The case against Huawei’s participation in bidding for the 5G network in Australia appears to be based on incomplete information, at least as far as the public record allows us to judge.

For a full picture, there are several fields of knowledge we need to understand and reconcile: espionage, computer science, information and communications technology, cyber security, business studies, foreign policy, China studies, political science, international political economy, and globalisation. But there are also political perspectives and biases. The latter issue was rather brilliantly captured in a recent Norwegian study.

This study saw the Huawei challenge, the Snowden revelations about NSA, and the Volkswagen emissions-monitoring scandal as part of a common problem: assurance of supply chain components in the information age. The study concluded that ‘the problem [of supply chain assurance] should therefore receive considerably more attention from the research community as well as from decision makers than is currently the case’.

The consensus of global scholarly opinion on these issues suggests that those in Australia advocating for a ban on Huawei in the 5G network—mimicking the opinion of US intelligence chiefs expressed in February 2018—have not reviewed all of the available information and perspectives. Public policy analysts in Australia should be wary of their own government when it so closely mirrors senior officials in the Trump administration on any issue of intelligence policy, for two reasons.

The first, and most worrying, is the poor record of the US intelligence community on big issues of analysis if they’re highly politicised. Remember Iraqi WMD as one in a 70-year saga of great US intelligence failures. The second is that internal political disputation within the Trump administration and the US Congress on relations with China is at fever pitch.

So what does the study of espionage tell us about the campaign against Huawei?

There’s no doubt that countries like China, the United States, Russia, Israel and France find it easier to implant back doors in commercially available equipment manufactured by companies domiciled in their territories. For this and a variety of other reasons, wise governments, corporations and citizens should assume that all equipment in their supply chains, regardless of the country of origin, can be compromised from a cyber security point of view. The Norwegian study found that such back doors are often very difficult to detect.

We can add to this the overwhelming evidence that vulnerabilities in Microsoft Windows have been responsible for a very large share of security breaches globally, including in Australia. As argued in a study I co-authored with German scholar Sandro Gaycken for the New York-based EastWest Institute in 2014, ‘highly secure computing’ (that is, non-vulnerable systems) has to be the approach.

The national security damage caused by vulnerabilities in Microsoft Windows puts into the shade the unsubstantiated claims (unsubstantiated in the public domain at least) that Huawei equipment has directly produced security breaches. Moreover, NSA cyber weapons based on the vulnerabilities in Windows, such as Eternal Blue, have caused more documented security breaches globally, and in Australia, than any Huawei products. Yet Australia’s Defence Department uses Microsoft Windows.

We also need to assess the relative intelligence value of back doors in Huawei products if they in fact exist. We can assume they do, either by design or by error. But the share of high-grade intelligence collected by this means would be minuscule. Chinese and American spy agencies already have easy access to most unclassified or unencrypted telecommunications from Australia without relying on back doors in telecoms equipment.

If China wanted to use a domiciled company for implanting back doors, it would not rely on the Chinese Communist Party cell in Huawei to set that up. The Huawei party cell would not be in the chain of command for Chinese intelligence operations of this kind. The cell is not oriented towards espionage, though its members would report on internal security issues to the Ministry of Public Security.

If the US wanted to plant back doors in the equipment of a US-domiciled company, it would not need a law to compel the cooperation. It would simply get consent from people at the top of the company, as it did with NSA’s PRISM program, where US telecoms companies, such as AT&T, and information utilities, such as Google, provided a direct feed to NSA headquarters of all communications, according to documents leaked by Snowden.

Beyond intelligence studies, we need industry knowledge. Huawei estimates that 50% of Australians rely on its systems of some kind for their telecommunications. This is probably a radical underestimate—I think it would be closer to 95% if we’re talking about all Chinese-made systems. Most of Australia’s unclassified communications today probably depend on systems using at least one component manufactured in China.

I base this very rough estimate on several considerations. According to a 2018 study on smaller countries like Australia, the bulk of our domestic internet traffic and email is probably routed through foreign servers and internet gateways. A large slice goes to countries like the UK where BT is the provider using Huawei equipment, not to mention other Chinese equipment manufacturers like ZTE. And not to mention the share of our communications traffic to and from China itself. According to a 2018 Chinese study, the diversion of internet traffic through other countries is increasing in spite of intensifying claims to internet sovereignty.

The campaign against Huawei imagines that Australia has a cyber border. It does not. It’s deeply entangled in a globalised laissez-faire ICT economy and diffuse internet traffic pathways. Our public policy is still learning the nature and scope of this reality.

Welcome to The Strategist Six, a feature providing a glimpse into the thinking of prominent academics, government officials, military officers, reporters and interesting individuals from around the world.

1. As a top US cyber specialist, you’ve seen the internet shrink the world by allowing people to communicate over vast distances. It’s given us access to massive amounts of information and allowed oppressed people to unite and force change. But it’s also used by terrorists to encourage attacks and by nations to steal commercial and military secrets. Overall, has the net made the world a better or a more dangerous place?

Every new technology from the beginning of mankind has been seized upon by criminals and others who have tried to exploit it. For better or worse, the internet was never conceived as a secure platform. Instead it was designed to ensure communication, survive and be resilient. On balance, it’s been a tremendous force for good in terms of social interaction, global communication and economic growth. So even with the mounting threats, I would definitely say it has made the world a better place.

However, there’s a wide range of threats and threat actors in cyberspace, including criminals, terrorists who predominantly use the internet to communicate and plan and some nation states who cause disruption and steal sensitive commercial and other information. Cyberspace is also a new domain of warfare where over 100 countries are developing offensive capability. We’ll certainly see these capabilities employed as part of a traditional physical conflict but, as recent cases like the destructive NotPetya worm attributed to Russia illustrate, we’ll also see them outside traditional conflicts. Yet, we don’t have a good idea of what escalation is in cyberspace, what are the bounds of acceptable state behaviour and what the consequences might be if those bounds are breached. We need to work all of those things out.

The US and Australia have been in the vanguard of advancing an international stability framework for cyberspace. That framework includes applying existing international law to cyberspace, getting consensus on certain voluntary norms (or rules of the road) for responsible state action, and transparency and confidence-building measures such as hotlines to help dial down the chances of misperceptions and avert escalation. There has been good progress in promoting this framework but we also need to be better at deterring bad conduct in cyberspace. There have to be timely and credible consequences for bad actors. That means enhancing our law enforcement capabilities and going after more criminals and locking them up to make clear there’s a cost for their actions.

It also means we need to be much better at imposing consequences on disruptive nation states. We must act collectively with like-minded countries, see what tools we have to deter a potential adversary’s behaviour, and be willing to use them. There’s a lot left to do in this area. For example, we still need to explore how existing international law maps to cyberspace, further articulate and gain wider acceptance of voluntary norms and improve collective response.

This work will involve governments, the private sector and civil society. Recently, for example, the Global Commission for the Stability of Cyberspace put forth a proposed norm that stated that state and non-state actors shouldn’t take actions that substantially disrupt the general availability of the global core of the internet.

If we hope to make real progress combatting the threats we face and seizing on the opportunities that cyberspace provides, we need to get away from thinking that cyber is this boutique, technical policy area and ingrain it in how we think about national security, economic security and foreign policy.

2. Where are we going with the internet?

We’re not going to go backwards. It’s not a genie you can put back into the bottle. The web is intertwined with everything we do and it’ll continue to evolve and become more useful. You’ll also have more sophisticated attacks and attackers because of that dependency. We’ll be in a cat-and-mouse game to an extent. There’ll be lots of innovation.

Those who are intent on doing evil or using it for their own purposes will find more sophisticated ways to do that. We’ll do what we can to contain the threats because, ultimately, we have the platform to do good things.

The technology that’s allowed us to communicate worldwide and enabled all this social interaction can also be used by more repressive countries to monitor and control their citizens. There’s a range of challenges that extend to cybersecurity, human rights and how the internet itself is governed in the future. Now that it’s become such a big deal, the natural instinct of many states is to want to control it. We need to be vigilant in ensuring wide participation by all stakeholders to ensure that this technology continues to evolve and thrive.

3. Can it ever be completely controlled by anyone or any state?

I don’t think so. You can imagine scenarios where states try to control their piece of the internet. That obviously undermines its global nature and its value to commerce and other things it enables. There’ll be challenges to the architecture of the internet itself but it would be very hard for any one government to control it. But that doesn’t mean there won’t be governments that try.

4. Have we reached a plateau or will we continue to see the same technological leaps in the cyber area as in the past, and what are your main concerns about the internet and computing generally?

In terms of sheer computing speed, people have often said it’ll slow down because it’s reached its practical limits with the size of circuits. But circuits keep getting smaller—down to the atomic level—and faster and more capable. Every time we think it has reached its limits, someone thinks of new things like stacking chips on top of each other. It hasn’t slowed yet. I think innovation and advancement will continue to accelerate.

Quantum computing could bring a vast increase in capability. In addition, there will continue to be great innovation in terms of the architecture of the internet and the applications that run on top of it. I don’t know what the next big leap will be but I’m confident something will happen.

There are a lot of tensions built into the internet. Obviously it would be useful to have easy attribution of internet traffic to go after bad actors, but that’s bad for human rights and privacy so you have to find middle ground. You have a lot of new things coming on line, including the internet of things and the promise of everything from self-driving cars to autonomous health systems. That’s great and can lead to amazing innovation, but if security isn’t built in as we’re doing this, they could be vulnerable to attack and the results will be physical as well. You won’t just lose your information but something bad may happen in the physical world—including critical infrastructure disruption. I worry about that.

The other thing I really worry about, and this doesn’t get a lot of discussion, is how we preserve the integrity of information. We worry about data being stolen or deleted but we don’t talk enough about what happens when data is made unreliable by a bad actor. For example, if someone gets into your health records and changes your blood type so that the next time you get a transfusion you die, that’s certainly more serious than not being able to access a webpage because of a distributed denial of service attack.

5. Much military equipment relies on satellites. Could a cyber attack render that inoperable?

Anything that relies on computers and computer networks is potentially vulnerable if the right precautions aren’t taken and protections implemented. Militaries need to be cognizant of how dependent they are on systems that ride on the back of networks—secure networks but also just networks. What would they do if they were unavailable? Some militaries try to train for that—a day or a week without cyber.

We need to be keenly aware of how dependent we are. What’s our resilience? What’s our bounce back? Attacks on critical infrastructure may be low in their probability but high in their impact if they happen.

Many people haven’t done the basic hygiene they need to in order to protect themselves and that’s a problem. You can do basic things to protect yourself from most intrusions and attacks. Even when you do that, there are still the dedicated, usually state, actors who can use tools to try to get into your system. But that allows those protecting systems to focus on that smaller set of actors and their tools.

6. How concerned should we be about advances in artificial intelligence? Are machines going to take over?

There are different camps on this. I think AI, as it’s now constituted, is very helpful. Machine learning and the like can lead to great advances. The dystopian movie view has AI with human characteristics and taking over everything. I suppose that’s a possibility but I don’t think we’re anywhere close to that and we can take precautions. I tend to take a more optimistic view. I don’t think we should shy away from exploring AI because it has so many benefits. Who knows what the future will bring but I don’t think it’ll be a binary thing where suddenly, one day they’re running us.

Many people believe that the internet of things (IoT) is aimed simply at supplying consumers with connected household devices. However, data from Intel shows that over 75% of devices are used in manufacturing, retail and healthcare. In short, the ‘vast majority of IoT devices today are used by businesses, not consumers’.

The introduction of industrial internet of things technology offers businesses many benefits, like production-line tracking and remote worksite management. But it also increases the attack surface for malicious actors. I wrote last year in The Strategist about the scary nature of the IoT and the difficulty in developing IoT security standards. Those issues pale in comparison to the havoc that could be caused by industry-level security breaches.

Major attacks on critical infrastructure have already occurred in Ukraine and Germany. In 2010, information about the now infamous Stuxnet virus came to light, detailing how it had been designed to ruin hundreds of centrifuges used in Iran’s uranium enrichment program. It was the first time a digital weapon was intentionally used by a nation-state to physically damage an adversary’s industrial control system.

The US Department of Homeland Security has identified 16 sectors that it considers to be vital components of critical infrastructure, including such things as ‘commercial facilities’—shopping and convention centres, office and apartment buildings, and other sites where large numbers of people gather—emergency and financial services, and information technology. In May 2017, President Donald Trump issued an executive order to further strengthen the cyber security of the nation’s critical infrastructure.

In Australia, our view of critical infrastructure is generally confined to physical systems that enable telecommunication, water and energy services to operate unimpeded. We need to rethink our approach. Our outdated, horizontal understanding of critical infrastructure downplays the co-dependent relationships between sectors. American cybersecurity expert Melissa Hathaway proposes switching the focus to critical services. Using that approach, energy and the internet (or telecommunications as a whole) would sit atop a hierarchy of other services that rely on the first two to operate.

In both the US and Australia, a majority of critical infrastructure is privately owned, making common standards difficult to enforce. In addition, many industrial control systems were constructed in the mid- to late 20th century, when the internet was fresh and cybersecurity wasn’t a major concern. Adapting or replacing legacy systems and protocols presents a serious challenge, which has often been used as an excuse to continue to use outdated and unsafe technology.

A campaign against the use of smart meters was launched in Australia in 2013 after a study from the University of Canberra revealed privacy and safety vulnerabilities in similar devices used overseas. Some smart meters collect personal information that could reveal when users are away from home, and even disclose how often appliances are used. Such devices could also prove dangerous for utility providers. Several years ago, hackers cost the Puerto Rican power company as much as $400 million by compromising smart meters.

So what damage could a cyberattack on Australia’s critical infrastructure inflict? Well, we already know. South Australia’s 2016 statewide blackout had effects similar to a cyberattack. A once-in-50-year storm disrupted crucial services such as energy, telecommunications, finance, transport and the internet. Nearly two million people lost power. Trains and trams stopped working, as did many traffic lights, creating gridlocks on flooded roads. An unknown number of embryos died at a fertility clinic in Flinders Hospital when a backup generator failed. The average financial loss to businesses was $5,000, with total losses of $367 million. The incident highlighted the danger of cascading failures in interconnected critical infrastructure.

Disrupting utilities that power an entire city could cause more damage than traditional terror tactics such as bombings, and can be performed externally with more anonymity. Again, severe storms provide an example: a loss of power can cause more deaths than the physical destruction itself. When Hurricane Irma damaged a transformer, for example, and the air conditioning failed, 12 residents at a Florida nursing home died of suspected heat-related causes.

The risks associated with industrial control systems don’t only affect human safety; they threaten the environment as well. In Australia’s first case of industrial hacking in 2000, Vitek Boden compromised the Maroochy Shire Council water system, sending a million litres of sewage into parks and waterways.

Our heavy reliance on connected devices means that exploitation of internet-dependent platforms can cause not only physical disruption, but also financial chaos. Last week the World Economic Forum revealed that the financial damage caused by an attack against a cloud-computing firm could equal or surpass that caused by Hurricane Katrina. That fact further supports the notion of switching the focus from physical infrastructure to critical services. The Australian government’s creation of the Critical Infrastructure Centre, which includes information technologies and communication networks in its definition of critical infrastructure, is a step in the right direction. And in March, ASPI will publish a report detailing IoT vulnerabilities and critical service protection, along with recommendations to address them.

But it’s clear that to safeguard Australia’s critical services from cyberattack, we need to improve communication and coordination between service providers, and to clarify the roles and responsibilities of cyber agencies. We must also prioritise the introduction and adoption of safety guidelines for IoT devices and strengthen international collaboration in this area.

The threats to energy grids, commercial facilities and online platforms vary significantly, yet all share a similar, frightening susceptibility to cyberattack. It’s a worry that’s not going to go away.

The proliferation of sensors and data sources available to a modern military like the ADF often swamps the ability of the analyst to find what’s truly relevant in the sea of information. The exponential increase in sensors and data sources hasn’t been matched by an increase in human resources to process them. That imbalance makes aspirations of ‘information superiority’ untenable, leaving militaries vulnerable to promises that they’ll have machine solutions for and certainty about what’s an inherently human and uncertain problem: war.

We must be careful about proclaiming a revolution in military analytics and be cognisant of the failed promises of the last ‘revolution’ that occupied Western military attention. ‘Advanced analytics’ is a bet on computers being able to process the data deluge in a meaningful way to support military decision-making. My concern is that we don’t fully understand how difficult that is to achieve, or the significant changes that such a gamble implies for the workforce charged with implementation.

The fallacy of smart computing. Computers are only as smart as we program them to be. In the absence of Skynet-level AI, they can’t interrogate data holdings to generate links between diffuse pieces of information to predict or assess the military actions of a thinking human adversary. Existing software can’t make sense of complex human interactions in the same way, or with the same time-sensitivity, that a well-trained analyst can or should. Much is made of the ability to assist with pattern recognition, and while analytics can certainly assist with that task, it still relies on someone programming the correct patterns to recognise. But understanding what those patterns might look like implies a degree of certainty about the tactical environment that rarely exists on the battlefield.

Workforce design. The quandary we face is whether to design intelligence architecture around unproven advanced analytics platforms to get the most out of the technology, or to design an architecture that supports the analysts to understand the environment in which they work. Currently, with the personnel and technical overheads required to give advanced analytics systems a fighting chance—particularly in the fields of data entry and algorithm development—those two concerns appear mutually exclusive.

Uniqueness of military data. Advanced analytics tools are seductive when designers conduct demonstrations using carefully calibrated data to show their theoretical capability. But military data is rarely clean and is inherently difficult to control. Analysts deal with everything from UAS feeds, to Facebook posts, to scraps of paper and everything in between. Those are unstructured data sources that are ill-suited to the needs of a platform designed to ingest and analyse structured data. Data standards are incredibly hard to control, and ‘cleaning’ data to make it usable is both time-consuming and takes an analyst away from trying to fuse their assessments across data sources. When the ‘data in’ is poor, the ‘data out’ will be wrong. Many of the analytics platforms marketed to the military were developed for finance and industry, where there are limited data sources and the data can be structured to suit the purpose of analysis. That isn’t the case in the land warfare domain, and it’s largely impossible at this point to write an algorithm that can bring order to the chaos that’s inherent to war.

Stovepiped development. Powerful software is available to exploit single-source sensors, but those tools are rarely linked into an all-source fusion tool. Many of those systems are also proprietary software, meaning they can’t be exported into more powerful fusion systems. A sensible approach might be to design the all-source fusion system first and have individual sensor requirements nested underneath. However, that implies a level of capability development and acquisition alignment far in advance of existing stovepiped practice. A continuing challenge will be to find tools that work across the myriad defence systems, classified and unclassified, to provide a unified data environment as part of an enterprise approach to intelligence.

The cognitive shift. Military analysts have traditionally relied on qualitative rather than quantitative skills. Their successes have mainly been based on forming judgements from scraps of disparate information, supported by the intuition that comes from hard-won experience. The skills and aptitude needed to operate advanced analytics are largely the opposite. They rely on programming and coding skills—a quantitative aptitude to order and synchronise data. Those skills are more advanced than simply being technology ‘savvy’. If those tools are to be the centrepiece of any future intelligence, surveillance and reconnaissance enterprise, they’ll require a significant cognitive shift from the intelligence workforce. The questions must be asked: What’s lost in the process? And for what measurable gain?

Tail to wag the dog. Advanced analytics platforms require enormous back-end support to make them work, and maintaining an army of dedicated contractors is beyond the scope of most militaries. Data scientists are the most in-demand profession in today’s job market, and there’s no guarantee the military can access them in sufficient numbers to ensure the functionality of a chosen system.

Militaries must decide what they need advanced analytics to achieve. Only when that understanding is reached can they partner with industry to design the tools to achieve it. This lack of translation between user need and provider solution is the biggest stumbling block to any meaningful progress in the short term. Ultimately, however, we need to understand whether it’s even feasible to expect computers to make sense of war’s inherent unpredictability. After significant work and investment, computers may be able to assist in ordering and sequencing data to make analysis more efficient, but I’ll wager that they’ll be unable to provide any greater certainty than a team of well-trained and experienced analysts who understand the true difficulty of creating order from chaos.

Today the Prime Minister will release the first annual review of Australia’s Cyber Security Strategy, which the PM foreshadowed in an op-ed for The Australian. The PM says that his government is ‘pleased with progress’, noting the success of the first Joint Cyber Security Centre in Brisbane, and higher levels of awareness amongst business leaders. The PM’s confidence in the growing maturity of Australian public and private sector cyber security awareness is supported by the Australian Cyber Security Centre’s 2016 Cyber Security Survey, also released today, which shows that 71% of surveyed organisations have an incident response plan, an increase of 11% on the 2015 result. Also keep an eye out tomorrow for the release of the Australian Cyber Security Growth Network’s Cyber Security Competitiveness Plan.

Kaspersky Lab has published its Cybersecurity Index for the second half of 2016, aggregating the results of 17,377 respondents across the world on their attitudes to cybercrime, their online activity and the cost of cybercrime. The report shows that more people are concerned about cyber security and are taking steps to protect themselves. Overall, 74% of those surveyed didn’t believe that they would be a target for cybercrime, a 5% drop on the result from the first half of 2016. Only 39% of respondents don’t take any cyber security measures on their devices. At the corporate level, new research from Oxford Economics has found that a company’s share price falls by an average of 1.8% on a permanent basis after a major cyber security breach. For a major UK FTSE100 firm this equates to a loss of £120 million.

China’s Cyberspace Administration has released a new draft law on international data transfers. The legislation would require firms to submit to annual security reviews of their international data transfers, and prohibits the international transfer of data on economic, technological or scientific activities overseas that could damage national security. The draft law would also require companies to obtain the express permission of users before transferring their information overseas. According to the Cyberspace Administration the new rules are necessary to secure ‘personal information, the safety of data and to protect internet sovereignty and national security.’ However the vagueness of the draft law, and long-standing concerns about Chinese cyber protectionism and censorship, mean that many outside China interpret the move as another attempt by Beijing to restrict foreign access to the internet in China.

While China increasingly seeks to control access to cyberspace, the G7 issued a declaration last week that repeated its commitment to an ‘accessible, open… [i]nteroperable, reliable and secure cyberspace.’ The declaration on responsible states behaviour in cyberspace largely repeats previous statements from the G7 including commitments to online rights, the application of international law and the norms agreed by the 2015 UN Group of Governmental Experts and the 2015 G20 Leaders’ Communiqué. It also reiterated the G7’s support for the development of confidence building measures through regional forums including the OSCE and ASEAN Regional Forum such as crisis communications channels. Interestingly the declaration includes the statement that a state ‘is free to make its own determination in accordance with international law with respect to attribution of a cyber-act to another State.’ That runs counter to the calls from some, including Microsoft President Brad Smith for an international cyber attribution agency. Meanwhile RT has reported that Russia has provided a draft of a new international convention on cybercrime to the UN, to replace the 2001 Budapest Convention, which Russia hasn’t signed.

Last week’s failed North Korean missile test has prompted renewed speculation on the role of US cyber capabilities in undermining Pyongyang’s missile program, however the US declined to comment. The tensions with North Korea have also reportedly prompted the US Department of Defense to fund work on cyber protection of the US power grid, and the establishment of an emergency communications system. The Defense Advanced Research Projects Agency (DARPA) issued a statement last week on what it calls the ‘Rapid Attack Detection, Isolations and Characterisation System’ (RADICS). The System, being developed in cooperation with BAE Systems, seeks to protect national security capabilities dependent on the power grid. According to BAE Systems, RADICS, which won’t be ready until 2020, should detect attacks before they occur and isolate target networks, such as enterprise systems and power infrastructure, to disrupt malicious cyber attacks.

And in brief news, Europol and Brazil have signed a new agreement to cooperate on cybercrime, and Germany and Israel have taken steps to depend their cyber cooperation, with the first international chapter of the Cyber-Security Council of Germany opening in Israel last week. NASA’s CIO has told Bloomberg that she considers it a ‘matter of time’ before an object in space is hacked, and discussed the challenges of securing decades old equipment orbiting Earth from cyber threats. And in the UK it has been revealed that the Foreign Office has been subjected to a sophisticated phishing campaign by hackers dubbed the ‘Callisto Group’, which targeted personnel working on Eastern European and South Caucasus policy issues.