Japan’s ability to protect sensitive information. Through sections 1333 and 1334 of the National Defense Authorization Act for Fiscal Year 2025, the US Congress tasked the Departments of State and Defense with reporting on issues such as: the effectiveness of Japanese cyber policy reforms since 2014; Japanese procedures for protecting classified and sensitive information; and how Japan ‘might need to strengthen’ its own cyber resilience ‘in order to be a successful potential [AUKUS Pillar 2] partner’.

Collaboration requires trust. That trust hinges not just on the quality and harmonisation of regulatory frameworks; it also depends on whether they’re enforced and underpinned by a shared appreciation of the cyber threat environment, including in relation to state-sponsored actors looking to preposition themselves in critical infrastructure assets and steal intellectual property.

That trust also relies on a shared appreciation of the importance of removing unnecessary impediments to innovation, including the growth of allied and partner capability, and threat mitigation by stakeholders, which is itself contingent on shared political will.

After all, regulatory fragmentation is politically driven. Leaders, ministers, officials and regulators each seek to satisfy constituents at home and exert influence abroad over cyber policy. They may prefer to clean the cobwebs through visible operational reactions rather than kill the spider through holistic, long-term preparation.

Such political considerations may disregard commercial and technical realities when regulatory parameters are determined in the interests of digital sovereignty, including when it comes to (not) banning technology vendors.

Fixing this is a tall order but not impossible. Australia and its partners could consider establishing a baseline degree of regulatory harmonisation and reciprocity. This could include factors such as:

—Definitions of the subjects and objects of cyber regulation;

—Thresholds and deadlines for reporting breaches of cyber resilience to the state;

—Standards and controls that regulatees must implement, and outcomes they must achieve;

—Technology supply chain risk management requirements, including methods to assess whether procuring technology from certain vendors is too risky;

—Types of penalties for non-compliance; and

—Powers of the state to gather information or intervene in the operations of regulatees.

Allies and partners must better align their regulatory frameworks. Be it via multi-stakeholder collaboration or multilateral regulatory diplomacy, tackling regulatory fragmentation will make the Indo-Pacific more cyber-resilient.

Let us tear away the red tape that tears us apart.

The five-domains update

Sea state

Australian assembly of the first Multi Ammunition Softkill System (MASS) shipsets for the Royal Australian Navy began this month at Rheinmetall’s Military Vehicle Centre of Excellence in Redbank, Queensland. The ship protection system, which uses launched decoy projectiles to defeat incoming sensor-guided missiles, will be integrated into Australia’s ANZAC-class frigates and Hobart-class destroyers. The system has already been operated by New Zealand’s two ANZAC-class frigates for about 10 years.

Last week, Defence announced upgrades to the main transmitter at the Harold E Holt Communication Station near Exmouth, Western Australia—the first major overhaul since the facility was commissioned by the US navy in 1967. The Australian-operated very-low-frequency antenna array contributes to US nuclear deterrent through long-range communication with US ballistic-missile submarines. Maintenance will be carried out on a rolling schedule, to ensure the station remains in operation.

Flight path

China’s J-36 stealth fighter was back in the sky for its second test flight, this time flying solo. The test flights seemingly reveal two unique features: a diverterless supersonic inlet design that assists in regulating air flow and a three-engine layout. Both features suggest supersonic speed capabilities. The timing of its debut signals China’s readiness to challenge the United States’ aerial dominance in the Asia-Pacific region. Last weekend the US made a surprise announcement awarding the Next Generation Air Dominance contract to Boeing for the F-47 fighter jet.

Canada will become the first buyer of Australia’s Jindalee Operational Radar Network (JORN). The world-leading radar technology system can detect and track targets thousands of kilometres away by refracting high frequency radio signals. Its sale could be Australia’s biggest defence export to date. The surprise announcement from new Canadian Prime Minister Mark Carney comes despite the US’s long-held interest in acquiring the technology.

Rapid fire

The first two of 42 planned High Mobility Artillery Rocket Systems (HIMARS) vehicles were delivered to Australia this week. The Albanese government accelerated the acquisition of the US-made precision-strike platform. The systems will be fielded by the 10th Fires Brigade and improve army capabilities. The delivery follows the signing of a memorandum of understanding between Australia and the US in March for co-assembly of Guided Multiple Rocket Launch System (GMLRS) munitions for use with HIMARS platforms. Assembly will begin at Orchard Hills in Western Sydney later this year.

At the end of February, Defence Minister Richard Marles inspected the first batch of the Australian army’s new AS9 self-propelled artillery and AS10 armoured ammunition resupply vehicles. The South Korean designs will be manufactured by Hanwha at its Armoured Vehicle Centre of Excellence at Avalon. Australian supply chain partners are already producing components to support delivery. The AS9 is the army’s first self-propelled artillery piece. The army currently operates M777 towed artillery.

Final frontier

An Australian-made nanosatellite was successfully launched into low-Earth orbit as part of Defence’s Buccaneer project. Weighing less than ten kilograms, Buccaneer Main Mission was a collaboration between Adelaide-based Inovor Technologies and the Defence Science and Technology Group. Over its 12-month operational lifespan, the nanosatellite will gather data on how radio waves propagate through the upper atmosphere, potentially improving Australia’s over-the-horizon radar capabilities.

At the end of last month, US-based Varda Space Industries retrieved its Winnebago-2 space capsule after re-entry over remote South Australia. The landing site, Koonibba Test Range, is about 500km north-west of Adelaide. It is operated by Australian firm Southern Launch in partnership with the Koonibba Community Aboriginal Corporation. As the first commercial return to a commercial spaceport anywhere in the world, this is a landmark moment for Australia’s space industry.

Wired watchtower

Microsoft has released research showing that Russian state-sponsored hacking groups are expanding cyber operations to target critical infrastructure and governmental organisations in Western countries, including Australia. The BadPilot campaign is associated with Russian state actor Seashell Blizzard, and intrusions have targeted sectors such as energy, telecommunications and defence manufacturing. Hackers exploit known but unpatched vulnerabilities in widely used IT management and remote access software platforms. Once they gain access, they maintain their presence in compromised networks using legitimate remote-access tools such as Atera Agent and Splashtop remote services.

The Australian Securities and Investments Commission is taking fixed-income broker FIIG Securities to court after a 2023 cyberattack. The attack affected FIIG’s entire IT network and resulted in the theft of approximately 385 gigabytes of confidential data, potentially exposing the personal information of around 18,000 clients. ASIC alleged that FIIG failed to update and patch its software and lacked sufficient cybersecurity measures, leaving its systems exposed to intrusion and data theft. This breach contributed to growing concerns over Australia’s cybersecurity resilience and was part of a broader pattern of intrusions, including those attributed to state-backed groups.

The threat spectrum

 

Information operations

Australia has banned cybersecurity software Kaspersky from government use because of risks of espionage, foreign interference and sabotage. The Department of Home Affairs said use of Kaspersky products posed an unacceptable security risk to the Australian government, networks and data. Government agencies have until 1 April 2025 to remove the software from all systems and devices. The ban follows a February decision to ban Chinese-owned AI platform DeepSeek from all government systems and devices.

Among members of the Five Eyes intelligence partnership, Canada, Britain and the United States had already announced restrictions on use of Kapersky products. The US banned sales and licensing of Kaspersky products within the US or by US citizens last year over fears of Russian control and influence over the company. Kaspersky said the US decision arose from the current geopolitical climate rather than technical assessments of its products.

Follow the money

Talks in Canberra last week over the future of Darwin Port and its lease to Chinese infrastructure operator Landbridge Group ended in a fizzle. Northern Territory officials met with federal counterparts after federal Labor member of parliament Luke Gosling said the government was examining options for buying back the 99-year lease. The federal opposition supported that proposal, citing the strategic significance of the port for Australian and US defence posture in the country’s north.

But last week’s meeting ended with no clear pathway forward. Northern Territory Infrastructure Minister Bill Yan expressed dismay that the federal government, citing election timing, declined to make concrete commitments about the port.

The meeting followed recent uncertainty over Darwin Port’s finances. Last November the Port disclosed a $34 million net loss for the financial year 2023–24. The port company also said Landbridge had defaulted on corporate bonds worth $107 million and might sell some of its Chinese assets in coming months.

Terror byte

A new report from Australia’s eSafety Commissioner reveals that between April 2023 and February 2024 Google received 258 user reports of suspected deepfake terrorist content made using its own AI software, Gemini. Commissioner Julie Inman Grant characterised these and other gaps in Google’s content moderation as ‘deeply concerning’.

The commissioner issued transparency reporting notices to Google, Meta, WhatsApp, X, Telegram and Reddit in March 2024 requiring each company to report on its progress in tackling harmful content and conduct online. X challenged the notice in the Administrative Review Tribunal, and Telegram has been fined over $950,000 for its delayed response. The commissioner’s report, released last week, finds Big Tech’s progress on content moderation unsatisfactory, highlighting slow response times, flawed implementations of automated moderation, and the limited language coverage of human moderators.

The eSafety commissioner has repeated calls for platforms to implement stronger regulatory oversight and increase transparency on harm minimisation efforts. This follows the latest annual threat assessment from the Australian Security Intelligence Organisation, which stressed the importance of stricter content regulation in prevention against radicalization and highlighted the role that tech companies can play in this domain.

Democracy watch

The New South Wales state government introduced new hate-crime laws into parliament in response to rising antisemitic and Islamophobic violence, including a 580 percent increase in Islamophobic incidents and threats against places of worship. These laws, which the parliament passed, expanded offences of advocating or threatening violence, imposed mandatory minimum sentences and strengthened measures to prevent ideologically motivated attacks. While intended to safeguard public safety and national stability, they have sparked concerns regarding possible infringement of democratic principles, particularly freedom of expression.

While these laws aim to curb hate-fueled violence, critics argue that they may limit free expression. Others say they create loopholes. The legislation permits individuals to cite religious text in discussions, shielding certain forms of extremist rhetoric from prosecution. Additionally, the introduction of mandatory minimum sentences has been criticized for potentially undermining judicial discretion and disproportionately affecting marginalised groups.

Planet A

Tropical Cyclone Sean forced Rio Tinto to shut down Dampier port in Western Australia for five weeks in early 2025, costing 13 million metric tons in lost exports. In 2019, Cyclone Veronica closed Port Hedland, reducing Rio Tinto’s iron ore production for the year by an estimated 14 million metric tons. More recently, in February 2025, Cyclone Zelia closed Port Hedland and Dampier, disrupting iron ore shipments and halting operations at BHP, Rio Tinto, and Fortescue Metals.

An ASPI report released on the 50th anniversary of Cyclone Tracy recommended that disaster resilience must go beyond infrastructure reinforcement. To mitigate climate risks, the country also needs advanced predictive technologies, such as satellite monitoring, and early warning systems.

Reaction isn’t enough. Australia should aim at preventing cybercrime

Australia’s cyber capabilities have evolved rapidly, but they are still largely reactive, not preventative. Rather than responding to cyber incidents, Australian law enforcement agencies should focus on dismantling underlying criminal networks.

On 11 December, Europol announced the takedown of 27 distributed platforms that offered denial of service (DDoS) for hire and the arrest of multiple administrators. Such a criminal operation allows individuals or groups to rent DDoS attack capabilities, which enable users to overwhelm targeted websites, networks or online services with excessive traffic, often without needing technical expertise.

The takedown was a result of Operation PowerOFF, a coordinated and ongoing global effort targeting the cybercrime black market. While the operation has demonstrated the evolving sophistication of international law enforcement operations in tackling cyber threats, it has also exposed persistent gaps in Australia’s cyber enforcement and resilience. To stay ahead of the next wave of cyber threats, Australia must adopt a more preventative approach combining enforcement with deterrence, international cooperation, and education.

Operation PowerOFF represents a shift in global cybercrime enforcement, moving beyond traditional reactive measures toward targeted disruption of cybercriminal infrastructure. Unlike previous efforts, the operation not only dismantled illicit services; it also aimed to discourage future offenders, deploying Google and YouTube ad campaigns to deter potential cybercriminals searching for DDoS-for-hire tools. This layered strategy—seizing platforms, prosecuting offenders and disrupting recruitment pipelines—serves as a best-practice blueprint for Australia’s approach to cybercrime.

The lesson from Operation PowerOFF is clear: Australia must shift its cyber strategy from defence to disruption, ensuring that cybercriminals cannot operate with impunity.

One of the most effective elements of Operation PowerOFF is its focus on dismantling the infrastructure of cybercrime, rather than just arresting individuals. By taking down major DDoS-for-hire services and identifying more than 300 customers, Europol and its partners effectively collapsed an entire segment of the cybercrime market.

This strategy is particularly relevant for Australia. Cybercriminal operations frequently exploit weak legal frameworks and enforcement gaps in the Indo-Pacific region. Many DDoS-for-hire services, ransomware networks and illicit marketplaces are hosted in jurisdictions with limited enforcement capacity, allowing criminals to operate across borders with little fear of prosecution.

Australia must expand its collaboration with Southeast Asian law enforcement agencies on cybercrime, ensuring that cybercriminal havens are actively targeted rather than passively monitored. Without regional cooperation, Australia risks becoming an isolated target rather than a leader in cybercrime enforcement.

Beyond enforcement, Australia must integrate preventative strategies into its cybercrime response. The low barriers to entry for cybercrime mean that many offenders—particularly young Australians—are lured in through gaming communities, hacking forums and social media.

Targeted digital deterrence, including algorithm-driven advertising campaigns, could disrupt this pipeline, steering potential offenders toward legal cybersecurity careers instead of cybercrime. An education-first approach combined with stronger penalties for repeat offenders, will help prevent low-level offenders from escalating into hardened cybercriminals, while helping to ensure that those cybercriminals face consequences.

Australia’s cybercrime laws must also evolve to address the entire cybercriminal supply chain, not just the most visible offenders. Operation PowerOFF showed that cybercrime is not just about the hackers who launch attacks, but also the administrators, facilitators, and financial backers who enable them.

Australian law enforcement should target financial transactions supporting cybercrime, using crypto-tracing and forensic financial analysis to dismantle cybercriminal funding networks. Harsher penalties for those who fund or facilitate DDoS-for-hire services could create a more hostile legal environment for cybercriminal enterprises, ensuring that they cannot simply relocate to more permissive jurisdictions. At the same time, youth diversion programs should be expanded, offering first-time cyber offenders rehabilitation options rather than immediate prosecution, preventing them from becoming repeat offenders.

Operation PowerOFF’s success is a win for international cybercrime enforcement, demonstrating that proactive, intelligence-driven disruption can dismantle even the most entrenched criminal networks.

But it is also a warning: without continuous vigilance, cybercriminals will regroup, rebrand, and relaunch. Australia must act now to strengthen its cyber enforcement, combining international cooperation, legal reform and preventative education to ensure that cybercriminals see Australia as a hostile environment for their activities, not a soft target.

States vulnerable to foreign aggression embrace the cloud: lessons from Taiwan

Taiwan is among nations pioneering the adoption of hyperscale cloud services to achieve national digital resilience.

The island faces two major digital threats: digital isolation, in which international connectivity is intentionally severed or significantly degraded (for instance, if all submarine cables are cut), and digital disruption, in which local infrastructure, such as data centres, is inoperable.

To counter this, Taipei is shifting critical public systems and government data to global cloud platforms, and turning global cloud providers Microsoft, Google, and Amazon into partners in national resilience. But this reliance on foreign tech giants raises questions about sustained sovereignty in times of crisis.

Taiwan has learned from Ukraine’s digital survival before and right after Russia’s full-scale invasion in 2022. When threats to Ukraine’s physical and digital critical infrastructure escalated, the government in Kyiv rushed through amendments to its data protection law, permitting government data to be stored on public cloud platforms. This amendment allowed Ukraine to shift critical data and services to cloud infrastructure across Europe. So essential government functions, public services and important private sector functions remained available even when its local physical infrastructure was under siege.

Building on these insights, Taiwan in 2023 launched a four-year, NT1.34 billion ($65.7 million) plan to transition 18 critical civilian government information systems to the cloud in 2023. This includes services such as national health insurance, vehicle management and border control systems. The effort is intended to ensure continuity of essential digital services during disasters and emergencies and to enable swift operational recovery in the case of outages.

According to a press release, this involves ‘cryptographic splitting and data backup mechanisms’. Although details are scarce, the Taiwanese government is presumably distributing encrypted backups of critical national data offshore stored across various cloud providers and retaining exclusive access to the decryption key. As part of this effort, former minister of the Ministry of Digital Affairs Audrey Tang suggested Taiwan would conduct contingency drills that would involve rerouting operations to alternative locations, such as Japan or Australia.

While hyperscale cloud services offer resilience against cyber and physical threats, they prompt questions around data sovereignty and personal data protection: how can a government keep control over data and services managed through foreign commercial infrastructure? How can privacy laws be enforced when data is outside of a nation’s physical jurisdiction?

Taiwan has taken a pragmatic approach, allowing data-holding entities to use foreign cloud infrastructure as long as they can strictly adhere to Taiwan’s privacy requirements. For instance, in 2023 the Financial Supervisory Commission amended its rules to allow the financial industry to use foreign cloud platforms for some operations, provided they met information security regulations, particularly regarding de-identification processes and personal data protection.

Cloud providers are acutely aware of contentions around digital sovereignty and have responded by offering ‘sovereign hyperscale cloud’ solutions. These involve security controls specifically implemented to meet local regulations and requirements, such as restricting data access and management to security-cleared local personnel operating from their national jurisdiction. The Australian Department of Defence is one enterprise that intends to implement sovereign hyperscale cloud, alongside sovereign cloud from domestic cloud providers as part of its cloud strategy. The willingness of global hyperscale cloud providers to adapt their offerings reflects their increasing role in national security.

In Taiwan, the Ministry of Digital Affairs is taking advantage of this adaptability. They have worked to bring the three major cloud providers (Google, AWS, Microsoft) into Taiwan and are actively encouraging them to build local partnerships with the satellite communication vendors to create locally resilient systems that can switch to satellite communications during emergencies and prioritise essential data transmission. These measures are particularly important for a country that imports 98 percent of its energy and faces regular challenges from natural disasters, such as earthquakes and typhoons, as well as military and hybrid threats. By establishing redundant systems through cloud and satellite infrastructure, Taiwan can maintain critical government functions even when local systems are compromised.

Cloud providers face operational risks when supporting nations vulnerable to aggression. When AWS and Azure took over the hosting of Ukraine’s critical systems and data, their cloud infrastructure became a target of state and non-state cyberattacks. Yet this exposure provides valuable cyber threat intelligence, which is then used to improve security products, benefitting other customers.

The deepening integration of technology in national security and digital resilience introduces new dynamics to the relationship between states and global technology providers. These companies are no longer just technology providers; they are custodians of critical national assets. This shift demands a mature framework of collaboration: one that considers tech companies as potentially essential partners in national resilience, including as part of the digital supply chain. This inherently comes with mutual commitments centred around trust, accountability, oversight and responsibility that are sustainable during times of crisis.

Taiwan’s integration of hyperscale cloud into their national resilience strategy shows how nations can leverage leading global technological capabilities while maintaining oversight over their critical systems and sensitive data. This model may well define strategic autonomy in an age where digital resilience depends on foreign-provider infrastructure.

ASEAN cyber norms need broad stakeholder engagement

As Malaysia assumes the chairmanship of the Association of Southeast Asian Nations in 2025, the government wants to make its mark on the region’s cybersecurity cooperation framework. Malaysia is keen to develop the third iteration of the cybersecurity cooperation strategy, which will guide ASEAN’s collaborative efforts in cyberspace. But to be truly effective, cooperation must remain a multistakeholder affair.

The landmark release of ASEAN’s cyber norms checklist in October last year, championed by Malaysia and Singapore, translated the United Nations’ eleven norms of responsible state behaviour in cyberspace into practical steps. ASEAN member states now have a structured way to implement cyber norms, focussing on political endorsements and safeguarding critical infrastructure.

However, the real challenge isn’t adoption; it’s implementation. Making these principles work in the real world requires more than government buy-in; it demands broad cooperation across sectors and countries.

As I have argued, one of the biggest hurdles is embedding these norms into the operations of defence, law enforcement and intelligence agencies. Southeast Asia’s cyber capabilities are expanding, but transparency remains a sticking point. Militaries, intelligence agencies and law enforcement are embracing cyber tools, but are reluctant to discuss operations and strategies. These institutions see cyber norms as constraints rather than mechanisms for stability. Without transparency, trust erodes as states struggle to gauge each other’s cyber intentions and capabilities.

Recognising these challenges, in August 2024, ASPI brought together experts from Australia, ASEAN member states and Timor-Leste in a civil society dialogue in Kuala Lumpur sponsored by the Australia-ASEAN Centre. Discussions on the shifting cyber threat landscape, regional progress on cyber norms and strategies for strengthening cooperation highlighted one thing—transparency, information sharing and collaborative threat assessments reduce misperceptions and strengthen trust among ASEAN members.

But governments cannot implement cyber norms alone. They must collaborate with those who build, manage and depend on digital infrastructure and with those who advocate for digital rights, privacy and cybersecurity. Private sector actors, particularly technology firms that manage critical information infrastructure, need to be engaged to ensure that cyber norms are not only socialised but policies or initiatives that come out of them are practical, enforceable and aligned with the rapidly evolving cyber landscape. Industry-driven initiatives, such as sector-specific security standards for critical infrastructure, can support government-led efforts by introducing adaptable and enforceable cybersecurity measures.

Academia and think tanks also play a role by supporting capacity-building programs and offering research and policy insights that help shape decision-making. They can help assess the success of policy measures, including progress in norms operationalisation, and can function as informal intermediaries between governments seeking to communicate issues indirectly.

For ASEAN’s cyber norms to take root, multistakeholder engagement must be institutionalised through regular dialogues that include government and non-government actors. ASEAN has long used these mechanisms to navigate complex security challenges. Applying them to cyber governance will ensure that all member states, regardless of their cyber capabilities, have a say in shaping the region’s approach to cybersecurity.

Beyond dialogues, ASEAN needs a regional model of cyber norms maturity to measure their progress in implementing UN cyber norms. Such a model would consider factors such as cybersecurity infrastructure, legal frameworks and policy development. A structured roadmap would enable ASEAN states to move from basic compliance to advanced implementation, creating a stronger, more cohesive approach to cybersecurity.

Engaging local stakeholders is just as important. Cyber norms shouldn’t just be the domain of policymakers; they must resonate with businesses, academics and local communities. Bringing small and medium-sized enterprises, universities and civil society groups into the conversation ensures that cyber norms are implemented in ways that are practical, relevant and responsive to local challenges. Regular feedback loops will help refine these norms over time, keeping them relevant and adaptive.

In addition, discussions on cyber norms must break out of traditional security silos. Cybersecurity challenges intersect with issues such as environmental protection, trade, human rights and even cultural heritage. ASEAN should take a broader, interdisciplinary approach and incorporate insights from diverse fields to craft comprehensive solutions. For example, protecting critical infrastructure, such as submarine cables, shows that cyber resilience is interconnected with economic and environmental stability.

As a long-standing ASEAN partner, Australia has a key role to play. Recognising that cyber threats do not respect borders, Australia has been a strong advocate for regional cybersecurity cooperation in Southeast Asia. Australia can offer technical expertise, capacity-building programs and legal assistance to help ASEAN member states bridge cyber capability gaps and build a resilient digital ecosystem.

ASEAN’s adoption of the cyber norms checklist is a promising step, but real progress will depend on sustained implementation, capacity-building and advocacy. Multistakeholder collaboration, including between ASEAN and Australia, will ensure these norms move from paper to practice. Through inclusive engagement and cooperative action, the region can take decisive steps toward a secure, resilient and rules-based Indo-Pacific cyber landscape.

Economic cyber-espionage: a persistent and invisible threat

Economic cyber-espionage, state-sponsored theft of sensitive business information via cyber means for commercial gain, is an invisible yet persistent threat to national economies. As more states use cyber tools to secure economic and strategic advantages, a growing number of countries, particularly emerging economies, are vulnerable.

In response, G20 members agreed in 2015 that no country should engage in cyber-enabled theft of intellectual property (IP) for commercial gain.

That resulted in expectations that states could provide assurances that their cyberspace activities didn’t seek foreign IP for unfair economic advantage, that they could provide IP holders with a protective framework, and that they could attain a level of cybersecurity maturity for protection of IP-intensive sectors.

Unfortunately, the reality is different. The number of cyber operations targeting private forms has quadrupled since 2015. As technological capabilities become central to national power, states are increasingly seeking shortcuts to competitiveness. Cyber operations seemingly offer an effective and attractive means.

The shift in cyber-espionage to target emerging economies is evident in the data analysed by ASPI. Our first report, State-sponsored Economic Cyber-espionage for Commercial Purposes: Tackling an invisible but persistent risk to prosperity, noted that in advanced economies accounted for 60 percent of reported cyber-espionage cases in 2014. By 2020, that proportion had reversed, with emerging economies now bearing most campaigns.

Two follow-up reports, released today, shed light on how countries confront this growing threat. In State-sponsored Economic Cyber-Espionage: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft, we evaluated the readiness of 11 major emerging economies to counteract cyber-enabled IP theft: Argentina, Brazil, Colombia, India, Indonesia, Malaysia, Mexico, Peru, the Philippines, Thailand and Vietnam. They represent some of the fastest-growing innovative economies in the world. Many are rapidly expanding in knowledge-intensive sectors such as biotech, advanced manufacturing and digital services. However, the report’s findings are concerning.

Most countries in South Asia, Southeast Asia and Latin America don’t recognise cyber threats to innovation and knowledge sectors as a major issue. This stance is reflected at the political-diplomatic level, where no government of an emerging economy has weighed in on these threats to innovation. Indonesia, India and Brazil, during their G20 presidencies, refrained from including cyber-enabled IP theft on the forum’s agenda.

When authorities in South and Southeast Asia and Latin America have strengthened their capacities to investigate and prosecute IP theft cases, it’s been driven by efforts to achieve conformity with World Trade Organization standards. But most governments struggle to live up to expectations in terms of securing and respecting higher-end IP, particularly when cases involve trade secrets and sensitive business information and when threat actors are believed to operate from foreign jurisdictions.

While no economy is safe from the risk of economic cyber-espionage, some are likelier targets, and some are more prepared to withstand the threat. Defending against economic cyber-espionage is an exercise in matching a response posture with an ongoing assessment of an economy’s risk profile

In our second report, State-sponsored Economic Cyber-espionage: Governmental practices in protecting IP-intensive industries, we looked at measures that governments in various parts of the world have taken to defend their economic crown jewels and other important knowledge-intensive industries from cyber threats.

Most prominently, in October 2023 the heads of the Five Eyes’ major security and intelligence agencies appeared together in public for the first time. In front of a Silicon Valley audience, they called China out as an ‘unprecedented threat’ to innovation across the world. That was followed up in October 2024 with a public campaign, Secure Innovation, which mirrored similar efforts by European and Japanese governments.

But still, IP-intensive industries aren’t held to the same levels of protection and security scrutiny as government agencies or providers of critical infrastructure, despite accounting for the bulk of GDP growth, innovation and future employment.

Defending against economic cyber-espionage is complex. It involves defending against other states, or groups operating with their consent. These actors tend to be well resourced or insulated from consequences. At the coalface of those malicious cyber activities stand private and public companies—big and small—as well as research labs and universities. They’re the first line of defence against many cyber threats, including state-sponsored threat actors.

Governments can and must play an outsized role in shaping standards for making a country’s innovation ecosystem more cyber and IP secure. This involves strengthening domestic enforcement mechanisms. The issue must also be re-energising in forums such as the World Trade Organization, United Nations General Assembly and ministerial meetings under such organisations as the Quad and Association of Southeast Asian Nations. Interventions must focus on measures that prevent IP theft. After all, once IP is stolen, it’s stolen for good—along with all research and development investments made up to that point.

Editors’ picks for 2024: ‘Exclusive: Inside Beijing’s app collecting information from Belt and Road companies’

Originally published on 27 September 2024.

China’s Ministry of Foreign Affairs operates a secure digital platform that connects it directly with Chinese companies operating abroad, requiring participating companies to submit regular reports about their activities and local security conditions to the government, internal documents reveal.

The documents obtained and verified by ASPI’s China Investigations and Analysis team show how the platform, called Safe Silk Road (平安丝路), collects information from companies participating in the Belt and Road Initiative (BRI), Chinese leader Xi Jinping’s signature foreign policy initiative. The BRI has facilitated Chinese infrastructure projects and other investment in more than 100 countries, particularly developing regions. The Safe Silk Road platform was initially launched in 2017 and is now used by at least dozens of Chinese companies across several continents.

By tapping into the extensive network of Chinese companies engaged in projects around the world, the platform demonstrates how Beijing is finding new ways of improving its global information and intelligence collection to better assess risks, and ultimately protect its interests and its citizens, even in the most remote corners of the world. The Safe Silk Road platform is one more building block in the growing global infrastructure that seeks to place the Chinese government at the center of the Chinese experience abroad, and that replicates some of the structures of information collection and surveillance that have now become ubiquitous within China.

The MFA’s External Security Affairs Department (涉外安全事务司), which operates the Safe Silk Road, has said the platform is a direct response to the difficulty of obtaining information relevant to Chinese companies abroad. The information the app collects feeds into the department’s assessments. The platform is also part of a trend across Chinese government ministries of creating apps to facilitate some of the work they were already doing.

ASPI is the first organisation to report on the Safe Silk Road platform. It is mentioned on some regional Chinese government websites but has not been covered by Chinese state media. The platform operates through a website and an associated mobile app that can only be accessed with registered accounts.

The platform is not available for download in app stores. The documents state that the platform is only intended for companies’ internal use, and that users are strictly prohibited from circulating information about it online. Companies can apply for an account through the MFA’s External Security Affairs Department or their local consulate and, once approved, designate an official contact person within the company, called a ‘company liaison officer’ (公司联络员), who is authorized to submit reports and use the app’s full functionality. The MFA provides companies with a QR code to download the app and requires companies to use the platform’s bespoke VPN with the app and desktop version.

 

 

Companies are asked to submit quarterly reports through the app. Those reports include basic information such as the name, national ID number and contact information of the owner, the region in which the company operates, its sector or industry, the amount of investment in US dollars, the number of Chinese and local employees, and whether it has registered with a local Chinese embassy or consulate, according to internal company documents viewed by ASPI analysts.

The app has a feature called ‘one-click report’ for ‘sudden incidents’ (突发事件) that allows users to report local security-related incidents directly to the MFA, according to the documents and other materials. The reporting feature includes the following categories: war/unrest, terrorist attack, conflict between Chinese and foreign workers, protest, kidnapping, gun shooting, production safety accident, contagion/epidemic, flood, earthquake, fire, tsunami, and other. The user can then provide more information including date, location and other details about the incident.

The reporting form also asks the company to provide information about its ‘overseas rights protection object’ (海外权益保护对象) and ‘police resources database object’ (警务资源库对象). An ‘overseas rights protection object’ may refer to patents, trademarks, and copyrights held by the company; the Chinese government has made protecting the intellectual property of Chinese companies a key focus in recent years. ‘Police resources database object’ is a vague term that may refer to security contractors, Chinese overseas police activity, or physical assets or company personnel that need protecting.

Users can subscribe to real-time security updates for their region and register to attend online safety training classes. There is even a video-conference feature within the app that allows embassy officials to call the app user directly. It is common for foreign ministries to create digital services that provide information and security alerts for their citizens abroad—such as Australia’s ‘Smartraveller’, the US Smart Traveler Enrollment Program (STEP), and China’s own ‘China Consul’ (中国领事).

The Safe Silk Road platform, however, is different. It is not public-facing, it is tailored specifically for BRI companies and, most importantly, it asks for detailed information from those companies about their own activities and local conditions, rather than just offering helpful information. For some companies, participation may even be compulsory.

ASPI’s analysis of the Safe Silk Road platform underscores Beijing’s determination to safeguard its global infrastructure and investment power play under the BRI. As China’s investment in developing regions has grown, so has Beijing’s emphasis on protecting its citizens, companies, and assets abroad.

As of December 2023, about 150 countries had joined the BRI. According to the official Belt and Road Portal, China has 346,000 workers dispatched overseas. BRI-affiliated companies often run projects in regions with underdeveloped infrastructure, high poverty, poor governance, lack of quality medical care, domestic political instability, violent crime, and terrorist attacks. Private security contracting companies are increasingly offering their services to Chinese companies abroad. The number of Chinese private security contractors has expanded dramatically in recent years as BRI companies have faced growing security challenges.

Several events over the past few years, including the pandemic and a string of attacks in Pakistan in 2021 targeting Chinese nationals supporting BRI projects, have underscored to Beijing the need for better security measures. At the third Belt and Road symposium in 2021, Xi Jinping said China needed ‘an all-weather early warning and comprehensive assessment service platform for overseas project risks’. The External Security Affairs Department said the same year that ‘the difficulty of obtaining security information is one of the major problems faced by companies who “go out”’, referring to Chinese companies that invest overseas. To address this concern, the department ‘launched the Safe Silk Road website and the related mobile app to gather information about security risks in Belt and Road countries to directly serve company personnel engaged in projects overseas’. The department said that in 2021 the app was used to disseminate 13,000 pieces of information, including more than 2,800 early warnings.

More broadly, the platform is illustrative as a digital tool to help Beijing protect its interests abroad. The External Security Affairs Department was established in 2004 in response to a perceived increase in kidnappings and terrorist attacks targeting Chinese nationals abroad, but its role in China’s security policy has expanded since then.

The department’s leading role in ‘protecting China’s interests abroad’ (中国海外利益保护) meets an objective increasingly found in official Chinese Communist Party documents and Chinese law. This objective appears in China’s National Security Strategy 2021–2025, the new Foreign Relations Law 2023, and new regulations on consular protection and assistance passed in 2023. The party’s ability and readiness to protect China’s interests abroad is considered one of the historic achievements of the party, according to a resolution it passed in 2021.

But the exact scope of China’s interests abroad is still a matter of debate in the public commentary among Chinese national security and foreign policy academics and analysts. Are China’s interests just the physical security of Chinese nationals and commercial or strategic assets in foreign countries? Or do they also include ‘intangible interests’ (无形利益), such as protecting China’s national image and reputation, and anything else that should be within China’s national interest as a major global power? How the Chinese government currently defines China’s interests abroad is probably somewhere in the middle, and may broaden.

China has a widely recognised deficiency: gaps in its overseas intelligence collection capabilities. Safe Silk Road is part of the toolbox that the External Security Affairs Department uses to extend the range and effectiveness of Beijing’s information-gathering and to better understand the situation on the ground everywhere that China has interests.

CrowdStrike glitch sounds a cybersecurity alarm we cannot ignore

The recent CrowdStrike outage was not just a technical hiccup; it was a seismic tremor that exposed the brittle foundations on which Australia’s digital economy stands. 

A faulty security update, a false positiveand suddenly thousands of businesses worldwide found their digital defences compromised. It wasn’t a cyberattack, but it provided a glimpse into the chaos that could follow if a widespread cyber attack were launched against critical infrastructure.

As such, the CrowdStrike incident exposed several glaring weaknesses in our current approach and has underscored the need for a fundamental shift in our cybersecurity culture. To mitigate these risks, Australia must adopt a proactive and multi-faceted approach to cybersecurity, moving beyond reactive measures and embracing a culture of resilience. 

Many organisations still underestimate the gravity of cyber threats, viewing them as an IT problem rather than a strategic business risk. This complacency is a dangerous luxury we can no longer afford. Cybersecurity is not just about firewalls and antivirus software; it’s about building a resilient organisation that can withstand and recover from cyberattacks.

CrowdStrike, a cybersecurity behemoth, found itself red-faced as its Falcon platform, designed to safeguard clients from cyber threats, ironically turned into the threat itself. The faulty update meant Falcon misidentified legitimate files as malicious, crippling endpoint protection and meaning clients could only continue operating if they disabled their security, which would leave them vulnerable to intrusions.

In Australia and around the world, airlines, financial services, supermarkets and ports were disrupted and in some cases forced temporarily to shut down.

This incident is far from an isolated event. In 2017, British Airways suffered a catastrophic IT failure that grounded flights worldwide, causing chaos for hundreds of thousands of passengers. The 2021 Fastly outage took down major websites, including Amazon, Reddit, and The New York Times, for hours. 

The CrowdStrike outage once again showed the vulnerability of our digital ecosystem. We are tethered to a complex web of interconnected systems, each with its potential points of failure.

Our digital economy, while a marvel of innovation and efficiency, is also a sprawling attack surface for malicious actors. The increasing sophistication of cyber threats, from ransomware attacks to state-sponsored espionage, demands a robust and multi-layered defence strategy.

The first clear problem is our over-reliance on a single vendor for critical security services. When that vendor stumbles, the impact can be disproportionate. The lack of redundancy and backup systems in many organisations leaves them vulnerable to operational paralysis in the event of a disruption.

We must dismantle this dangerous reliance on single vendors for critical services. Instead of putting all our eggs in one basket, we must diversify our cybersecurity providers to reduce the impact of any single vendor’s failure and also foster a more competitive and innovative market for security solutions. 

This could involve distributing critical functions across multiple providers, ensuring that a disruption in one doesn’t cripple the entire system.

We must invest heavily in redundancy and backup systems. Our critical infrastructure, from banking systems to power grids, should be designed with multiple layers of redundancy, ensuring that even if one component fails, the system can continue to operate seamlessly. Regular backups of data and critical applications are non-negotiable. This includes not just storing backups onsite but also maintaining secure off-site copies to protect against physical disasters or targeted attacks.

Second, the incident highlights the need for more comprehensive and agile incident response plans. Organisations need to be able to quickly identify and address disruptions, minimizing the impact on their operations and customers. 

They need comprehensive, well-documented plans that are regularly tested and refined. These plans should clearly delineate roles and responsibilities, establish robust communication channels, and detail escalation procedures for different types of incidents. The goal is to create a well-oiled machine that can spring into action at the first sign of trouble, minimizing downtime and mitigating damage.

Third, Australia needs to adopt a zero-trust approach to cybersecurity. This means assuming that every user and device, even those within the network perimeter, could be compromised. This approach necessitates continuous monitoring and verification of all users and devices, micro-segmentation of networks to limit lateral movement, and the use of multi-factor authentication to secure access to sensitive data.

Finally, we must foster a culture of cyber awareness that permeates all levels of society, from the boardroom to the classroom. This means educating not just IT professionals but also business leaders, policymakers, and the general public about the evolving cyber threat landscape. Regular training and awareness programs should be mandatory for all employees, emphasizing the importance of vigilance, secure practices, and prompt reporting of suspicious activity.

By embracing these measures, Australia can transform its digital economy from a house of cards into a fortress. We can create a system that is not just resilient to cyberattacks and technical glitches but also adaptable to the ever-evolving threat landscape. This is not just about protecting our economic interests; it’s about safeguarding our way of life in the digital age. 

The CrowdStrike outage is a wake-up call—a reminder that our digital economy is not invincible.  The question is not whether another incident will occur, but when. 

The time for complacency is over. We need to act now to safeguard our digital future.  The stakes are too high to ignore.

Australia needs to talk more openly about offensive cyber operations

Australia’s 2023 cybersecurity strategy makes clear that most of the things we need to do to protect ourselves in cyberspace are essentially defensive. The strategy is usefully organised according to six ‘shields’.

But sometimes we also need a sword. Offensive cyber is the pointy end of cybersecurity. It can be understood expansively as encompassing all the threats that defensive cyber is, in the strategy’s terms, trying to ‘block’. ASPI’s cyber, technology and security program defines offensive cyber as operations that ‘manipulate, deny, disrupt, degrade or destroy targeted computers, information systems or networks’. Offensive cyber is usually—but contestably—distinguished from operations whose main goal is to collect intelligence.

Offensive cyber is fraught with risk. The long list of unintended potential consequences includes spillovers, blowback and escalation. One of the earliest and most successful offensive cyber operations was the US–Israeli attack on Iran’s nuclear program. The Stuxnet virus destroyed Iranian centrifuges but probably went on to infect more than 100,000 computers around the world before it was stopped. The attack also accelerated the development—and destructive use—of Iran’s offensive cyber capabilities.

Liberal democracies are much more interested than states like Iran in preventing cyberspace from becoming a battlespace and, more broadly, in maintaining the integrity of the global information environment. The decisions they make about when and how to engage in offensive cyber operations involve fundamental questions about international order and the future of the digital information revolution. They demand extremely complex assessments of cause and effect.

Leading Western cyber powers are developing more sophisticated doctrines and concepts to guide these decisions. After Stuxnet, President Barack Obama’s administration put the United States Cyber Command on a tight leash. That was reversed by Donald Trump, who promulgated a defend-forward doctrine. Joe Biden’s administration has embraced that approach: USCYBERCOM’s more assertive posture probably blunted the Russian cyber offensive that accompanied the invasion of Ukraine. The UK is developing its own concept of responsible cyber operations accompanied by a doctrine of cognitive effects.

This work is unfinished. The issues are complex and consequential. Compelling arguments have been made that there’s no meaningful distinction between offensive and defensive cyber operations or even between information and cyber operations. Importantly, much of this discussion and debate is taking place in public.

Offensive cyber operations are usually undertaken covertly. But that’s precisely why democratic governments need to be clear with their citizens about how decisions to undertake them are made. Debating these matters publicly also allows for better consideration of the big issues involved, especially because a wider range experts can be engaged.

Australia shouldn’t be a bystander to these debates. The Australian Signals Directorate’s REDSPICE project, announced by the previous government, includes a tripling of Australia’s offensive cyber capability. The new cybersecurity strategy promises to ‘build world-class innovative offensive cyber capabilities that can deliver real world impact to deter, disrupt, degrade and deny cybercrime’. The strategy commits an additional $587 million from 2023 to 2030 for cybersecurity. That’s in addition to the $10 billion that REDSPICE will add to ASD’s budget over 10 years.

So, what is Australia’s concept of offensive cyber? Despite promising to make Australia a ‘world leader’ in cybersecurity, the strategy sheds little light. It commits to ‘transparency about the rights and obligations that govern’ the use of offensive cyber capabilities but doesn’t say much more than that Australia will comply with existing laws and help develop new ones. The best sources are the speeches of ASD’s directors-general. Since Prime Minister Malcolm Turnbull first revealed Australia’s offensive cyber capability in 2016, these speeches have incrementally disclosed more about what ASD does and why.

Australia frequently reiterates that its use of offensive cyber complies with international and domestic law. Notably, ASD’s current director-general, Rachel Noble, has emphasised that Australia defines offensive cyber operations conducted by other countries against Australia as criminal activity to which Australia may respond in kind. But international norms are unclear, are contested and lag rapid technological change. Saying that Australia complies with them therefore doesn’t reveal much about when and how it uses offensive cyber capabilities.

Following the release of ASD’s November 2023 threat report, Defence Minister Richard Marles was asked whether Australia was ‘striking back’ at cyber attackers. He responded only that, ‘We have a full range of capabilities in the Australian Signals Directorate and we’re making sure that we are as capable as we can be.’ He could have provided a much more useful and informative answer if Australia had, as the US and UK have done, developed a public offensive cyber doctrine. Australians should be told more.

The government’s public discussion of its approach to offensive cyber still falls well short of those of its Five Eyes partners. The charge that Australia has put ‘capability before concept’ in its decision to acquire nuclear-powered submarines can be more accurately applied to its approach to offensive cyber. But fixing this doesn’t require Australia to reinvent the wheel. It can and should build on intellectual work already undertaken by its Five Eyes partners.

Australia will be compelled by an increasingly complex and contested world to compete more in the grey zone. Decision-makers will face tough choices. A stronger and more public offensive cyber doctrine would keep them tethered to Australia’s values and interests as they make those decisions.

Tag Archive for: Cyber

‘Amusing ourselves to death’ in age of TikTok

Forty years ago, in a seminal masterpiece titled Amusing Ourselves to Death, American author Neil Postman warned that we had entered a brave new world in which people were enslaved by television and other technology-driven entertainment. The threat of subjugation comes not from the oppressive arm of authoritarian regimes and concentration camps but from our own willing submission and surrender.

“Big brother does not watch us, by his choice. We watch him, by ours,” Postman wrote in 1985.

“There is no need for wardens or gates or Ministries of Truth. When a population becomes distract­ed by trivia, when cultural life is redefined as a perpetual round of entertainments, when serious public conversation becomes a form of baby-talk, when, in short, people become an audience and their public business a vaudeville act, then a nation finds itself at risk; culture-death is a clear possibility.”

Postman’s insight would have been spot-on had he written this today about TikTok. Postman was mostly thinking about mass media with a commercial imperative. People would be enslaved to superficial consumerism. But add a technologically advanced authoritarian power with platforms that – unlike terrestrial TV – are essentially borderless and can reach around the globe, and you have George Orwell’s Big Brother put together with Aldous Huxley’s cultural and spiritual entropy.

Addictive digital entertainment can be corrosive even without a malign puppeteer. But with an entity such as the Chinese Communist Party fiddling the algorithms, it could be catastrophic.

Just in 2025, we have seen much of the Western world so spellbound by TikTok that the thought of living without it brought on the anguish normally reserved for the impact of conflict. “TikTok refugees” became a description, as though they had been displaced like Jews fleeing Europe or Yazidis escaping Islamic State.

Postman noted that we were innately prepared to “resist a prison when the gates begin to close around us … But what if there are no cries of anguish to be heard? Who is prepared to take arms against a sea of amusements?”

The cries of anguish were depressingly muted as TikTok built up a following in Western countries that now means four in 10 Americans aged under 30 get their “news” from TikTok, according to a recent survey by the Pew Research Centre.

When a ban was flagged, the cries came from those who couldn’t bear to give up the platform and from free speech absolutists who believed any rules amounted to government overreach. If our most popular radio stations had been based in Germany in the late 1930s, the Soviet Union during the Cold War or Syria during the ISIS caliphate, our leaders would have protected the public, regardless of popularity and notwithstanding that it would constitute government intervention in the so-called free market of ideas.

In fact, the market isn’t free because powerful actors can man­ipulate the information landscape.

Billionaire Elon Musk gives free-speech advocates a bad name by posting not just different opinions but promoting false content on issues such as Ukraine on his platform X. But more sinister is a platform such as TikTok, which is headquartered in authoritarian China and ultim­ately at the control of the CCP, with algorithms that have been demonstrated to manipulate audiences by privileging posts that serve Beijing’s strategic interests and downgrading content that does not.

Despite such threats, we have no clear framework to protect ourselves from powerful information platforms, including the newest generative artificial intelligence models such as DeepSeek, which will be increasingly available – and, thanks to their affordability, attractive – despite operating under Chinese government control. As a US court declared in upholding the congressional ban on TikTok, giving a foreign power a vector to shape and influence people’s thinking was a constraint on free speech, not an enabler of it.

Freedoms of speech and expression are core democratic principles but they need active protection. This means the involvement of governments.

US Vice-President JD Vance told the Munich Security Conference that Donald Trump represented a “new sheriff in town” who would defend free speech and “will fight to defend your right to offer it in the public square, agree or disagree”. It was an admirable derivative of the quote attributed to Evelyn Beatrice Hall describing Voltaire’s principle of “I may not agree with what you say, but I will defend to the death your right to say it”. But just as we have regulators for financial and other markets, we need regulation of our information markets.

By all means, speech should be as free as possible. Awful mustn’t equal unlawful, to borrow ASIO boss Mike Burgess’s phrase. Speech that hurts the feelings of others or advocates unpopular views cannot be the threshold for censorship. Such lazy and faint-hearted policymaking creates only a more brittle society. But that doesn’t mean we should make ourselves fish in a barrel for malign foreign powers.

Anarchy is not freedom. Governments need to brave the minefield that is modern information technology. If a platform poses risks that cannot be avoided, as with TikTok, it should be banned.

Other platforms that sit within democratic nations’ jurisdictions should be subjected to risk mitigations such as content moderation to deter and punish criminal activity. X, Facebook, Instagram and YouTube can be used as avenues for information operations, as shown by Russia buying advertisements on Facebook or CCP-backed trolls posting on X and YouTube, or be used as vectors for organised crime. Even the most ardent free-speech advocates would agree that drug trafficking, child abuse or joining a terrorist group are illegal offline and therefore should be illegal online.

No marketplace remains free and fair when governments overregulate or abdicate responsibility.

The once-free markets of trade and investment have been eroded by China to such an extent that just this week Trump issued a foreign investment policy to protect American “critical technology, critical infrastructure, personal data, and other sensitive areas” from “foreign adversaries such as the PRC”, including by making “foreign investment subject to appropriate security provisions”.

A key principle of the new presidential policy is that “investment at all costs is not always in the national interest”.

In other words, security measures and rules keep American critical infrastructure free.

While it has not yet gained much media attention, it is among the most important economic security policies ever taken to counter Beijing’s objective to “systematically direct and facilitate investment in United States companies and assets to obtain cutting-edge technologies, intellectual property and leverage in strategic industries”, and all of America’s allies and democratic partners should publicly support it and implement it domestically.

We like to think that technologies are neutral mediums that are only vehicles for improvement. As Postman wrote, this belief often rises to the status of an ideology or faith.

“All that is required to make it stick is a population that devoutly believes in the inevitability of progress,” he wrote. “And in this sense … history is moving us toward some preordained paradise and that technology is the force behind that movement.”

Science and technology have of course delivered extraordinary improvements to our health, our economic productivity, our access to information and our ability to connect with other people regardless of geography – provided we engage with it wisely. We must not become cynical about technology entirely, which is why we must maintain control over it and ensure it serves our interests.

The ultimate solution is knowledge and participation. As Postman concluded, the answer must be found in “how we watch”. With no discussion on how to use technology, there has been no “public understanding of what information is and how it gives direction to a culture”.

Postman wrote that “no medium is excessively dangerous if its users understand what its dangers are”. He insisted we were “in a race between education and disaster”.

Some light amid the enduring cyber nightmares

The  cyber security strategy released last week by the Albanese government is about collaboration and communication, not about conjuring our worst national security nightmares. It’s focused on industry and consumers.

The government, industry and citizens must work together with trust for Australia to make real change in our cyber security, and this strategy recognises that.

One of Cyber Security Minister Clare O’Neil’s objectives seems to be humanising cyber and making it appealing and accessible to everyday Australians.

Of the six “cyber shields” in the strategy, “strong businesses and citizens” is number one. The first actions out of the gate are directly helping small and medium-sized businesses with free cyber health checks and the establishment of a small business cyber security resilience service to give advice.

Arguably, these are things the Australian Cyber Security Centre should be doing already, but the $7.2 million health checks and $11 million advice program have been welcomed by industry groups.

The government is also inviting business to “co-design options” for regulation or legislative changes that affect industry.

These include a ransomware reporting obligation, a new cyber incident review board, a code of practice for cyber incident response providers, mandatory standards for smart devices, a voluntary labelling scheme for smart devices and a code of practice for software development.

It’s great that the government is including industry in the conversation, but open-ended “co-design” risks delaying real action. These phases must be strictly controlled with defined end dates.

More broadly, the strategy isn’t revolutionary. On a generous assessment, perhaps eight of the 48 prescribed actions are new initiatives. The rest Australia has tried before, or has already introduced.

This shows that, even in a constantly moving cyber security landscape, there are enduring problems. It also shows that the government is willing to build on what has been done before rather than wipe the slate clean for the sake of politics.

The two most important enduring problems that frustrate Australia’s cyber security are information sharing and cyber workforce shortages, and each has a “cyber shield” dedicated to it.

Information asymmetries between consumers, companies and governments makes stopping threats and incident responses slow, ineffective and expensive. The strategy seeks to improve information-sharing by creating better motivations and opportunities to share.

Share prices drops, reputation risks and legal ramifications are among the reasons companies avoid reporting cyber incidents to the government. Sometimes it’s honest confusion about when and how to report. The strategy proposes a range of actions to create the right environment to motivate information-sharing.

The “no fault, no liability” ransomware reporting proposal and a proposed “limited use obligation” that clarifies how the Australian Signals Directorate and the cyber security co-ordinator may use cyber incident reporting will give companies greater peace of mind. Clarifying cyber security reporting obligations under existing security of critical infrastructure legislation will remove ambiguity about how and when to report.

The strategy also creates opportunities and platforms to foster industry-government threat intelligence sharing through a cyber executive council, streamlining ASD’s reporting portal and establishing or scaling-up Information Sharing and Analysis Centres (ISACs) – a model that has worked fairly effectively in the United States for 20 years.

The co-led Microsoft-ASD Cyber Shield (MACS) – although presently opaque – should also enhance national threat intelligence sharing and capabilities. It will focus on detecting, analysing and defending against sophisticated nation-state cyber threats.

Australia’s cyber workforce, however, is the fly in the ointment. Our workforce shortage has been around for decades and is only getting bigger.

The problem is even more acute in government, where below-market salaries and onerous security requirements are additional barriers to an adequate cyber workforce.

The strategy refers to building the local cyber skills pipeline through better workforce analysis, vocational training, changes to the primary and secondary curriculum and providing additional higher education Commonwealth supported places.

These are good but existing policies. The strategy’s only real new action is increasing skilled migration. In the same breath, questions of detail are shifted to the government’s upcoming migration strategy to answer.

Australia is not alone in the global struggle to attract talent, and skilled migration settings are difficult to get right. It also raises complex questions about other major policy areas, not least of which are housing, infrastructure and the cost of living.

There is a sense that increasing migration is an easy answer to what should be a more expensive and difficult conversation on how to build on the existing policies. One moonshot would be to redirect some of the $15 billion National Reconstruction Fund into subsidising education to get tens of thousands of young Australians into cyber training and careers.

As with all strategies, implementation is essential. An action plan naming lead agencies offers welcome accountability.

The strategy’s two-year “horizons” also create a realistic runway with what should be built-in evaluation and pivot points.

And we should expect to pivot, given the degrading security environment and the rate of development of transformational technologies like artificial intelligence. On these, the strategy’s actions are unlikely to put Australia ahead of the curve, being limited to “embedding cyber security” into ongoing work and updating the Information Security Manual.

In many ways, the Department of Home Affairs and the broader Australian government are well-placed to move forward on cyber security.

As the strategy itself states, we have robust regulation in the recent Security of Critical Infrastructure legislation and strong offensive and defensive capabilities with ASD’s REDSPICE funding of $9.9bn over 10 years. Australia is a trusted partner sitting within a powerful set of multilateral arrangements, including the five eyesAUKUS, the Quad dialogue and the Pacific Islands Forum.

Home Affairs has also established the new cyber security co-ordinator’s office, a separate team to manage the strategy’s implementation, and a detailed Action Plan to execute.

On the other hand, the department is still reeling from the departures of Secretary Mike Pezzulo in September, and cyber security co-ordinator Darren Goldie last week, after only four months in the job.

Dennis Richardson’s scathing review of Home Affairs’ handling of offshore detention was leaked around the same time Goldie’s recall was announced. One of the unspoken actions of this strategy’s first horizon out to 2025 will be navigating Home Affairs’ leadership uncertainty, fiscal constraint and external scrutiny.

The Role of the Private Sector in Cyber Competition

The Lawrence Livermore National Laboratory’s Center for Global Security Research (CGSR) workshop on ‘The future of cyber competition’ was held to further an understanding of what lessons the US, and its allies, could take from how cyber has been used during Russia’s war on Ukraine. Discussion between senior US government officials, private sector experts and academia over the two days was key in highlighting that it is important to define what successful public-private partnerships look like, and how effective relationships can be built to best prepare for future conflict.

The importance of public-private partnership is at the forefront of policy debate as global technology competition continues to intensify. The passing of legislation in the United States, such as the CHIPS and Science Act 2022, aimed at securing semiconductor supply chains, and inquiries by Senators into Elon Musk reportedly thwarting a drone attack on Russian targets by denying the use of SpaceX’s Starlink satellites, is indicative of the undeniable presence of the private sector in strategic competition and global conflict. Going forward, US and allied governments need to make considerations around the normative parameters for collaboration and private sector engagement in cyber conflict, particularly given critical digital infrastructure and large troves of personal data is largely operated and managed by private sector entities.

A point raised throughout the CGSR workshop, was that strengthening and encouraging the private sector’s ability to act in geostrategic competition is not necessarily a status quo that should be reinforced. ‘Big tech’ companies are in some instances, operating with the scale and influence of countries, as is the case with SpaceX, which has been central in providing critical communication infrastructure during the Ukraine war. These companies are not bound to national interests and typically view themselves as international organisations headquartered around the world with their primary activities driven by commercial interests. This perspective was raised in conjunction with the point that while Ukraine has demonstrated an adept ability to use soft power to harness private sector support, this is not necessarily replicable in future conflicts. The US and allies need to consider if it is within their interests to normalise the independent involvement of private sector entities with the capacity to function on the scale of a combatant country during conflict particularly in a scenario where a large private entity might aid a foreign adversary.

Regardless, while the nuances of the normative parameters for private sector involvement in geostrategic competition are still developing, the private sector will continue to hold an integral role in cyber and technology competition. Another key point emphasized during the workshop, was the importance of developing a roadmap for engagement and timely communication between government and the private sector. The war in Ukraine has highlighted the need to have these strategies in place prior to a conflict, as opposed to being built mid-flight. Related to this, is the importance of building the skills within both public and private sectors to effectively communicate in technical areas to non-technical audiences, and vice versa when it comes to explaining strategic policy priorities and how the technical capabilities of the private sector might support them. Cyber is a multidisciplinary field, and having individuals that can act as a conduit between technical and high level geostrategic or commercial audiences is vital, and is a function that should exist ahead of a cyber conflict scenario. The private sector is not a uniform entity, and trust and relationships at an individual level need to be built between public and private entities if constructive collaboration is to occur. Building these relationships will also help identify scenarios where collaboration is needed, and the degree of risk appetite and priorities for both the government and private sector entities. This feeds into a need for public-private partners to candidly understand each other’s unique incentives, which the CSGR workshop was clear in highlighting as important for ensuring partnerships of value can be built.

This is where there is an opportunity for greater collaboration between allies and learning from different approaches for public-private engagement in cyber. Notably, Australia is at the forefront of public-private collaboration in scenario planning for major cyber incidents. In 2023, the Australian government held war gaming exercises with major banks and financial service companies to test response strategies to cyberattacks that target critical infrastructure assets. How allies can execute similar programs to work in tandem with global companies to drill scenarios and understand the capabilities, intentions, and limits of private sector entities will help lay the groundwork when real-time responses are needed.

For the private sector, engaging in these activities does not necessarily commit them to supporting a government position during a conflict, but enables them to define the parameters of their willingness to collaborate prior to the fact, build useful relationships and trust, and think through any legal and public relations considerations they might face.

The CSGR workshop was key in highlighting that in the man-made domain of cyber, collaboration is vital, both with allies and the private sector. As geostrategic competition in the Indo-Pacific continues to intensify, China will also be looking to the lessons of Russia’s invasion of Ukraine to determine where improvements to their utilization of cyber as a tool for information warfare and disruption can be improved. China’s relationship with the private sector differs greatly to the US and its allies, where China has a higher degree of integration. While the discussion at the CSGR workshop raised the point that this reduces China’s private sector’s ability to act quicky, be agile and innovative in their activities and responses, it did not diminish the fact that the US and partners should continue to collaborate to improve their readiness in the ever-changing cyber domain.

Tag Archive for: Cyber

Status update: Responsible state behaviour in cyberspace

2025 is a pivotal year for international cyber governance. Not only is it the tenth anniversary of the international community’s agreement to a global framework for responsible state behaviour in cyberspace, but it is also the year that the UN Open-Ended Working Group on security of and in the use of information and communications technologies will conclude its mandate. This sets the stage for the establishment of a more permanent mechanism for global cyber discussions.

To discuss these developments and reflect on how states around the world have interpreted and operationalised responsible state behaviour in cyberspace, ASPI’s Gatra Priyandita speaks with two leading cyber experts, Farlina Said from the Institute of Strategic and International Studies in Malaysia, and Louise Marie Hurel, from the Royal United Services Institute in London. 

Stop the World: Building cyber resilience with Lieutenant General Michelle McGuinness

In this episode of Stop the World, ASPI’s Executive Director Justin Bassi speaks with Australia’s National Cyber Security Coordinator Lieutenant General Michelle McGuinness CSC to discuss her role and how it helps protect Australians online.  

LTGEN McGuinness explores the dual role that the National Office of Cyber Security plays in preparing for and responding to increasing cyber incidents, the importance of building resilience to respond efficiently and effectively to them, and how preventative measures such as using multi-factor authentication can mitigate over 80 percent of cyber risks.  

Justin and LTGEN McGuinness also discuss the role that attribution plays in deterring malicious cyber activity and how attribution can improve mitigation strategies, drive norms and establish that Australia does not tolerate unacceptable behaviour in cyberspace. 

Guests: 

Lieutenant General Michelle McGuinness

Justin Bassi

Stop the World: TSD Summit Sessions: How to navigate the deep fake and disinformation minefield with Nina Jankowicz

The Sydney Dialogue is over, but never fear, we have more TSD content coming your way! This week, ASPI’s David Wroe speaks to Nina Jankowicz, global disinformation expert and author of the books How to Lose the Information War and How to Be a Woman Online.

Nina takes us through the trends she is seeing in disinformation across the globe, and offers an assessment of who does it best, and whether countries like China and Iran are learning from Russia. She also discusses the links between disinformation and political polarisation, and what governments can do to protect the information domain from foreign interference and disinformation.

Finally, Dave asks Nina about her experience being the target of disinformation and online harassment, and the tactics being used against many women in influential roles, including US Vice President Kamala Harris and Australia’s eSafety Commissioner Julie Inman Grant, in attempts to censor and discredit them.

Guests:
⁠David Wroe
⁠Nina Jankowicz

Stop the World: TSD Summit Sessions: Defence, intelligence and technology with Shashank Joshi

In the final lead-in episode to the Sydney Dialogue (but not the last in the series!), ASPI’s Executive Director, Justin Bassi, interviews Shashank Joshi, Defence Editor at the Economist.  

They discuss technology, security and strategic competition, including the impact of artificial intelligence on defence and intelligence operations, the implications of the no-limits partnership between Russia and China and increasing alignment between authoritarian states. They also cover the challenge of protecting free speech online within a framework of rules which also protects public safety.

They talk about Shashank’s latest Economist report ‘Spycraft: Watching the Watchers’, which explores the intersection of technology and intelligence, and looks at the history of intel and tech development, including advancements from radio to the internet and encryption.

The Sydney Dialogue (TSD) is ASPI’s flagship initiative on cyber and critical technologies. The summit brings together world leaders, global technology industry innovators and leading thinkers on cyber and critical technology for frank and productive discussions. TSD 2024 will address the advances made across these technologies and their impact on our societies, economies and national security.

Find out more about TSD 2024 here: ⁠https://tsd.aspi.org.au/⁠    

Mentioned in this episode: ⁠https://www.economist.com/technology-quarterly/2024-07-06⁠  

Guests:
⁠Justin Bassi⁠
Shashank Joshi

Stop the World: TSD Summit Sessions: Technology innovation and investment with Gilman Louie

The Sydney Dialogue (TSD) is just weeks away.

To help our listeners prepare for the forthcoming discussions at TSD, we are bringing you an interview with Gilman Louie, who was the first CEO of In-Q-Tel— set up in 1999 by the CIA as an independent, not-for-profit strategic investment firm —and Commissioner on the National Security Commission on Artificial Intelligence from 2018-2021. Gilman is co-founder and partner at Alsop Louie Partners, and he is also a co-founder and CEO of the America’s Frontier Fund, so there is no one better placed to talk about strategic competition, innovation and investment.

Director of the Sydney Dialogue, Alex Caples, asks Gilman about the role of technology as a component of state power, how the innovation landscape has changed in the United States and how the government and private sector are working together on innovation and investment in the design and manufacturing of technologies.

TSD is ASPI’s flagship event for cyber and critical technologies. The summit brings together world leaders, global technology industry innovators and leading thinkers on cyber and critical technology for frank and productive discussions. TSD 2024 will address the advances made across these technologies and their impact on our societies, economies and national security.

Find out more about TSD 2024 here: ⁠https://tsd.aspi.org.au/⁠

Guests:

⁠Dr Alexandra Caples⁠

⁠Gilman Louie

Stop the World: TSD Summit Sessions: Countering hybrid threats with NATO Deputy Assistant Secretary General James Appathurai

The countdown to the Sydney Dialogue (TSD) is on!  
 
In the second episode of ASPI’s TSD Summit Sessions, Justin Bassi, Executive Director of ASPI, speaks to James Appathurai, NATO’s Deputy Assistant Secretary General for Innovation, Hybrid and Cyber on all things tech, innovation, security and democracy.  
 
Justin and James discuss hybrid threats in the context of challenges in Europe and the Indo-Pacific, and how democracies in both regions need to work together to prevent and respond to these increasing activities. They explore the impact of technological innovation on security, the rise of artificial intelligence and deep fakes and the risks to democracies, including in elections.  
 
They discuss the challenges posed by Russia and China and how they are harnessing technology to achieve their goals. The conversation canvasses the need for a strategy of deterrence, not just in relation to conflict, but to counter threats below the threshold of war. Such a strategy will require some offence, not just defence, to protect both domestic democratic processes and the international rules-based order.  
 
Note: This episode was recorded prior to the NATO Summit, which took place in Washington DC on 9-11 July.  
 
Guests:  
Justin Bassi 
James Appathurai

Mapping China’s data harvesting and global propaganda efforts

ASPI has released a groundbreaking report that finds the Chinese Communist Party seeks to harvest user data from globally popular Chinese apps, games and online platforms in a likely effort to improve its global propaganda.

The research maps the CCP’s propaganda system, highlighting the links between the Central Propaganda Department, state-owned or controlled propaganda entities and data-collection activities, and technology investments in Chinese companies.

In this special short episode of Stop the World, David Wroe speaks with ASPI analyst Daria Impiombato about the key takeaways from this major piece of research.

Mentioned in this episode:
Truth and reality with Chinese characteristics

Guests:
David Wroe
Daria Impiombato