Tag Archive for: cyber security

ASPI suggests

The world

The United States this week withdrew from the UN Human Rights Council. Vox provides a clear picture of the situation while CNN discusses reactions to the move. This CFR piece investigates how prospects for international development and cooperation are dwindling as Trump continues to retreat from multilateral frameworks.

‘An inconvenient truth’ is usually associated with Al Gore’s 2006 documentary. But World Refugee Day on 20 June brought the sobering realisation that more people than ever before have been forced to flee persecution or war. New research by UNHCR shows that the number of people forced to flee their homes had risen to 68.5 million at the end of 2017. The US administration has dominated headlines with its policy of separating children from their parents as families flee violence in Central and South America. Snopes provides an insightful fact check on the legal situation.

Yemen is another country dealing with violent conflict and internally displaced people. For details on recent turning points, see Al Jazeera’s analysis of why the Saudi coalition is attacking Hodeidah and the humanitarian effects involved. Amnesty International has released alarming details about the attack’s impacts on the devastated Yemeni population.

Migration policy also continues to fuel friction in Europe. Germany’s coalition government is in crisis as Interior Minister Horst Seehofer and Chancellor Angela Merkel clashed over immigration policy ahead of elections in Bavaria. As the New York Times reported, Donald Trump weighed into the debate again, falsely claiming that immigration increases crime. Merkel hopes to find a pan-European solution at the EU leaders’ meeting next week. Politico takes a closer look at that ‘Mother of all EU summits’; The Economist’s Jeremy Cliffe has a great graph showing possible outcomes for Merkel, while Carnegie’s Judy Dempsey looks at the possible effects on future European security.

SIPRI’s new yearbook is out. Key findings include that the number of multinational peacekeepers is declining despite growing demand, and that nuclear weapons are being modernised rather than abandoned. Research by Erin Connolly and Kate Hewitt shows how shockingly little knowledge US students have about nukes, and what they’re doing about it.

With the World Cup in full swing in Russia, Wired has a couple of tips for dealing with Moscow’s approach to cybersecurity. The Atlantic discusses China’s cyber governance plan and intention to dictate the internet’s future rules (and content). This Washington Post article summarises the congressional call to have research collaborations between American universities and Huawei investigated. Sophie-Charlotte Fischer shows in this brief for ETH Zurich’s CSS that China aims to be the world leader in AI by 2030. She argues that Beijing’s drive might set off a new technology race, but that countries should see the potential for mutually beneficial cooperation.

And some more for the cyber fans: As Swedish elections near, the country is preparing for an onslaught of Russian hacking and cyber–election tampering. This ABC radio interview with Erik Brattberg contains all you need to know on the situation. It comes a day after Israeli PM Benjamin Netanyahu addressed Cyber Week at Tel Aviv University about the threats and benefits of cyber to both public and private actors.

The tech geek is on leave, contemplating all things techy and geeky, and will return in July. But we still found satisfying geeky matter: the OCCRP developed a tool to track the travel of the rich and wealthy—a big help for journos and analysts investigating money laundering and the like.

And one last thing on Trump: He wants a space force as the sixth branch of the US Department of Defense. That might violate the Outer Space Treaty of 1967. National Geographic discusses the legal issues and how existing laws provide some back doors. In saying that, Trump’s proposal has been met with plenty of opposition in the US, meaning it may not pass Congress in the first place.

Multimedia

The US Energy Information Administration has published over 600 graphs on Flickr showing a broad variety of numbers and developments of all things petroleum, oil and other liquids.

Sixty-five years after the failed uprising of East Germans on 17 June 1953, this video recounts the demonstrations and violent crackdown that followed. [7:39]

This fascinating episode of Al-Jazeera’s ‘People and Power’ profiles Wahida Mohamed Al-Jamaily, a woman leading a militia in northern Iraq. [25:00]

Podcasts

The APPS Policy Forum podcast talks about the World Cup and its meaning for Russia’s international policy game and about the country’s energy politics and goals in the Asia–Pacific. [56:04]

Pod Save the World hosts former US National Counterterrorism Center chief Nick Rasmussen to discuss the Center’s place in the national security architecture, as well as terrorism propaganda. [50:47, skip the first minute and ads at 16:25-19:50, 34:55-36:45]

The BBC’s How to Invent a Country investigates the beginnings of Amsterdam and how it went from being a swamp to being one of the world’s leading cities in such a short period of time. [30:00]

Caliphate this week interviews an ISIS returnee who has confessed to murder one year after returning to America. [33:00]

Events

Canberra, 24-26 June, ANU Crawford Leadership Forum, ‘Global realities, domestic choices.’ Details here.

Canberra, 27 June, 5.30–7 pm, National Library of Australia, ‘Who will save the world?’ with Jan Fran. More information here.

Sydney, 28 June, 5–6.30 pm, Sydney University, ‘China and global refugee crisis: external and domestic dynamics’. Free registration here.

Canberra, 4 July, 5.30–8 pm, ASPI and Thales, ‘Thales-ASPI Hamel Centenary Oration’, delivered by the incoming Chief of Defence Force, Lieutenant General Angus Campbell, AO, DSC. More here.

The Strategist Six: Chris Painter

Welcome to The Strategist Six, a feature providing a glimpse into the thinking of prominent academics, government officials, military officers, reporters and interesting individuals from around the world.

1. As a top US cyber specialist, you’ve seen the internet shrink the world by allowing people to communicate over vast distances. It’s given us access to massive amounts of information and allowed oppressed people to unite and force change. But it’s also used by terrorists to encourage attacks and by nations to steal commercial and military secrets. Overall, has the net made the world a better or a more dangerous place?

Every new technology from the beginning of mankind has been seized upon by criminals and others who have tried to exploit it. For better or worse, the internet was never conceived as a secure platform. Instead it was designed to ensure communication, survive and be resilient. On balance, it’s been a tremendous force for good in terms of social interaction, global communication and economic growth. So even with the mounting threats, I would definitely say it has made the world a better place.

However, there’s a wide range of threats and threat actors in cyberspace, including criminals, terrorists who predominantly use the internet to communicate and plan, and some nation states who cause disruption and steal sensitive commercial and other information. Cyberspace is also a new domain of warfare where over 100 countries are developing offensive capability. We’ll certainly see these capabilities employed as part of a traditional physical conflict but, as recent cases like the destructive NotPetya worm attributed to Russia illustrate, we’ll also see them outside traditional conflicts. Yet, we don’t have a good idea of what escalation is in cyberspace, what are the bounds of acceptable state behaviour and what the consequences might be if those bounds are breached. We need to work all of those things out.

The US and Australia have been in the vanguard of advancing an international stability framework for cyberspace. That framework includes applying existing international law to cyberspace, getting consensus on certain voluntary norms (or rules of the road) for responsible state action, and transparency and confidence-building measures such as hotlines to help dial down the chances of misperceptions and avert escalation. There has been good progress in promoting this framework but we also need to be better at deterring bad conduct in cyberspace. There have to be timely and credible consequences for bad actors. That means enhancing our law enforcement capabilities and going after more criminals and locking them up to make clear there’s a cost for their actions.

It also means we need to be much better at imposing consequences on disruptive nation states. We must act collectively with like-minded countries, see what tools we have to deter a potential adversary’s behaviour, and be willing to use them. There’s a lot left to do in this area. For example, we still need to explore how existing international law maps to cyberspace, further articulate and gain wider acceptance of voluntary norms and improve collective response.

This work will involve governments, the private sector and civil society. Recently, for example, the Global Commission for the Stability of Cyberspace put forth a proposed norm that stated that state and non-state actors shouldn’t take actions that substantially disrupt the general availability of the global core of the internet.

If we hope to make real progress combatting the threats we face and seizing on the opportunities that cyberspace provides, we need to get away from thinking that cyber is this boutique, technical policy area and ingrain it in how we think about national security, economic security and foreign policy.

2. Where are we going with the internet?

We’re not going to go backwards. It’s not a genie you can put back into the bottle. The web is intertwined with everything we do and it’ll continue to evolve and become more useful. You’ll also have more sophisticated attacks and attackers because of that dependency. We’ll be in a cat-and-mouse game to an extent. There’ll be lots of innovation.

Those who are intent on doing evil or using it for their own purposes will find more sophisticated ways to do that. We’ll do what we can to contain the threats because, ultimately, we have the platform to do good things.

The technology that’s allowed us to communicate worldwide and enabled all this social interaction can also be used by more repressive countries to monitor and control their citizens. There’s a range of challenges that extend to cybersecurity, human rights and how the internet itself is governed in the future. Now that it’s become such a big deal, the natural instinct of many states is to want to control it. We need to be vigilant in ensuring wide participation by all stakeholders to ensure that this technology continues to evolve and thrive.

3. Can it ever be completely controlled by anyone or any state?

I don’t think so. You can imagine scenarios where states try to control their piece of the internet. That obviously undermines its global nature and its value to commerce and other things it enables. There’ll be challenges to the architecture of the internet itself but it would be very hard for any one government to control it. But that doesn’t mean there won’t be governments that try.

4. Have we reached a plateau or will we continue to see the same technological leaps in the cyber area as in the past, and what are your main concerns about the internet and computing generally?

In terms of sheer computing speed, people have often said it’ll slow down because it’s reached its practical limits with the size of circuits. But circuits keep getting smaller—down to the atomic level—and faster and more capable. Every time we think it has reached its limits, someone thinks of new things like stacking chips on top of each other. It hasn’t slowed yet. I think innovation and advancement will continue to accelerate.

Quantum computing could bring a vast increase in capability. In addition, there will continue to be great innovation in terms of the architecture of the internet and the applications that run on top of it. I don’t know what the next big leap will be but I’m confident something will happen.

There are a lot of tensions built into the internet. Obviously it would be useful to have easy attribution of internet traffic to go after bad actors, but that’s bad for human rights and privacy so you have to find middle ground. You have a lot of new things coming on line, including the internet of things and the promise of everything from self-driving cars to autonomous health systems. That’s great and can lead to amazing innovation, but if security isn’t built in as we’re doing this, they could be vulnerable to attack and the results will be physical as well. You won’t just lose your information but something bad may happen in the physical world—including critical infrastructure disruption. I worry about that.

The other thing I really worry about, and this doesn’t get a lot of discussion, is how we preserve the integrity of information. We worry about data being stolen or deleted but we don’t talk enough about what happens when data is made unreliable by a bad actor. For example, if someone gets into your health records and changes your blood type so that the next time you get a transfusion you die, that’s certainly more serious than not being able to access a webpage because of a distributed denial of service attack.

5. Much military equipment relies on satellites. Could a cyber attack render that inoperable?

Anything that relies on computers and computer networks is potentially vulnerable if the right precautions aren’t taken and protections implemented. Militaries need to be cognizant of how dependent they are on systems that ride on the back of networks—secure networks but also just networks. What would they do if they were unavailable? Some militaries try to train for that—a day or a week without cyber.

We need to be keenly aware of how dependent we are. What’s our resilience? What’s our bounce back? Attacks on critical infrastructure may be low in their probability but high in their impact if they happen.

Many people haven’t done the basic hygiene they need to in order to protect themselves and that’s a problem. You can do basic things to protect yourself from most intrusions and attacks. Even when you do that, there are still the dedicated, usually state, actors who can use tools to try to get into your system. But that allows those protecting systems to focus on that smaller set of actors and their tools.

6. How concerned should we be about advances in artificial intelligence? Are machines going to take over?

There are different camps on this. I think AI, as it’s now constituted, is very helpful. Machine learning and the like can lead to great advances. The dystopian movie view has AI with human characteristics and taking over everything. I suppose that’s a possibility but I don’t think we’re anywhere close to that and we can take precautions. I tend to take a more optimistic view. I don’t think we should shy away from exploring AI because it has so many benefits. Who knows what the future will bring but I don’t think it’ll be a binary thing where suddenly, one day they’re running us.

Is Australia’s national digital identity vulnerable to manipulation?

Just as we need to protect Australia’s critical infrastructure—our banking systems, power supplies, ports and roads—we must protect our digital information assets, particularly those that make us a nation legally, culturally, socially and historically.

Digital and digitised data is part of what makes us Australian. It underpins our democracy, our law, our society and how we see ourselves. It’s essentially the evidence of who we were, are and, probably, will be.

In early January, I started a project looking at the protection and vulnerability of Australia’s digital national identity assets. As part of a six-month fellowship with ASPI’s International Cyber Policy Centre, I’m asking:

  • What, exactly, are those assets?
  • What would happen if they were attacked, destroyed or manipulated?
  • What impact would that have on the nation, and on you and me?

I’m currently in the research and discovery phase, talking with people to identify key digital assets and collections. Some critical assets are obvious: our registries of births, deaths and marriages; immigration data identifying who has entered the country, when and where from; information about who owns what; Hansard.

I focused first on ‘digitally born’ material, but I’m now considering historical print and other content that’s been digitised: cabinet records; court cases; the national and state archives and libraries; the archives of the ABC, the Fairfaxes, the Packers and the Murdochs; and the enlistment and service records of every Australian who served in World War I. There are many more.

In 2018, a record that isn’t digitised and online might as well not exist, and that brings authenticity and reliability into the frame. How do we know that a digital record is a true copy of the original? If a digital record were destroyed, it could be recreated if the original is intact, but what if that happens the other way round? What if the sole image of a destroyed record has been manipulated digitally and then presented as true? We live in the era of PhotoShop and fake news, so why not fake history?

In the archival world, we continually decide on the importance of information. Based on those decisions, we develop a hierarchy of value, deciding what needs to be kept and for how long. The values change over time—what was important or sensitive years ago might not be now (think of expletives in broadsheet newspapers), and what was unthought of years ago might now be accepted (think of same-sex marriage).

The digital assets that I identify won’t be a definitive list but will be a solid representation of Australia’s critical information infrastructure as it stands today.

In the next part of the project, I’ll identify the ways critical digital records could be destroyed or manipulated. Australia experiences 47,000 cyber incidents a year. Who would benefit, and how, from targeting our digital heritage?

In a third and closely related element, I’ll explore the consequences. What would happen if any, some or all of those digital assets were destroyed? What would happen to our sovereignty, society, law, rights, entitlements and personal identity—who we are and what we own?

If we lost, say, our immigration and births, deaths and marriages data, how could you prove your citizenship? And what if that information were compromised and unreliable? What would then become the authoritative source of information about Australians and their citizenship? We could either throw our hands in the air and close our borders to all, or allow everyone in unless there’s some other proof that they’re not eligible to come.

Everyone I’ve spoken to so far, from heads of agencies to ASPI colleagues corralled in corridor conversations, has shown a genuine interest in and enthusiasm for my project. I have a wide remit, and I want to start a broader conversation about this issue and create awareness and understanding in different government and community sectors. Ultimately, we must get the protection of our critical data—just like our other critical infrastructure—onto the broader national agenda.

If you have further ideas or thoughts about my project, please contact me at annelyons@aspi.org.au.

Rethinking the security of our critical infrastructure

Many people believe that the internet of things (IoT) is aimed simply at supplying consumers with connected household devices. However, data from Intel shows that over 75% of devices are used in manufacturing, retail and healthcare. In short, the ‘vast majority of IoT devices today are used by businesses, not consumers’.

The introduction of industrial internet of things technology offers businesses many benefits, like production-line tracking and remote worksite management. But it also increases the attack surface for malicious actors. I wrote last year in The Strategist about the scary nature of the IoT and the difficulty in developing IoT security standards. Those issues pale in comparison to the havoc that could be caused by industry-level security breaches.

Major attacks on critical infrastructure have already occurred in Ukraine and Germany. In 2010, information about the now infamous Stuxnet virus came to light, detailing how it had been designed to ruin hundreds of centrifuges used in Iran’s uranium enrichment program. It was the first time a digital weapon was intentionally used by a nation-state to physically damage an adversary’s industrial control system.

The US Department of Homeland Security has identified 16 sectors that it considers to be vital components of critical infrastructure, including such things as ‘commercial facilities’—shopping and convention centres, office and apartment buildings, and other sites where large numbers of people gather—emergency and financial services, and information technology. In May 2017, President Donald Trump issued an executive order to further strengthen the cyber security of the nation’s critical infrastructure.

In Australia, our view of critical infrastructure is generally confined to physical systems that enable telecommunication, water and energy services to operate unimpeded. We need to rethink our approach. Our outdated, horizontal understanding of critical infrastructure downplays the co-dependent relationships between sectors. American cybersecurity expert Melissa Hathaway proposes switching the focus to critical services. Using that approach, energy and the internet (or telecommunications as a whole) would sit atop a hierarchy of other services that rely on the first two to operate.

In both the US and Australia, a majority of critical infrastructure is privately owned, making common standards difficult to enforce. In addition, many industrial control systems were constructed in the mid- to late 20th century, when the internet was fresh and cybersecurity wasn’t a major concern. Adapting or replacing legacy systems and protocols presents a serious challenge, which has often been used as an excuse to continue to use outdated and unsafe technology.

A campaign against the use of smart meters was launched in Australia in 2013 after a study from the University of Canberra revealed privacy and safety vulnerabilities in similar devices used overseas. Some smart meters collect personal information that could reveal when users are away from home, and even disclose how often appliances are used. Such devices could also prove dangerous for utility providers. Several years ago, hackers cost the Puerto Rican power company as much as $400 million by compromising smart meters.

So what damage could a cyberattack on Australia’s critical infrastructure inflict? Well, we already know. South Australia’s 2016 statewide blackout had effects similar to a cyberattack. A once-in-50-year storm disrupted crucial services such as energy, telecommunications, finance, transport and the internet. Nearly two million people lost power. Trains and trams stopped working, as did many traffic lights, creating gridlocks on flooded roads. An unknown number of embryos died at a fertility clinic in Flinders Hospital when a backup generator failed. The average financial loss to businesses was $5,000, with total losses of $367 million. The incident highlighted the danger of cascading failures in interconnected critical infrastructure.

Disrupting utilities that power an entire city could cause more damage than traditional terror tactics such as bombings, and can be performed externally with more anonymity. Again, severe storms provide an example: a loss of power can cause more deaths than the physical destruction itself. When Hurricane Irma damaged a transformer, for example, and the air conditioning failed, 12 residents at a Florida nursing home died of suspected heat-related causes.

The risks associated with industrial control systems don’t only affect human safety; they threaten the environment as well. In Australia’s first case of industrial hacking in 2000, Vitek Boden compromised the Maroochy Shire Council water system, sending a million litres of sewage into parks and waterways.

Our heavy reliance on connected devices means that exploitation of internet-dependent platforms can cause not only physical disruption, but also financial chaos. Last week the World Economic Forum revealed that the financial damage caused by an attack against a cloud-computing firm could equal or surpass that caused by Hurricane Katrina. That fact further supports the notion of switching the focus from physical infrastructure to critical services. The Australian government’s creation of the Critical Infrastructure Centre, which includes information technologies and communication networks in its definition of critical infrastructure, is a step in the right direction. And in March, ASPI will publish a report detailing IoT vulnerabilities and critical service protection, along with recommendations to address them.

But it’s clear that to safeguard Australia’s critical services from cyberattack, we need to improve communication and coordination between service providers, and to clarify the roles and responsibilities of cyber agencies. We must also prioritise the introduction and adoption of safety guidelines for IoT devices and strengthen international collaboration in this area.

The threats to energy grids, commercial facilities and online platforms vary significantly, yet all share a similar, frightening susceptibility to cyberattack. It’s a worry that’s not going to go away.

Obstacles for the cyber kangaroo

In mid-October, Dan Tehan, the minister assisting the prime minister on cyber security, announced that the Australian government is considering introducing new legislation on the internet of things (IoT; for an introduction to this topic, see my previous post). Under the proposed legislation, IoT device makers would have to include a security rating on their products. The concept is similar to an energy efficiency rating, which became mandatory for certain appliances in Australia in 2012. Introducing a ‘cyber kangaroo’ (PDF) rating is an appealingly practical measure that, if it’s done well, could improve consumer awareness of cybersecurity issues and encourage industry to adhere to minimum security standards. But there are several reasons why it would be more difficult to implement than an energy rating and could potentially increase consumers’ susceptibility to attack.

First, the vulnerability of an IoT device is likely to vary over its lifetime as weaknesses are discovered and then patched. The energy efficiency of a refrigerator or washing machine, by contrast, is relatively fixed. When UK police chief Mike Barton suggested a security rating for IoT devices earlier this year, tech editor Samuel Gibbs correctly noted that ‘a device’s resilience to attack from cyber criminals can change over time’. Cybercrime is an ever-evolving discipline and new vulnerabilities are constantly being exposed. At best, a security rating would only reflect the security information about a device at the time of manufacture.

The firmware in modern cars is one example of a product whose security may change over time. In 2015, Charlie Miller and Chris Valasek hacked a 2014 Jeep Cherokee and were able to remotely control the steering and brakes and drive the car into a ditch. A notionally safe car had been rendered provably insecure. The vulnerability was then patched, making the car ‘safe’ again, until Miller and Valasek hacked the same car a year later (albeit not remotely). This cycle of hacks and patches could render an initial security rating meaningless and shows that the vulnerabilities of a particular device (or set of devices on wheels) can’t accurately be defined by a manufacturer’s sticker.

Another obstacle that the cyber kangaroo would need to hop over is the variation in IoT products. A Jeep Cherokee and a baby monitor present vastly different dangers, but compromise of either can have serious consequences. While there’s no doubt that the IoT needs security standards, some categories of devices that are safety-critical probably require commensurately robust security features. It will be difficult and expensive to come up with a cyber roo that appropriately rates all the different categories of IoT devices.

Finally, a cyber rating might lull consumers into a false sense of security by negating their own role in protecting themselves from attack. Knowing that they purchased an approved device could make consumers less likely to download updates or change the original password. Humans are often the weakest link in the cybersecurity chain. The idea of placing warning labels on IoT devices has been raised and amusingly compared to the warnings on Australian cigarette packages. While increasing the public’s cybersecurity awareness is important and this idea has merit, it would need to be done in a way that doesn’t create legal loopholes for industry to forgo built-in security.

With these concerns in mind, there seem to be four possible avenues for the cyber roo:

  • a pass/fail score that assesses compliance with baseline standards. For example, a product could receive a tick of approval if it has changeable passwords, uses encryption, and uses only approved communication protocols (or whatever the agreed-upon standards are)
  • a pass/fail score that assesses compliance with baseline standards and also tries to assess whether device security will be acceptable in the future. That could include assessing updateability, support lifetimes and a company’s commitment to providing regular and timely updates
  • a graded score that assesses manufacturers’ preparedness to meet basic security principles. For example, 0 = device cannot be patched, 1 = manual capability to patch exists but has never been used in practice, 2 = manufacturer patches occasionally, 3 = manufacturer investigates and patches vulnerabilities promptly
  • a security database that is combined with a warranty repair and recall system. This would involve assigning a virtual rating to a device that is adjustable through its lifetime to take account of the latest vulnerabilities. Customers could be notified of updates or recalls by a subscription service. While it would be expensive to implement, a changeable security rating would encourage manufacturers to provide lifelong security for their devices.

The cyber roo concept is so fresh that details about how it might work are scarce, which makes it challenging to definitively support or oppose the move. An advisory committee composed of industry representatives has until the end of 2017 to present ideas to the government about how the security rating system could be adopted.

Ultimately, a well-reasoned IoT rating system has the potential to add value to the cybersecurity domain in Australia. Conversely, a simplistic rating system that fails to differentiate between manufacturers’ and consumers’ responsibilities will have a negligible impact and waste resources. Estimates indicate that 20.4 billion devices will be connected globally by 2020, so the longer it takes to implement a security rating system the more insecure devices we’ll have in our lives. There are numerous ways that this concept could be executed, but not all paths lead to the same destination. A well-thought-out security rating system will require research and funds, and will involve much more than simply slapping a kangaroo sticker on our kitchen appliances.

You can’t write an algorithm for uncertainty: why advanced analytics may not be the solution to the military ‘big data’ challenge

The proliferation of sensors and data sources available to a modern military like the ADF often swamps the ability of the analyst to find what’s truly relevant in the sea of information. The exponential increase in sensors and data sources hasn’t been matched by an increase in human resources to process them. That imbalance makes aspirations of ‘information superiority’ untenable, leaving militaries vulnerable to promises that they’ll have machine solutions for and certainty about what’s an inherently human and uncertain problem: war.

We must be careful about proclaiming a revolution in military analytics and be cognisant of the failed promises of the last ‘revolution’ that occupied Western military attention. ‘Advanced analytics’ is a bet on computers being able to process the data deluge in a meaningful way to support military decision-making. My concern is that we don’t fully understand how difficult that is to achieve, or the significant changes that such a gamble implies for the workforce charged with implementation.

The fallacy of smart computing. Computers are only as smart as we program them to be. In the absence of Skynet-level AI, they can’t interrogate data holdings to generate links between diffuse pieces of information to predict or assess the military actions of a thinking human adversary. Existing software can’t make sense of complex human interactions in the same way, or with the same time-sensitivity, that a well-trained analyst can or should. Much is made of the ability to assist with pattern recognition, and while analytics can certainly assist with that task, it still relies on someone programming the correct patterns to recognise. But understanding what those patterns might look like implies a degree of certainty about the tactical environment that rarely exists on the battlefield.

Workforce design. The quandary we face is whether to design intelligence architecture around unproven advanced analytics platforms to get the most out of the technology, or to design an architecture that supports the analysts to understand the environment in which they work. Currently, with the personnel and technical overheads required to give advanced analytics systems a fighting chance—particularly in the fields of data entry and algorithm development—those two concerns appear mutually exclusive.

Uniqueness of military data. Advanced analytics tools are seductive when designers conduct demonstrations using carefully calibrated data to show their theoretical capability. But military data is rarely clean and is inherently difficult to control. Analysts deal with everything from UAS feeds, to Facebook posts, to scraps of paper and everything in between. Those are unstructured data sources that are ill-suited to the needs of a platform designed to ingest and analyse structured data. Data standards are incredibly hard to control, and ‘cleaning’ data to make it usable is both time-consuming and takes an analyst away from trying to fuse their assessments across data sources. When the ‘data in’ is poor, the ‘data out’ will be wrong. Many of the analytics platforms marketed to the military were developed for finance and industry, where there are limited data sources and the data can be structured to suit the purpose of analysis. That isn’t the case in the land warfare domain, and it’s largely impossible at this point to write an algorithm that can bring order to the chaos that’s inherent to war.

Stovepiped development. Powerful software is available to exploit single-source sensors, but those tools are rarely linked into an all-source fusion tool. Many of those systems are also proprietary software, meaning they can’t be exported into more powerful fusion systems. A sensible approach might be to design the all-source fusion system first and have individual sensor requirements nested underneath. However, that implies a level of capability development and acquisition alignment far in advance of existing stovepiped practice. A continuing challenge will be to find tools that work across the myriad defence systems, classified and unclassified, to provide a unified data environment as part of an enterprise approach to intelligence.

The cognitive shift. Military analysts have traditionally relied on qualitative rather than quantitative skills. Their successes have mainly been based on forming judgements from scraps of disparate information, supported by the intuition that comes from hard-won experience. The skills and aptitude needed to operate advanced analytics are largely the opposite. They rely on programming and coding skills—a quantitative aptitude to order and synchronise data. Those skills are more advanced than simply being technology ‘savvy’. If those tools are to be the centrepiece of any future intelligence, surveillance and reconnaissance enterprise, they’ll require a significant cognitive shift from the intelligence workforce. The questions must be asked: What’s lost in the process? And for what measurable gain?

Tail to wag the dog. Advanced analytics platforms require enormous back-end support to make them work, and maintaining an army of dedicated contractors is beyond the scope of most militaries. Data scientists are the most in-demand profession in today’s job market, and there’s no guarantee the military can access them in sufficient numbers to ensure the functionality of a chosen system.

Militaries must decide what they need advanced analytics to achieve. Only when that understanding is reached can they partner with industry to design the tools to achieve it. This lack of translation between user need and provider solution is the biggest stumbling block to any meaningful progress in the short term. Ultimately, however, we need to understand whether it’s even feasible to expect computers to make sense of war’s inherent unpredictability. After significant work and investment, computers may be able to assist in ordering and sequencing data to make analysis more efficient, but I’ll wager that they’ll be unable to provide any greater certainty than a team of well-trained and experienced analysts who understand the true difficulty of creating order from chaos.

Cyber wrap

It’s been a big week in cybersecurity. The twin giants of #infosec conferences, Black Hat and DEF CON, have just wrapped up in Las Vegas, and a DefCon Beijing beta event has been announced. The show-stealer was the open challenge, in which five different types of voting booths were left in a room for DEF CON attendees as a challenge. The first booth was hacked after 90 minutes, and the exercise demonstrated a number of poor security procedures, such as the default administrator passwords for the booths being unchanged and available online. They were not able to change votes, however. For a great write-up of the other keynote events and lectures, see here. In equally momentous news, yesterday marked the fourth anniversary of the launch of ASPI’s International Cyber Policy Centre. Happy birthday, @ASPI_ICPC!

Russia has taken steps to pass a law that will ban the use of virtual private networks (VPNs) and other anonymisation technologies in the country. It will enter into force on 1 November 2017. Other legislation is set to come in early next year that will force messaging app companies to identify users by phone numbers by 1 January 2018. Edward Snowden, ex-NSA ‘whistleblower’ (and current Moscow resident), has publicly criticised the ban on VPNs, and noted it’s the second of such bans this week, with Apple reportedly removing VPN apps from its App Store in the Chinese market. While the exact cause of the removal was initially unclear, Apple has since released a relatively short statement taking responsibility for the removals, saying that the VPNs were not licensed under Chinese law. More than 60 VPNs have been affected so far.

Singapore’s privacy commission has proposed changes to the country’s personal data protection laws to provide mandatory data breach notification. Data breaches have remained topical elsewhere in the world, as Sweden’s nationwide motor registry data breach crisis has claimed the jobs of two Swedish ministers, Interior Minister Anders Ygeman and Infrastructure Minister Anna Johansson, and has saddled the prime minister with the possibility of facing a vote of no confidence. Data breaches have affected television as well. HBO’s internal databases were breached (again) and 1.5 terabytes of data exfiltrated. It’s not clear whether the data includes yet-unreleased episodes from season 7 of the hit TV show Game of Thrones, but written material from next week’s fourth episode has been released online.

Elon Musk and Mark Zuckerberg have had a public disagreement about whether we should welcome or fear our new artificial intelligence (AI) ‘overlords’. While Zuckerberg has described Musk’s concerns of an AI-led apocalypse as ‘irresponsible’, Musk has fired back that Zuckerberg’s understanding of the subject is ‘limited’. Commentators have suggested that it’s more about a difference of time scales, or a difference of branding, than a difference of opinion. In what might be a point for Musk, Facebook has gone back to the drawing board on one of its AI projects after two chatbots in the project began communicating in their own language consisting of shorthand English strung together nonsensically, to humans at least.

A New York Times piece has outlined how China is aiming to become a leader in AI technology research and development by 2030, and how it’s spending billions of dollars to foster innovation. By contrast, the US has yet to create a national strategy for continued innovation in AI. There are programs and projects no doubt, like this week’s announcement that the US Air Force is looking at using AI to monitor Twitter and social media networks, but there’s an increasing risk that the US might find itself on the wrong side of the innovation offset.

Innovation remains high on the agenda for the Australian government. The Digital Transformation Agency and the Australian Public Service Commission are currently looking to find and place 250 cadets and apprentices in Australian government agencies to start off their brilliant careers in IT. On the senior side of the career spectrum, the Department of Defence’s chief information officer, Peter Lawrence, has come to the end of his five-year term after steering the department through a number of major programs and reforms. The Australian Communications and Media Authority will be conducting a review of the NBN and its 21 contractors and subcontractors by compelling all of the companies involved to provide data about why the NBN has been underperforming. And the South Australian government is allegedly introducing laws that would compel child exploitation website operators to provide their passwords so that law enforcement can access personal data held in their computers or personal clouds. The news has ignited some concern, though details remain scarce.

Adobe is killing off its Flash media player by 2020. Most have speculated that the reason for the closure is security, as Flash has been an infamous (and growing) source of many critical vulnerabilities. The move has been long predicted, as the functions that Flash provided have largely been replaced by more secure and well-developed standards. Several major tech companies, including Microsoft, Facebook, Apple, Google and Mozilla, have laid out roadmaps for how they’ll be moving on from Flash, and it looks like the change won’t be a big deal.

It’s been a good week for any ‘mooches’ looking for some free but good anti-virus software. Cybersecurity company ESET is offering a free 12-month subscription to its internet security service in partnership with PC Tech Authority Australia; it’s available here. Similarly, Kaspersky has begun offering a free version of its anti-virus software. In addition to improving the baseline security of users, one of the reasons the company is offering the software for free is that free installs of the software that encounter malware will provide more data points to improve Kaspersky’s threat-intelligence machine-learning systems.

Cyber wrap

Today the Prime Minister will release the first annual review of Australia’s Cyber Security Strategy, which the PM foreshadowed in an op-ed for The Australian. The PM says that his government is ‘pleased with progress’, noting the success of the first Joint Cyber Security Centre in Brisbane, and higher levels of awareness amongst business leaders. The PM’s confidence in the growing maturity of Australian public and private sector cyber security awareness is supported by the Australian Cyber Security Centre’s 2016 Cyber Security Survey, also released today, which shows that 71% of surveyed organisations have an incident response plan, an increase of 11% on the 2015 result. Also keep an eye out tomorrow for the release of the Australian Cyber Security Growth Network’s Cyber Security Competitiveness Plan.

Kaspersky Lab has published its Cybersecurity Index for the second half of 2016, aggregating the results of 17,377 respondents across the world on their attitudes to cybercrime, their online activity and the cost of cybercrime. The report shows that more people are concerned about cyber security and are taking steps to protect themselves. Overall, 74% of those surveyed didn’t believe that they would be a target for cybercrime, a 5% drop on the result from the first half of 2016. Only 39% of respondents don’t take any cyber security measures on their devices. At the corporate level, new research from Oxford Economics has found that a company’s share price falls by an average of 1.8% on a permanent basis after a major cyber security breach. For a major UK FTSE100 firm this equates to a loss of £120 million.

China’s Cyberspace Administration has released a new draft law on international data transfers. The legislation would require firms to submit to annual security reviews of their international data transfers, and prohibits the international transfer of data on economic, technological or scientific activities overseas that could damage national security. The draft law would also require companies to obtain the express permission of users before transferring their information overseas. According to the Cyberspace Administration the new rules are necessary to secure ‘personal information, the safety of data and to protect internet sovereignty and national security.’ However the vagueness of the draft law, and long-standing concerns about Chinese cyber protectionism and censorship, mean that many outside China interpret the move as another attempt by Beijing to restrict foreign access to the internet in China.

While China increasingly seeks to control access to cyberspace, the G7 issued a declaration last week that repeated its commitment to an ‘accessible, open… [i]nteroperable, reliable and secure cyberspace.’ The declaration on responsible states behaviour in cyberspace largely repeats previous statements from the G7, including commitments to online rights, the application of international law and the norms agreed by the 2015 UN Group of Governmental Experts and the 2015 G20 Leaders’ Communiqué. It also reiterated the G7’s support for the development of confidence building measures, such as crisis communications channels, through regional forums including the OSCE and ASEAN Regional Forum. Interestingly, the declaration includes the statement that a state ‘is free to make its own determination in accordance with international law with respect to attribution of a cyber-act to another State.’ That runs counter to the calls from some, including Microsoft President Brad Smith, for an international cyber attribution agency. Meanwhile, RT has reported that Russia has provided a draft of a new international convention on cybercrime to the UN, to replace the 2001 Budapest Convention, which Russia hasn’t signed.

Last week’s failed North Korean missile test has prompted renewed speculation on the role of US cyber capabilities in undermining Pyongyang’s missile program; however, the US declined to comment. The tensions with North Korea have also reportedly prompted the US Department of Defense to fund work on cyber protection of the US power grid, and the establishment of an emergency communications system. The Defense Advanced Research Projects Agency (DARPA) issued a statement last week on what it calls the ‘Rapid Attack Detection, Isolations and Characterisation System’ (RADICS). The System, being developed in cooperation with BAE Systems, seeks to protect national security capabilities dependent on the power grid. According to BAE Systems, RADICS, which won’t be ready until 2020, should detect attacks before they occur and isolate target networks, such as enterprise systems and power infrastructure, to disrupt malicious cyber attacks.

And in brief news, Europol and Brazil have signed a new agreement to cooperate on cybercrime, and Germany and Israel have taken steps to deepen their cyber cooperation, with the first international chapter of the Cyber-Security Council of Germany opening in Israel last week. NASA’s CIO has told Bloomberg that she considers it a ‘matter of time’ before an object in space is hacked, and discussed the challenges of securing decades-old equipment orbiting Earth from cyber threats. And in the UK it has been revealed that the Foreign Office has been subjected to a sophisticated phishing campaign by hackers dubbed the ‘Callisto Group’, which targeted personnel working on Eastern European and South Caucasus policy issues.

Cyber wrap

For the final two cyber wraps of 2016, ICPC will review some of the biggest cyber stories to make headlines over the last twelve months so that we can all laugh, cry and reflect on the year that was together.

On the home front, 2016 was a big year. Australia’s Cyber Security Strategy was released in April by Prime Minister Malcolm Turnbull. The Strategy committed a total of $230 million to new initiatives to strengthen Australia’s cyber security, in addition to the $400 million funding already allocated to cyber security efforts in the 2016 Defence White Paper. The Strategy also created a new ministerial position for cyber issues, with two new positions—a Special Adviser to the PM, and a Cyber Ambassador—joining the existing ACSC Coordinator. Work has commenced on new capital city threat sharing centres and academic Centres of Excellence, as have preparations to move the ACSC from within ASIO HQ to new digs that will be more accessible to private sector partners and cyber workers with lower levels of security clearance. While those are all promising signs for the implementation of the Strategy, there’s been some criticism from industry about the pace of implementation. Full steam ahead for 2017.

Australia’s offensive cyber capability, which is being housed in the Australian Signals Directorate HQ, was also announced in the Strategy. While there understandably isn’t much detail available, the PM revealed that Australia’s capabilities have been engaged against Daesh’s cyber efforts in the Middle East. Other Australian highlights for 2016 include the second annual ACSC Threat Report, which revealed a state actor was behind the hack of Australia’s Bureau of Meteorology which took place last year.

2016 also saw a major change in how the internet is managed worldwide, with the transition of the Internet Assigned Numbers Authority (IANA) from a US Department of Commerce contract to a standalone multi-stakeholder-led institution. The move was the culmination of a policy plan which stretches back to the Clinton administration, which was spurred along by the Snowden disclosures and increasing international concern about the US’s role in internet governance. The transition was delayed several times as the multi-stakeholder community struggled to implement a plan to take on the function, and was nearly further delayed by court action initiated by US Senator Ted Cruz. However, the move was eventually successful on 1 October. While the average Internet user wouldn’t have noticed any difference, the transition is a win for proponents of the multi-stakeholder model of internet governance.

Several other countries released new cyber strategies in 2016, with Britain, Germany, New Zealand and Singapore providing some interesting policy contrasts to Australia’s effort. Britain’s government is taking a stronger position in protecting its citizens online, Germany is increasingly concerned about privacy, New Zealand is focused on cybercrime and education, and Singapore remains set on maximising digital growth’s full potential.

Cyber security incidents also remained weekly news in 2016. The fallout from the Dyn DDoS incident back in October continues to reverberate as other attempts to exploit security vulnerabilities of IoT infrastructure have followed, including one affecting Germany’s Deutsche Telekom earlier last month. In the US, the revelation that Yahoo! had hidden a 2014 data breach complicated the planned Verizon takeover. Other big breaches this year include the DNC hack (which we’ll cover next week), the US$81 billion compromise of the SWIFT network through Bangladesh’s Central Bank, and Australia’s largest ever data breach, when the Red Cross Blood Service accidentally leaked the personal information of more than 550,000 donors.

We’ll see you next Wednesday for part two of our wrap-up of the year that was!

Cyber maturity 2016: digital growth in our neighbourhood

The Asia–Pacific’s rapid online growth has contributed to its rise as the world’s new economic centre of gravity. With the majority of the world’s internet users now living in the Asia–Pacific, the region abounds with both digital opportunities and vulnerabilities. Asian governments are increasingly looking to cyberspace to facilitate better governance and critical national infrastructure delivery, and citizens are using it to connect with each other and new digital business opportunities. As individuals, businesses and governments in the Asia–Pacific become more reliant on the benefits of cyberspace, cybersecurity will become an essential ingredient for regional and international stability. As such, developing behavioural norms and confidence building measures for cyberspace, while also improving awareness of the regional threat landscape, must be a high priority for all parties concerned.

ASPI’s third annual cyber maturity report emphasises that countries in the Asia–Pacific are adopting markedly different approaches to cyber security, stability, crime and digital growth, and with varying levels of maturity in their comprehension of risks and opportunities.

The countries of the Asia–Pacific are unevenly developed, with many within their populations remaining illiterate and poor. There’s significant scope for new technologies to advance the rate at which the least-developed countries attain significant goals in the growth of their economy, the education of their people, and their ability to earn. However, many regional governments view the unimpeded flow of information across borders as a threat to their power and seek to constrain it in order to ensure a monopoly on information. Beyond the detrimental effect that has to freedom of expression, those regulations are also inhibiting the emergence of local digital economies, which harms the ability of many to work their way out of poverty.

For some countries, legacy fixed-line telecommunications infrastructure doesn’t have the footprint required to enable widespread internet access; however, mobile connectivity brings cyberspace to more people each year. For example, in Cambodia, only 0.5% of people have a fixed broadband connection while 42% have a mobile broadband connection. The emergence of cheap handsets and new apps in local languages is assisting otherwise disconnected individuals to engage with cyberspace: a small step towards closing the digital divide. As access to cyberspace grows, first-time users will be exposed to the potential dangers that cyberspace poses to the uninformed or uneducated, and more work will be required to support the security of new internet users.

Unfortunately, the cost of connectivity remains prohibitive for many in the region and programs to enable cheaper access, such as Facebook’s Free Basics program, have been praised by some but opposed by others for violating principles of net neutrality. For example, the Solomon Islands’ size and remote location makes a submarine cable connection uneconomical for commercial operators. In its absence, expensive satellite connections remain the only option. In other countries, such as Bangladesh, substandard infrastructure is inhibiting digital growth, with unstable power supply leaving connections unreliable.

At the other end of the spectrum, the region offers up some of the world’s most cyber-savvy and network-dependent countries. Japan and South Korea are among the most connected in the world, with over 100 mobile broadband connections per 100 people in both countries. The ubiquity of cyberspace and its importance to their citizens, government and economy, and the vulnerability of their geo-strategic situation, mean that those countries lead the region in the importance placed on attaining cybersecurity. Similarly, Singapore sits near the top of the rank table. The island nation’s mature cyber policies are informed not only by its understanding of online risks and opportunities, but also by a strategic culture of economic reliance on technology and strong defence posture that highlights the strategic benefits of cyberspace.

Cyberspace, with the potential it offers to enhance development and open new opportunities, will be a key enabler of a secure, stable and prosperous Asia–Pacific. Preserving regional cybersecurity will require coordinated efforts by capable like-minded countries to support emerging norms of behaviour and confidence building mechanisms for cyberspace. Capacity building in the form of providing policy, legislative and technical support to rapidly developing countries is also an essential endeavour for international partners. Creating a region that engages in cyberspace in a mature way is a daunting task, but one that’s increasingly critical to global security and must be led by the major economies of the region.