This collection of short papers developed by the Australian Institute for Machine Learning (AIML) at the University of Adelaide and the Australian Strategic Policy Institute (ASPI) offers a refreshing primer into the world of artificial intelligence and the opportunities and risks this technology presents to Australia.
AI’s potential role in enhancing Australia’s defence capabilities, strengthening alliances and deterring those who would seek to harm our interests was significantly enhanced as a result of the September 2021 announcement of the AUKUS partnership between the US, the UK and Australia. Perhaps not surprisingly, much public attention on AUKUS has focused on developing a plan ‘identifying the optimal pathway to deliver at least eight nuclear-powered submarines for Australia’.
This AIML/ASPI report is a great starting point for individuals looking to better understand the growing role of AI in our lives. I commend the authors and look forward to the amazing AI developments to come that will, we must all hope, reshape the world for a more peaceful, stable and prosperous future.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/14215243/SR183-ai-questions_banner.jpg5441632nathanhttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgnathan2022-04-11 06:00:002025-03-06 14:16:20Artificial intelligence: Your questions answered
ASPI’s International Cyber Policy Centre has launched the Understanding Global Disinformation and Information Operations website alongside this companion paper. The site provides a visual breakdown of the publically-available data from state-linked information operations on social media. ASPI’s Information Operations and Disinformation team has analysed each of the data sets in Twitter’s Information Operations archive to provide a longitudinal analysis of how each state’s willingness, capability and intent has evolved over time. Our analysis demonstrates that there is a proliferation of state actors willing to deploy information operations targeting their own domestic populations, as well as those of their adversaries. We find that Russia, Iran, Saudi Arabia, China and Venezuela are the most prolific perpetrators. By making these complex data sets available in accessible form ASPI is broadening meaningful engagement on the challenge of state actor information operations and disinformation campaigns for policymakers, civil society and the international research community
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/14221110/infoops_snap.png4501350nathanhttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgnathan2022-03-30 06:00:002024-12-14 22:13:26Understanding Global Disinformation and Information Operations: Insights from ASPI’s new analytic website
Guidance on implementation for Member States of ASEAN
Foreword
Global digital growth is continuing to fundamentally transform the lives of people, businesses and institutions, bringing people out of poverty, increasing wider prosperity, welfare and enabling new ways for governments and citizens to engage with each other. It is also creating a more connected world and supporting globalisation with greater access to free markets, democratic systems, prosperity and innovation.
But as we become more reliant on cyberspace, malicious cyber activity has grown in intensity, complexity and severity over recent years, with rising incidents of cybercrime and hostile states targeting critical national infrastructure, democratic institutions, business and media. There is too much at risk to allow cyberspace to become a lawless world and we need to continue to work together to identify the rules of the road in how international law applies to state behaviour in cyberspace just as it does to activities in other domains.
The 11 norms, as part of the UN framework of responsible state behaviour in cyberspace, is a way to help develop those rules of the road and the UK, as part of our outreach, is committed to supporting partners across all continents be better able to both implement the norms but also be better empowered to join in the international debate in the UN.
This ASPI programme has provided an insight into meaningful measures being put in place across ASEAN to deliver the norms, showcasing the region as trailblazing good practice and policies. Sharing and communicating these is in itself a confidence building measure and the examples shared in this report will have an impact across the global debate.
The UK, as a responsible democratic cyber power is proud to have supported this report and we look forward to future activity in the ASEAN region and globally to help shape the future frontiers of an open and stable international order in cyberspace.
– Will Middleton, Foreign, Commonwealth and Development Office, UK
Advances in cyber and critical technology underpin our future prosperity but they also have the potential to harm national and economic security interests and undermine democratic values and principles. The countries that can harness the current wave of innovation while mitigating its risks will gain significant economic, political and security advantages and will be at the forefront of 21st century leadership.
As states increasingly exert power and influence in cyberspace, it is important that there are clear rules in place. In other words, cyberspace is not the Wild West, all countries have agreed that existing international law applies in cyberspace and all countries have endorsed UN norms of responsible state behaviour.
The Plan of Action to Implement the ASEAN Australia Strategic Partnership 2020–2024 details our joint commitment to an open, secure, stable, accessible and peaceful ICT environment. Australia will continue to work closely with our ASEAN partners to deepen understanding and implementation of longstanding agreements of international law and norms in cyberspace.
This report, produced by APSI in partnership with Australia’s Cyber and Critical Technology Cooperation Program and the UK Foreign, Commonwealth and Development Office, is the result of a multi-year cyber-capacity building program focused on supporting the effective implementation of UN norms throughout ASEAN.
These 11 norms lay the groundwork for collective expectations for state behaviour in cyberspace. They are the bedrock on which regional and bilateral agreements around state behaviour in cyberspace are built and create a mutually reinforcing set of agreements and expectations.
Australia is grateful for ASPI’s tireless work on this important cyber-capacity building project helping to kickstart the process of understand and actioning the norms and behaviours which are central to an open, free, safe and secure cyberspace.
– Dr Tobias Feakin, Ambassador for Cyber Affairs and Critical Technology, Australia
Introduction
This document is the result of a multi-year cyber capacity-building program by ASPI in partnership with the UK Foreign, Commonwealth and Development Office and the Australian Department of Foreign Affairs and Trade (Cyber and Critical Technology Cooperation Program). Through the project, the partners sought to support member states of the Association of Southeast Asian Nations (ASEAN) with the implementation of the United Nations (UN) norms of responsible state behaviour in cyberspace. The content of this publication is primarily based on experiences, inputs and outputs from activities run under this program.
What are norms?
Norms in international affairs are generally defined as ‘a collective expectation for the proper behaviour of actors with a given identity’.
Norms are norms for the following reasons:
They are widely shared and agreed among a large group of states; norms exist only because we all believe they exist and apply.
They exert a moral attractiveness for states to conform to norms; states prefer to be seen to endorse, follow and promote norms, and to be responsible members of the international community.
They assign specific duties and obligations, albeit non-legal, for specific actors; most norms in cyberspace are regulative in character at the national level, as they recommend that states prescribe, prohibit or permit certain activities.
They are dynamic; they develop as expectations and opinions in society about what’s responsible and acceptable change over time.
People, organisations and states will—from time to time—contest or violate norms; this doesn’t mean that a norm does not exist as long as the norm remains accepted by a large and influential enough community, and the violator is held to account.
Source: Based on Martha Finnemore, Cybersecurity and the concept of norms, Carnegie Endowment for International Peace, 30 November 2017, pp. 1–2.
The UN norms were first agreed by a UN group of governmental experts in 2015. The group’s report was subsequently endorsed by consensus at the UN General Assembly in 2015 through resolution 70/237. It called on all member states ‘to be guided in their use of ICTs’ by the 2015 report. The focus on the operationalisation and implementation of the UN norms was also front and centre in the 2019–2021 round of UN First Committee negotiations. The report of the OEWG recommended that states ‘further support the implementation and development of norms’. The 2021 UNGGE report offers an additional layer of understanding to help governments with their implementation.
In 2018, the ASEAN leaders expressed a commitment to operationalise the UN norms as a core element in ASEAN’s approach to promoting regional stability in cyberspace. That same year, the ASEAN ministers responsible for cybersecurity subscribed in principle to the norms. At the 2019 ASEAN Ministerial Conference on Cybersecurity, they agreed to establish a working committee to develop a framework for implementation.
Participants reaffirmed the importance of a rules-based cyberspace as an enabler of economic progress and betterment of living standards,and agreed in-principle that international law, voluntary and non-binding norms of State behaviour, and practical confidence building measures are essential for stability and predictability in cyberspace.
– Chairman’s statement of the third ASEAN Ministerial Conference on Cybersecurity, 2018.
In compiling this document, ASPI intends to contribute to the ongoing UN and ASEAN working groups, and offer participants region-specific perspectives based on real and observed examples of good practice. The information was gathered through various regional workshops and training activities that took place between 2019 and 2021, and supplemented with open-source research.
This document consists of two main parts:
An explanation of the norms implementation process.
Practical guidance on implementation with examples from the ASEAN region.
Each government is responsible for its own pathway to implementation and for informing other states of its efforts. Expectations of national and regional implementation will alter as states start to focus on local implementation and as understanding of the norms’ meaning grows.
This document should help kickstart that process of understanding and actioning. It should be considered a living document that supports a gradually maturing regional approach.
This document will help policymakers and state officials answer questions such as:
What examples can governments consider to demonstrate their efforts in implementing the UN norms?
How can a state demonstrate that it is implementing and following the UN norms of responsible state behaviour in cyberspace?
Where can a state find advice, assistance and support to advance further implementation efforts?
PART A – THE IMPLEMENTATION PROCESS EXPLAINED
Part A: the implementation process explained
In this first part of the document, the process for implementation of the UN cyber norms is explained. It starts with a clarification of the concept of international norms, how the cyber norms work and what practical steps make up an implementation effort. Examples of mechanisms and tools to demonstrate implementation efforts are also provided. At the end, we elaborate on the reasons why states would want to make an effort to implement the UN norms of responsible state behaviour in cyberspace.
Full text of the UN cyber norms
Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICTdependent infrastructure;
States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.
What are the UN norms of responsible state behaviour in cyberspace?
The UN norms of responsible state behaviour in cyberspace (Figure 1) are 11 voluntary and non-binding rules that describe what states should and should not be doing in cyberspace.
Figure 1: The UN norms of responsible state behaviour in cyberspace
The content of the 11 norms reflects the expectations that the broader international community has of each state and regional organisation.1 They express a common opinion of what is considered to be responsible behaviour by states. Naturally, this collective opinion of what is responsible and what is irresponsible behaviour develops over time as understanding of cybersecurity deepens, incidents occur, and more governments contribute to the process.
The purposes of the norms as reflected in UNGA Resolution 70/237 are to reduce risks to international peace and security, and to contribute to conflict prevention.2 They have been crafted to deal with state-to-state actions that could potentially carry the highest risks to international peace and security and the welfare of citizens.
Norms in international affairs are political agreements. They do not infringe on a state’s sovereignty or impose legal obligations on states.3 In fact, the norms provide a common basis for a state to design strategic direction, develop capabilities and execute actions in a responsible manner.
The UN norms process
International efforts to establish norms of responsible state behaviour in cyberspace concentrate around the work of two groups: the UNGGE and the OEWG.
The first UN group of governmental experts convened between 2004 and 2005, and a sixth round of negotiations concluded in 2021. Four rounds concluded with consensus reports, in 2010, 2013, 2015 and 2021. The OEWG was first established in 2019, and a second round has commenced in 2021 for a period of five years.
The UNGGE and OEWG are predominantly intergovernmental negotiation processes with—at times—opportunities for consultations with non-government organisations and civil society. Those consultations have, however, a non-official character.
The UN cyber groups
UN Group of Governmental Experts (UNGGE) on Developments in the Field of Information and Telecommunications in the Context of International Security
UN Group of Governmental Experts (UNGGE) on Advancing responsible state behaviour in cyberspace in the context of international security
2019-21
UN Open-ended working group (UN OEWG) on developments in the field of information and telecommunications in the context of international security
2019-21 ֍ 2021-25
Member states of ASEAN have been participating in all the meetings of the UNGGE and the OEWG that have convened since 2004. Figure 5 shows ASEAN member states’ participation in the UNGGE and OEWG since 2004. Stars indicate a country’s membership of the UNGGE, and its active participation in the OEWG as determined by written submissions or oral statements.
Figure 5: ASEAN member states’ participation in UN norms processes 2004-2021.
Notes: * Although Brunei has not participated in the UNGGE or the OEWG, it did offer a national views document in 2017; it was the first ASEAN member state to do so. # Although Vietnam did not offer written submissions or made any statements, representatives formally attended OEWG meetings in New York.
In parallel to the UN-facilitated intergovernmental negotiation processes, various multistakeholder and other government-led initiatives have formed too. Examples include:
Cyber Tech Accord: a commitment of 150+ companies to work together and follow a set of principles that seeks to protect and empower users and customers
Paris Call for Trust and Security in Cyberspace: a multistakeholder commitment to work together to reduce risks to the stability of cyberspace and to build up confidence, capacity and trust
Agreement on Cooperation in the Field of ICTs: a proposal by the Shanghai Cooperation Organisation’s six member countries for an international code of conduct
World Wide Web Foundation Contract for the Web: an internet community-led initiative to advance principles of accessibility, affordability, availability and rights-based principles of respect for human rights and privacy for all in the operations of the internet.
What do norms do?
Norms typically codify existing state practice. The UN norms, as introduced in UNGA Resolution 70/237, set the standards of what the international community considers responsible on the basis of observed behaviour by state actors in the past and currently. With these agreed norms, activities and intentions of states can be subjected to assessments. States can be complimented on their response to an incident, or national practices can be heralded as global good practice. Also, states can be reprimanded if they haven’t done enough to prevent an incident, or if they have used cyber capabilities in an irresponsible manner.
In practice, governments will use international norms, such the UN norms of responsible state behaviour in cyberspace, in three ways:
To serve as a point of reference to reassure other states of their good intentions and to demonstrate that they are constructive members of the international community.
To serve as a point of reference to guide national cybersecurity policy and national cybersecurity investments.
To serve as a point of reference to hold other actors responsible for behaviour that is not in line with the UN norms for responsible state behaviour.
Governments that embrace the UN norms and can report on their efforts contribute to predictability, trust and confidence in cyberspace.
How do norms work?
The implementation of internationally agreed political agreements is always challenging. As they have been crafted through an intergovernmental negotiation process, their language and terminology can be ambiguous. For that reason and in the absence of an overall blueprint, it is important that states find their own way and form their own view and approach to embracing the UN’s normative framework.
Figure 2: The four components that make up the UN framework of responsible state behaviour in cyberspace.
The 11 norms should be seen in their entirety and not as a ‘pick-and-choose’ menu. It is important that governments review their efforts in a comprehensive manner covering aspects that touch on issues of national (cyber)security, security of ICTs as well as on constructive inter-state relations.
Furthermore, governments need to keep in mind that the 11 norms are part of a broader framework that also includes the recognition that international law applies to state conduct in cyberspace, a set of confidence-building measures and a commitment to coordinated capacity building.4 Together, those four components make up the UN framework of responsible state behaviour in cyberspace (Figure 2).
In general, the more states show commitment to the norms and actively engage in their implementation, the more robust the norms become and the more compelling the call for compliance becomes.
What does the implementation of international norms involve?
States can demonstrate their implementation of international norms of behaviour in various ways (see figure 3). Typically, implementation occurs at three different levels: at the level of political endorsement, national laws and policies, and actions on the ground (Figure 3).
First, political endorsement can be demonstrated, for example, through voting in favour of relevant resolutions at the UN General Assembly, by subscribing to ASEAN leaders’ statements and by (prime) ministerial statements.
Second, states can integrate or internalise norms (explicitly or implicitly) in national legal frameworks, strategies and national policies.
Third, a state can demonstrate implementation by referring to its government practices in the form of its institutional capabilities, doctrine and procedures, and actions. Those practices can offer de facto evidence of a state’s effort to follow norms of responsible behaviour, as they demonstrate an ability and willingness to act.
Implementation of international norms of responsible state behaviour
Figure 3: A framework for the implementation of norms. Source: The author.
Responsibility for the implementation of the UN norms rests with governments. In practice, however, meaningful implementation will rely on individual governments’ ability and willingness to consult and collaborate with industry, civil society organisations, the internet technical community and academia, and on governments’ ability to ensure a whole-of-government approach.
Meaningful implementation requires the involvement of multiple stakeholders and a whole-of-government approach.
For the purpose of including views, expertise and capabilities of non-government stakeholders, mechanisms such as a national action plan or a national road map are proven methods that help build a national or whole-of-economy approach to cybersecurity.
A National Action Plan is an effective method to form an integrated approach to implementation.
What’s a trajectory for the implementation of norms?
Building a national approach to cybersecurity let alone the implementation of the UN norms is neither straightforward nor instant. Typically, stakeholders go through a step-by-step process of gradually increasing their understanding, maturity and comfort with the topic (see figure 4).
A first step is to build awareness across the government of its international responsibilities. This could be achieved through a dedicated training program or awareness campaign on the UN norms.
This should lay the foundation for a cross-governmental recognition that the government is committed to the UN’s normative approach and is willing to be guided by it in its national and international cybersecurity activities.
What follows could be an assessment of where the country stands in its implementation efforts. Such a baseline assessment could be done by a third party or through a whole-of-government mapping process. Figure 4: A step-by-step process towards implementation.
The outcome of the baseline assessment will inform the government of its strengths and areas for improvement.
This could then lead to domestic investments in particular areas of cybersecurity, to requesting assistance from the global cyber capacity-building community, or to offers of expertise to others.
At the end of these steps, one can presume a state to be implementing the UN norms commensurate with its own means and capabilities.
The implementation of norms is a dynamic process that evolves as a country’s maturity in cybersecurity grows over time. At the same time, it’s unlikely that any state will ever reach a state of ‘full implementation’, just as no state will ever be 100% cybersecure.
How can governments demonstrate implementation?
For the purpose of the UN norms (to reduce risks to international peace and security, and to contribute to conflict prevention), it is critical that states demonstrate what they’re doing and what they intend to do. Therefore, documenting and reporting are critical in implementation.
There are several ways for states to make their views, achievements and known capacity shortfalls known.
1. Reporting through the UN Secretary-General
On regular occasions, the UN Secretary-General invites member states to share their views and assessments (see figure 6). Governments can share their ‘general appreciation of the issues of information security; efforts taken at the national level to strengthen information security and promote international cooperation in this field; the content of concepts such as the application of international law; and possible measures that could be taken by the international community to strengthen information security at the global level’.
Figure 6: UN member states’ views and assessments
2. Submissions through UN working groups
As part of the ongoing OEWG process, member states are encouraged to provide written submissions or statements to the working group. The statements are shared by the UN Secretariat to other member states, the chair(s) and non-government stakeholders. States are also encouraged to participate in a UN-facilitated survey of their national efforts and experiences.
3. ASEAN Regional Forum
The ARF’s semi-annual Inter-Sessional Meeting on ICT Security offers participants an opportunity to exchange their views on the regional and global ICT landscape and their efforts and initiatives. For the ARF’s annual security outlook, member countries are asked to submit a contribution that includes a section for ‘cyber/ICT security’.
4. Recognition by third party/ies
A state can engage third-party organisations to perform an external assessment and prepare a report. This could be done through a capacity-building relationship, such as ASPI’s national norms implementation reports (see figure 7). ASEAN member states can also make use of their academic and think-tank organisations such as those represented in ASEAN–ISIS and the Council for Security Cooperation in the Asia Pacific (CSCAP).
Figure 7: ASPI national norms implementation reports
Why would states make an effort to implement the UN cyber norms?
There are a few reasons why states would make the effort to implement international norms, such as the UN norms of responsible state behaviour in cyberspace.
Cyber resilience. By following the recommendations from the norms and through acts of implementation, States are effectively strengthening their national cybersecurity maturity. Therefore, implementation of the norms is directly contributing to a nation’s ability to protect against malicious cyber activity, reduce exposure to risks and vulnerabilities in ICTs, and respond to malicious ICT activity.
International credibility. Most states want to be, and be seen as, responsible members of the international community. Showing demonstrable support for norms of responsible behaviour adds to a country’s international and regional credibility. Domestically, the implementation of international norms helps governments provide direction to their national cybersecurity policy and developments.
Contribute to norm-setting. The effective demonstration of implementation allows states to shape the common opinion of what is and what is not considered responsible behaviour of states and ensure that international expectations align with the local and regional context.
Reassurance, accountability and transparency. In a situation in which a large enough group of states can show demonstrable implementation of the UN norms, each within its own means and capabilities and within its national and regional context, a global environment is created in which states can be reassured of each other’s willingness and ability to prevent unnecessary tensions and unintended conflict. Altogether, this adds to the accountability and transparency of state activities in cyberspace.
PART B – PRACTICAL GUIDANCE ON IMPLEMENTATION, WITH EXAMPLES FROM THE ASEAN REGION
To read part B, please download the full report here.
ASPI’s Bart Hogeveen provides a brief overview of the project.
Acknowledgements
The author would like to acknowledge contributions by officials and participants working with the governments of Brunei Darussalam, Cambodia, Indonesia, Lao PDR, Malaysia, the Philippines, Singapore, Thailand and Vietnam.
Our particular appreciation goes to:
the Department of Foreign Affairs, Department of ICT, Office of the President and the National Security Council, the Philippines
the Ministry of Foreign Affairs and Badan Siber dan Sandi Negara, Indonesia
the Ministry of Information and Communications, Ministry of Foreign Affairs, and the Diplomatic Academy Vietnam, Vietnam
the National Cybersecurity Agency, Ministry of Foreign Affairs, and CyberSecurity Malaysia, Malaysia
In addition, the author is indebted to contributions from Dr Fitriani, Ms Farlina Said, Dr Moonyati Yetid, Mr Eugene Tan, Mr Ben Ang and the Global Forum on Cyber Expertise and support from the UK Foreign, Commonwealth and Development Office and the Australian Department of Foreign Affairs and Trade and their embassies and high commissions in Southeast Asia.
This publication is the output of a project funded by the UK Government and the Australian Government (Cyber and Critical Technology Cooperation Program). More information can be found at https://www.aspi.org.au/cybernorms. The views expressed in this work are not necessarily those of the UK or Australian governments or of the participating governments. The author is responsible for its content, any views expressed or mistakes.
What is ASPI?
The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.
ASPI International Cyber Policy Centre
ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies and issues related to information and foreign interference and focuses on the impacts those issues have on broader strategic policy. The centre has a growing mixture of expertise and skills and teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues. The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity-building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.
Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, micro-copying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publisher. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.
First published February 2022.
Funding support for this publication was provided by the UK and Australian governments.
UN General Assembly, Group of Government Experts on Developments in the field of ICTs in the context of international security, A/70/174, 22 July 2015, paragraph 10. ↩︎
UN General Assembly, Group of Government Experts on Advancing responsible state behaviour in cyberspace in the context of international security, A/76/135, 14 July 2021, paragraph 15; UN General Assembly, Open-ended working group on developments in the field of ICTs in the context of international security, A/75/816, 18 March 2021, paragraph 24. ↩︎
UN General Assembly, Group of Government Experts on Developments in the field of ICTs in the context of international security, A/70/174, 22 July 2015, paragraphs 26-28. ↩︎
It is important to distinguish between ‘norms of responsible state behaviour’ (that is, the UN norms) and what are called ‘norms of international law’. In this document, the term ‘norms’ refers only to the former. ↩︎
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/03/14143838/CYBER-NORMS.png5051524nathanhttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgnathan2022-03-22 06:00:002025-03-14 14:39:48The UN norms of responsible state behaviour in cyberspace
This brief report explores the challenge of producing policy-relevant China research and analysis. Policy-relevant research is defined as work that drives action, affects decision-making, or both. It’s the kind of research think tanks seek to do, bridging the gap between academia and civil servants who work on policy.
This paper focuses on two key findings:
There’s a distinction between conducting policy-relevant research and the process of disseminating it in a way that will effectively shape and influence the policy process in particular places by particular policy- and decision-makers. In practice, the difference between the two isn’t always clearly understood and perhaps not clearly taught.
There’s limited training that prepares the China analytical community to deal with the challenges of producing policy-relevant research under conditions of restricted access to China. Researchers require more support in navigating the research environment and filling skill-set gaps.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/14223233/China-research-and-analysis_banner-Feb22.jpg4501350nathanhttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgnathan2022-02-28 06:00:002024-12-14 22:34:46Producing policy-relevant China research and analysis in an era of strategic competition
Domestic telecommunications companies assist law enforcement by the lawful interception of otherwise private communications when presented with a valid warrant.
This has been a powerful tool to combat crime. In the 2019–20 financial year, for example, 3,677 new warrants for telecommunications interception were issued, and information gained through interception warrants was used in 2,685 arrests, 5,219 prosecutions and 2,652 convictions. That was in the context of 43,189 custodial sentences in the same year.
But law enforcement and security officials assert that the usefulness of ‘exceptional access’, as it’s called in this paper, has declined over time as strong encryption has become increasingly common.
Australian Security Intelligence Organisation (ASIO) Director-General Michael Burgess has stated that encryption ‘damages intelligence coverage’ in 97% of ASIO’s priority counter-intelligence cases.
The problem of increasingly powerful encryption degrading the usefulness of exceptional access is often referred to as ‘going dark’.
The Australian Government has committed to the reform of Australia’s electronic surveillance legislative framework.5 Although its discussion paper mentions encryption only in passing,6 we can expect that encryption and going dark will be a topic of debate as reform is considered. This paper contributes to that debate by examining how firms that provide digital communications services can provide assistance to law enforcement even as strong encryption is increasingly common.
Although exceptional access is primarily concerned with evidence collection, it may be better in some cases to focus on crime prevention, when it comes to achieving society’s broader aim of safety and security. This may be especially true for serious offences that cause significant harms to individuals, such as child exploitation and terrorism.
Accordingly, in this paper I divide assistance to law enforcement into two broad types:
Building communications services so that criminal harm and abuse that occur on the service can be detected and addressed, or doesn’t even occur in the first place. Examples of harms that might be avoided include cyberbullying or child exploitation that occur online.
Assisting law enforcement with exceptional access for crimes that are unrelated to the communications service. Examples of such crimes might include an encrypted messaging service being used to organise drug smuggling or corruption.
I start by exploring the justification for exceptional access and then examine how encryption has affected assistance to law enforcement, as well as the differences between transport encryption and end-to-end (E2E) encryption and the implications those differences have for law enforcement.
I examine encryption trends and discuss the costs and benefits of exceptional access schemes.
I then examine some of the approaches that can be used by service providers to provide these two different forms of assistance as E2E encryption becomes increasingly common. I also summarise some of the advantages and disadvantages of those different approaches.
A number of initiatives seek to embed safety and security into the design, development and deployment of services. They encourage industry to take a proactive and preventive approach to user safety and seek to balance and effectively manage privacy, safety and security requirements. Those initiatives have relatively few big-picture privacy or security drawbacks, but there are many issues on which there isn’t yet consensus on how to design platforms safely. Such initiatives may also need extensive resources for employee trust and safety teams.
Providing law enforcement access to E2E encrypted systems is very challenging. Proposals that allow access bring with them some potentially significant risks that exceptional access mechanisms will be abused by malicious actors.
Watch the launch webinar here.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/14221637/IP58-End-to-End-Encryption_banner.jpg4501350nathanhttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgnathan2022-02-23 06:00:002025-03-06 17:02:07The future of assistance to law enforcement in an end-to-end encrypted world
Opportunities for Australia–India cooperation to support the region in the post-Covid-19 context
What’s the problem?
Covid-19 and the subsequent public-health responses have disrupted social and economic lives across the globe. Fiscal support measures may have alleviated the initial fallout in some places, but one of the bigger shocks has been the accelerated adoption and integration of and reliance on digital technologies. While this is a positive contribution towards digital development, it has also accentuated the already large gap between those able to adopt digital technologies and those without sufficient means to do so.
For the many fragile democracies in the Indo-Pacific, this is creating conditions that could undermine democratic resilience. A central question for these democratic governments is how to drive accelerating digital transformation and ICT-enabled growth towards poverty reduction, sustainable economic growth and building social cohesion while maintaining resilience to cybersecurity threats.
Southeast Asians are exceptional consumers of online goods and services. The region is also home to a growing number of technology start-ups, and governments are pushing this ‘drive for digital’ through ambitious national strategies. Despite those positives, digital growth within the region and within individual economies is uneven.
Human capital is a central driver of poverty reduction, sustainable growth and social cohesion,1 but, in Southeast Asia, digital literacy and skills are lagging behind usage and infrastructure. The adoption of technology is progressing, but problems of affordability, connectivity and coverage remain. There’s a limit to the growth trajectory due to weak demand from micro, small and medium-sized enterprises (MSMEs) that don’t have the means, skills or opportunities to adopt or integrate digital technologies.
This is particularly affecting the livelihoods of non-metropolitan communities, women, MSMEs and those whose jobs may be affected by the introduction of technology and automation.
The digital divide and rising inequality are now the everyday bromides of earnest policymakers. But the phrases have become policy cliches, stripped of meaning, with no sense of the underlying dynamics at play, making the prospects for any viable solutions slim. The Covid-19 pandemic has offered a harsh look at the role of the digital divide in driving inequality and the unedifying future that lies ahead as major technological advances compound and permanently entrench inequality. — Huong Le Thu, ‘Investing in Southeast Asia’s tech future’, in The Sydney Dialogue: playbook, 20212
Since the outbreak of Covid-19 in early 2020, digital adoption has further accelerated and driven greater demand for online services in retail, education and health. However, the pandemic has also contributed to the further widening of pre-existing digital divides. Women have been disproportionately affected, as many are employed in the informal and ‘gig economy’ sectors, which were hit hard by lockdowns. The pandemic has also further exposed more users to cybersecurity and online safety risks in an environment in which practices of cyber hygiene are generally poor.
As a result, the region is now faced with a dual transformation challenge: how can we stimulate further digital development while ensuring that future growth is inclusive?
What’s the solution?
This report recommends Australia and India leverage their bilateral partnership in cyber and critical technologies to support inclusive digital development in Southeast Asia, and strengthen the foundations of Southeast Asia’s digital economy.
The governments of Australia and India should take a more coordinated approach to their digital engagements with Southeast Asian countries, and further consider establishing a Joint Working Group on Digital Engagement to bring together like-minded partners.
Given that India and Australia face digital development challenges that are similar to Southeast Asia, an Australia-India spearheaded cooperation should be approached through a troika-type collaboration with Southeast Asian partners. This collaboration should look to address the region’s digital skills shortage, improve cyber resilience and contribute to digital public infrastructure. This requires a multi-stakeholder effort involving governments, the private sector, civil society and the technical community.
A priority area for additional support are efforts that enhance the digital knowledge and digital business skills of the Southeast Asian workforce. International initiatives should seek to augment or connect with existing local digital skilling programs. Specific areas of focus for Australia and India could include support to female digital entrepreneurship, and improvement of access to online courses and training to upskill MSMEs.
To improve cyber resilience operationally, Australia and India could strengthen and deepen relationships with Southeast Asia’s national cybersecurity agencies and national Computer Emergency Response Teams by exploring ways to share collective resources, expertise and experiences more effectively and more widely across each country’s economic sectors and non-metro areas.
At a strategic level, through the Australia-India Joint Working Group on Cyber Security Cooperation, the two countries could consider the possibility of sharing strategic assessments of the regional cyber threat landscape with Southeast Asian partners.
Finally, India and Australia should explore regional marketplaces for digital public goods and infrastructure which could offer further business incentives to digital, technology and cybersecurity communities in Australia, India and Southeast Asia.
Introduction
Southeast Asia is home to one of the world’s fastest growing markets of internet users. Pre-pandemic, there was enormous optimism about the growth of Southeast Asia’s digital economy. Estimates from 2019 showed a trajectory that would triple its US$100 billion internet economy by 2025.3 During the first year of the Covid-19 pandemic, the region’s internet economy gained more traction, and even achieved double-figure growth in Vietnam and Indonesia.4
Today, the region continues to struggle with new and more contagious variants of the virus, as the majority of the region’s population remains unvaccinated.5 Economic hardship, overburdened health systems and, in some cases, repressive public-order responses are posing challenges to political stability and societal resilience. As a consequence, when combined with the effects of climate change, there’s uncertainty about the long-term economic and social effects and the shape and speed of economic recovery.
Digital technologies6 are playing an integral part not just for contact tracing or getting public-health messages out into the community but also as a driving force for post-pandemic economic recovery. For years, governments in Southeast Asia have been pursuing ambitious digital transformation agendas that have laid a foundation for their emerging digital economies. In a post-Covid world, international partnerships of governments, industry and civil society organisations, such as between India, Australia and Southeast Asia, could form a key element in the region’s digital economic recovery and help set digital standards and norms.
Focusing on Indonesia, Malaysia, the Philippines, Thailand and Vietnam, which are some of the region’s largest and emerging technology-enabled economies, this report explores what efforts can be made by an Australia–India collaboration to support Southeast Asia’s digital capacity and resilience in the aftermath of the Covid-19 crisis. Collaboration between Australia and India in the area of cyber and critical technology is an emerging partnership that brings opportunities for strengthening both countries’ digital cooperation with Southeast Asian partners.
What are the digital economy, digital transformation and Industry 4.0?
There’s no agreed definition or framework that defines the digital economy. Different frameworks highlight, to varying degrees, macro policy foundations (such as competition, trade, governance), digital enablers (infrastructure, platform policies, skills, finance) and sectoral transformation (such as ICT applications in key economic sectors such as public services).7
Digital economy frameworks rarely consider the whole digital ecosystem and its interaction with the rest of the economy. The Asian Development Bank, for instance, has introduced the term ‘core digital economy’,8 which it defines as the contribution to GDP of any economic transaction involving both digital products and digital industries. In this report, we also consider wider aspects within the digital economy, including gender and inclusion.
Digital transformation refers to the process of moving from analogue to digital processes, integrating technology into working processes and, in its most advanced stages, doing so under the guidance of a strategy.
Industry 4.0 or the ‘fourth industrial revolution’ (4IR) refers to the application in industry of the convergence of physical and digital technologies. This can include artificial intelligence, machine learning, ‘internet of things’ (IoT) devices, advanced robotics, augmented reality, cloud computing, big data and analytics, and 3D printing.
The first section of the report reviews the enablers and attendant challenges of Southeast Asia’s digital economy, such as the supply of infrastructure, demand for digital services and general uptake of technology by individuals and businesses. In addition, it looks at intersecting policy issues that enable, support and sustain digital transformation, such as inclusivity; skills and talent; online security and safety; and regulations and governance. It then touches upon the region’s adoption of advanced technologies such as 5G and artificial intelligence (AI) that could equally be enablers of the region’s next leap in digital transformation.
The second section offers an overview of the pandemic’s effects on Southeast Asia’s digital landscape. Although there’s been continued investment into digital infrastructure, it shows there are fundamental weaknesses in the rate of digital growth within MSMEs.
The third section looks at a troika type of collaboration between India, Southeast Asia and Australia. As the digital development challenges faced by Southeast Asia are equally relevant to Australia and India, we provide a selection of relevant skills, expertise and flagship programs that India and Australia could contribute to the region in a common effort to adapt to a digital future that’s free, open and secure.
Finally, this report concludes with a set of policy recommendations for Australia and India on areas in which they could extend meaningful and targeted support to Southeast Asia’s digital economic recovery.
Download Report
This report continues with chapters on;
The state of digital Southeast Asia in 2021
The impact of Covid-19 on Southeast Asia’s digital landscape
India-Australia and cyber and technology cooperation in Southeast Asia
ASPI and ORF would thank all of those who peer reviewed drafts of this report, including Arindrajit Basu and Akshay Mathur, for their valuable feedback. We would also like to acknowledge the contributions of Baani Grewal, Samyak Leekha, Antara Vats, Ariel Bogle, Karly Winkler and Albert Zhang to this report. We are also grateful to the individuals consulted across government, industry and academia, including participants at the Southeast Asia Internet Governance Forum and the ASPI-ORF-hosted Track 1.5 Dialogue on Digital Southeast Asia that helped to shape and focus this report.
This report was commissioned by the Australian Department of Foreign Affairs and Trade (DFAT). The work of ASPI ICPC wouldn’t be possible without the support of our partners and sponsors across governments, industry and civil society.
A draft of this report was shared with DFAT and valuable comments were incorporated, but, as with all our research, ASPI remains fully independent in the editorial judgements and policy recommendations made by our authors.
About the Observer Research Foundation
ORF seeks to lead and aid policy thinking towards building a strong and prosperous India in a fair and equitable world. It sees India as a country poised to play a leading role in the knowledge age—a role in which it shall be increasingly called upon to proactively ideate in order to shape global conversations, even as India sets course along its own trajectory of long-term sustainable growth. ORF helps discover and inform India’s choices. It carries Indian voices and ideas to forums shaping global debates. It provides non-partisan, independent, well-researched analyses and inputs to diverse decision-makers in governments, business communities and academia and to civil society around the world. Our mandate is to conduct in-depth research, provide inclusive platforms and invest in tomorrow’s thought leaders today. ORF’s website is at https://www.orfonline.org/.
What is ASPI?
The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.
ASPI International Cyber Policy Centre
ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.
The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.
We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au
Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.
First published February 2022. ISSN 2209-9689 (online). ISSN 2209-9670 (print). Cover image: Wes Mountain.
Funding Statement: Funding support for this publication was provided by the Australian Department of Foreign Affairs and Trade
World Bank, The Human Capital Index 2020 update: human capital in the time of COVID-19, World Bank, Washington DC, 2020, online. ↩︎
Huong Le Thu, ‘Investing in Southeast Asia’s tech future’, in: Fergus Hanson, Danielle Cave, Madeleine Nyst (eds), The Sydney Dialogue: playbook, ASPI, Canberra, 19 November 2021, online. ↩︎
Google, Temasek, Bain & Company, e-Conomy SEA 2019, 2019, online; Cybersecurity in ASEAN: an urgent call to action, AT Kearney, 2018, online. ↩︎
‘Share of people vaccinated against COVID-19, Jan 18, 2022’, Our World in Data, 2022, online. ↩︎
‘Digital technologies’ refers to the electronic tools, systems, devices and resources that generate, store or process data. Their use requires a level of understanding of how information and communication technologies work and a degree of skill to engage with and create technology applications. ↩︎
Nagy K Hanna, ‘Assessing the digital economy: aims, frameworks, pilots, results, and lessons’, Journal of Innovation and Entrepreneurship, 2020, 9(16), online. ↩︎
Asian Development Bank (ADB), Capturing the digital economy: a proposed measurement framework and its applications—a special supplement to Key Indicators for Asia and the Pacific 2021, ADB, Manila, August 2021, online. ↩︎
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2025/03/14153918/pb57-DigitalSEAsia_banner.jpg8231588nathanhttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgnathan2022-02-10 06:00:002025-03-14 15:44:17Digital Southeast Asia
In line with previous Agenda for Change publications from 2016 and 2019, this piece is being released in anticipation of a federal election as a guide for the next government within its first months and over the full term. Our 2022 agenda acknowledges that an economically prosperous and socially cohesive Australia is a secure and resilient Australia.
ASPI’s Agenda for change 2019: strategic choices for the next government did, to a great extent, imagine a number of those challenges, including in Peter Jennings’ chapter on ‘The big strategic issues’. But a lot has changed since 2019. It was hard to imagine the dislocating impacts of the Black Summer fires, Covid-19 in 2020 and then the Delta and Omicron strains in 2021, trade coercion from an increasingly hostile China, or the increasingly uncertain security environment.
Fast forward to today and that also applies to the policies and programs we need to position us in a more uncertain and increasingly dangerous world.
Our Agenda for change 2022 acknowledges that what might have served us well in the past won’t serve us well in this world of disruption. In response, our authors propose a smaller number of big ideas to address the big challenges of today and the future. Under the themes of getting our house in order and Australia looking outward, Agenda for change 2022 focuses on addressing the strategic issues from 2021 and beyond.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/12220446/AgendaForChange2022-banner.jpg4501350nathanhttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgnathan2022-02-02 06:00:002025-03-06 15:15:30Agenda for change 2022: Shaping a different future for our nation
This report analyses two Chinese state-linked networks seeking to influence discourse about Xinjiang across platforms including Twitter and YouTube. This activity targeted the Chinese-speaking diaspora as well as international audiences, sharing content in a variety of languages.
Both networks attempted to shape international perceptions about Xinjiang, among other themes. Despite evidence to the contrary, the Chinese Communist Party (CCP) denies committing human rights abuses in the region and has mounted multifaceted and multiplatform information campaigns to deny accusations of forced labour, mass detention, surveillance, sterilisation, cultural erasure and alleged genocide in the region. Those efforts have included using Western social media platforms to both push back against and undermine media reports, research and Uyghurs’ testimony about Xinjiang, as well as to promote alternative narratives.
In the datasets we examined, inauthentic and potentially automated accounts using a variety of image and video content shared content aimed at rebutting the evidence of human rights violations against the Uyghur population. Likewise, content was shared using fake Uyghur accounts and other shell accounts promoting video ‘testimonials’ from Uyghurs talking about their happy lives in China.
Our analysis includes two datasets removed by Twitter:
Dataset 1: ‘Xinjiang Online’ (CNHU) consisted of 2,046 accounts and 31,269 tweets.
Dataset 2: ‘Changyu Culture’ (CNCC) consisted of 112 accounts and 35,924 tweets.
The networks showed indications of being linked by theme and tactics; however, neither achieved significant organic engagement on Twitter overall—although there was notable interaction with the accounts of CCP diplomats. There were signs of old accounts being repurposed, whether purchased or stolen, and little attempt to craft authentic personas.
Twitter has attributed both datasets to the Chinese government, the latter dataset is specifically linked to a company called Changyu Culture, which is connected to the Xinjiang provincial government. This attribution was uncovered by ASPI ICPC in the report Strange bedfellows on Xinjiang: the CCP, fringe media and US social media platforms.
Key takeaways
Different strands of CCP online and offline information operations now interweave to create an increasingly coordinated propaganda ecosystem made up of CCP officials, state and regional media assets, outsourced influence-for-hire operators, social media influencers and covert information operations.
The involvement of the CCP’s regional government in Xinjiang in international-facing disinformation suggests that internal party incentive structures are driving devolved strands of information operations activity.
The CCP deploys online disinformation campaigns to distract from international criticisms of its policies and to attempt to reframe concepts such as human rights. It aligns the timing of those campaigns to take advantage of moments of strategic opportunity in the information domain.
Notable features of these datasets include:
Flooding the zone: While the networks didn’t attract significant organic engagement, the volume of material shared could potentially aim to ‘bury’ critical content on platforms such as YouTube.
Multiple languages: There was use of English and other non-Chinese languages to target audiences in other countries, beyond the Chinese diaspora.
Promotion of ‘testimonials’ from Uyghurs: Both datasets, but particularly CNCC, shared video of Uyghurs discussing their ‘happy’ lives in Xinjiang and rebutting allegations of human rights abuses. Some of those videos have been linked to a production company connected to the Xinjiang provincial government.
Promotion of Western social media influencer content: The CNHU network retweeted and shared content from social media influencers that favoured CCP narratives on Xinjiang, including interviews between influencers and state media journalists.
Interaction between network accounts and the accounts of CCP officials: While the networks didn’t attract much organic engagement overall, there were some notable interactions with diplomats and state officials. For example, 48% of all retweets by the CNHU network were of CCP state media and diplomatic accounts.
Cross-platform activity: Both networks shared video from YouTube and Douyin (the Chinese mainland version of TikTok), including tourism content about Xinjiang, as well as links to state media articles.
Self-referential content creation: The networks promoted state media articles, tweets and other content featuring material created as part of influence operations, including Uyghur ‘testimonial’ videos. Similarly, tweets and content featuring foreign journalists and officials discussing Xinjiang were promoted as ‘organic’, but in some cases were likely to have been created as part of curated state-backed tours of the region.
Repurposed spam accounts: Accounts in the CNCC dataset tweeted about Korean television dramas as well as sharing spam and porn material before tweeting Xinjiang content.
Potential use of automation: Accounts in both datasets showed signs of automation, including coordinated posting activity, the use of four letter codes (in the CNHU dataset) and misused hashtag symbols (in the CNCC dataset).
Persistent account building: ASPI ICPC independently identified additional accounts on Twitter and YouTube that exhibited similar behaviours to those in the two datasets, suggesting that accounts continue to be built across platforms as others are suspended.
The Chinese party-state and influence campaigns
The Chinese party-state continues to experiment with approaches to shape online political discourse, particularly on those topics that have the potential to disrupt its strategic objectives. International criticism of systematic abuses of human rights in the Xinjiang region is a topic about which the CCP is acutely sensitive.
In the first half of 2020, ASPI ICPC analysis of large-scale information operations linked to the Chinese state found a shift of focus towards US domestic issues, including the Black Lives Matter movement and the death of George Floyd (predominantly targeting Chinese-language audiences). This was the first marker of a shift in tactics since Twitter’s initial attribution of on-platform information operations to the Chinese state in 2019. The party-state’s online information operations were moving on from predominantly internal concerns and transitioning to assert the perception of moral equivalence between the CCP’s domestic policies in Xinjiang and human rights issues in democratic states, particularly the US. We see that effort to reframe international debate about human rights continuing in these most recent datasets. This shift also highlighted that CCP information operations deployed on US social media platforms could be increasingly entrepreneurial and agile in shifting focus to take advantage of strategic opportunities in the information domain.
The previous datasets that Twitter has released publicly through its information operations archive focused on a range of topics of broad interest to the CCP: the Hong Kong protests; the Taiwanese presidential election; the party-state’s Covid-19 recovery and vaccine diplomacy; and exiled Chinese businessman Guo Wengui and his relationship with former Trump White House chief strategist Steve Bannon. The datasets that we examine in this report are more specifically focused on the situation in Xinjiang and on attempts to showcase health and economic benefits of CCP policies to the Uyghur population and other minority groups in the region while overlooking and denying evidence of mass abuse. In both datasets, the emblematic #StopXinjiangRumors hashtag features prominently.
Traits in the data suggest that this operation may have been run at a more local level, including:
the amplification of regional news media, as well as Chinese state media outlets
the involvement of the Xinjiang-based company Changyu Culture and its relationship with the provincial government, which ASPI previously identified in Strange bedfellows on Xinjiang: the CCP, fringe media and US social media platforms by linking social media channels to the company, and the company to a Xinjiang regional government contract
an ongoing attempt to communicate through the appropriation of Uyghur voices
the use of ready-made porn and Korean soap opera fan account networks on Twitter that were likely to have been compromised, purchased or otherwise acquired, and then repurposed.
The CCP is a complex system, and directives from its elite set the direction for the party organs and underlings to follow. Propaganda serves to mobilise and steer elements within the party structure, as well as to calibrate the tone of domestic and international messaging. The party’s own incentive structures may be a factor that helps us understand the potential regional origins of the propaganda effort that we analyse in this report, and have identified previously. The China Media Project notes, for example, that local party officials are assessed on the basis of their contribution to this international communication work. It’s a contribution to building Beijing’s ‘discourse power’ as well as showing obedience to Xi Jinping’s directions.
The data displays features of the online ecosystem that the party has been building to expand its international influence. The networks that we analysed engaged consistently with Chinese state media as well as with a number of stalwart pro-CCP influencers. One strand of activity within the data continues attempts to discredit the BBC that ASPI and Recorded Future have previously reported on, but the real focus of this campaign is an effort to reframe political discourse about the concept of human rights in Xinjiang.
The CNHU dataset, in particular, offers a series of rebuttals to international critiques of CCP policy in Xinjiang. As we’ve noted, the network was active on issues related to health, such as life expectancy and population growth. CCP policies in the region are framed as counterterrorism responses as a way of attempting to legitimise actions, while negative information and testimonies of abuse are simply denied or not reported. The accounts also seek to promote benefits from CCP policies in Xinjiang, such as offering education and vocational training. The BBC and former US Secretary of State Mike Pompeo—the former having published reports about human rights abuses in the region, and the latter having criticised the party’s policies in the region—feature in the data in negative terms. This external focus on the BBC and Pompeo serves to reframe online discussion of Xinjiang and distract from the evidence of systematic abuse. For the CCP, both entities are sources of external threat, against which the party must mobilise.
Methodology
This analysis uses a quantitative analysis of Twitter data as well as qualitative analysis of tweet content.
In addition, it examines independently identified accounts and content on Twitter, YouTube and Douyin, among other platforms, that appear likely to be related to the network.
Both datasets include video media. That content was processed using SightGraph from AddAxis. SightGraph is a suite of artificial-intelligence and machine-learning capabilities for analysing inauthentic networks that disseminate disinformation. For this project, we used SightGraph to extract and autotranslate multilingual transcripts from video content. This facilitated extended phases of machine-learning-driven analysis to draw out ranked, meaningful linguistic data.
Likewise, images were processed using Yale Digital Humanities Laboratory’s PixPlot. PixPlot visualises a large image collection within an interactive WebGL scene. Each image was processed with an Inception convolutional neural network, trained on ImageNet 2012, and projected into a two-dimensional manifold with the UMAP algorithm such that similar images appear proximate to one another.
The combination of image and video analysis provided an overview of the narrative themes emerging from the media content related to the two Twitter datasets.
Twitter has identified the two datasets for quantitative analysis as being interlinked and associated via a combination of technical and behavioural signals. ICPC doesn’t have direct access to that non-public technical data. Twitter hasn’t released the methodology by which this dataset was selected, and the dataset may not represent a complete picture of Chinese state-linked information operations on Twitter.
The Twitter takedown data
This report analyses the content summarised in Table 1.
Table 1: Twitter dataset summaries
In both datasets, most of the tweeting activity seeking to deny human rights abuses in Xinjiang appears to have started around 2020. In the CNHU dataset, accounts appear to have been created for the purpose of disseminating Xinjiang-related material and began tweeting in April 2019 before ramping up activity in January 2021. That spike in activity aligns with the coordinated targeting of efforts to discredit the BBC that ASPI has previously identified. While some accounts in the CNCC dataset may have originally had a commercial utility, they were probably repurposed some time before 19 June 2020 (the date of the first tweet mentioning Xinjiang and Uyghurs in the dataset) and shifted to posting Xinjiang-related content. Former Secretary of State Mike Pompeo gave his attention-grabbing anti-CCP speech in July 2020, and criticism of him features significantly in both datasets.
Previous ASPI analysis identified Twitter spambot network activity in December 2019 to amplify articles published by the CCP’s People’s Daily tabloid, the Global Times (figures 1 and 2). The articles that were boosted denied the repression of Uyghurs in Xinjiang and attacked the credibility of individuals such as Mike Pompeo and media organisations such as the New York Times. It isn’t clear whether that network was connected to the CNHU and CNCC datasets, but similar behaviours were identified.
Figure 1: Tweets per month, coloured by tweet language, in CNHU dataset
Figure 2: Tweets per month, coloured by tweet language, in CNCC dataset[fig2]
An overview of the tweet text in both datasets shows that topics such as ‘Xinjiang’, ‘BBC’, ‘Pompeo’ and ‘Uyghur’ were common to both campaigns (Figure 3). While there were some tweets mentioning ‘Hong Kong’, specifically about the Covid-19 response in that region, this report focuses on content targeting Xinjiang-related issues.
Figure 3: Topic summary of tweet text posted between December 2019 and May 2021
In early 2021, the #StopXinjiangRumors hashtag was boosted by both networks. Accounts in the CNHU dataset were the first to use the hashtag, and many accounts potentially mistakenly used double hashtags (‘##StopXinjiangRumors’). Accounts in the CNCC dataset that were batch created in February 2021 appear to have posted tweets using the hashtag and tagged ‘Pompeo’ following the tweets posted by accounts in the CNHU dataset. The use of the hashtags may be coincidental, but the similarity of timing and narratives suggests some degree of coordination. #StopXinjiangRumors continues to be a hashtag on Twitter (as well as YouTube and Facebook).
The rest of this report presents the key insights from the two datasets in detail.
Dataset 1: CNHU
Dataset 1: CNHU – Key points
Nearly one in every two tweets (41%) contained either an image or a video. There were in total 12,400 images and 466 videos in the CNHU dataset.
This video and image content was aimed broadly at pushing back against allegations of human rights abuses in Xinjiang, particularly by presenting video footage of ‘happy’ Uyghurs participating in vocational training in Xinjiang, as well as screenshots of state media and government events promoting this content.
The network promoted phrases commonly used in CCP propaganda about Xinjiang, such as ‘Xinjiang is a wonderful land’ (新疆是个好地方)—the eighth most retweeted hashtag in the CNHU dataset.
In total, 48% (1,308) of all retweets by the network were of CCP state media and diplomatic accounts. The Global Times News account was the most retweeted (287), followed by the account of Ministry of Foreign Affairs (MOFA) spokesperson Hua Chunying (华春莹) (108).
While the network shared links to state media, YouTube and Facebook, many videos shared in the CNHU dataset appeared to have originated from Douyin.
The network worked to promote state media. Of all the tweets, 35% had links to external websites—mostly to Chinese state media outlets such as the China Daily, the China Global Television Network (CGTN) and the Global Times.
The network showed potential indicators of automation, including coordinated posting, the appearance of randomised four-letter digit codes in some tweets, and watermarked images.
The network tweeted and shared content in a variety of languages, including using Arabic and French hashtags, suggesting that it was targeting a broad audience.
Dataset 2: CNCC
Dataset 2: CNCC – Key points
The CNCC dataset contained a considerable amount of repurposed spam and porn accounts, as well as content linked to Korean music and television.
While there was a small amount of content about Hong Kong and other issues, most of the non-spam content related to Xinjiang. Much of that content sought to present ‘testimonials’ from Uyghurs talking about their happy lives in China.
Some of this content may be linked to a company called Changyu Culture, which is connected to the Xinjiang provincial government and was funded to create videos depicting Uyghurs as supportive of the Chinese Government’s policies in Xinjiang.
The network had a particular focus on former US Secretary of State Mike Pompeo: @蓬佩奥 or @‘Pompeo’ appears 438 times in the dataset. Likewise, video content shared by the network referenced Pompeo 386 times.
Download Report & Dataset Analysis
Readers are encouraged to download the report to access the full dataset analysis.
Acknowledgements
The authors would like to thank the team at Twitter for advanced access to the two data sets analysed in this report, Fergus Hanson and Michael Shoebridge for review comments, and AddAxis for assistance applying AI in the analysis. ASPI’s International Cyber Policy Centre receives funding from a variety of sources, including sponsorship, research and project support from governments, industry and civil society. No specific funding was received to fund the production of this report.
What is ASPI?
The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.
ASPI International Cyber Policy Centre
ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.
The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors. We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au.
Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.
First published December 2021. ISSN 2209-9689 (online). ISSN 2209-9670 (print).
Cover image: Illustration by Wes Mountain. ASPI ICPC and Wes Mountain allow this image to be republished under the Creative Commons. License Attribution-Share Alike. Users of the image should use the following sentence for image attribution: ‘Illustration by Wes Mountain, commissioned by the Australian Strategic Policy Institute’s International Cyber Policy Centre.’
Funding Statement: No specific funding was received to fund production of this report.
Building an evidence base for an informed critical technologies strategy
Kitsch Liao, Dr Samantha Hoffman and Karly Winkler, with Baani Grewal, Cheryl Yu, Saki Kikuchi, Tilla Hoja, Matthew Page and Jackson Schultz.
What’s the problem?
Technology policy formulation has recently gained a renewed importance for governments in the era of strategic competition, but contextual understanding and expertise in deciding where to focus efforts are lacking. As a result, decision-makers might not understand their own national strengths and weaknesses. It’s difficult to judge whether a country’s R&D outputs, no matter how advanced, and its development of production capacity, no matter how significant, align with the country’s intended strategic objectives or can be used effectively to achieve them.
The ability to measure the relative strengths and weaknesses of a country by weighing specific strategic objectives against technical achievements is of paramount importance for countries.
This is especially true as nations seek to resolve supply-chain resilience problems underscored by the Covid-19 pandemic. China’s rejection of the Quad’s vision of a free and open Indo-Pacific, willingness to use economic coercion and the resulting strategic competition, call further attention to multiple technology sectors’ heavy reliance on a single source. A solution must be found that can exploit synergy across multiple technology sectors among collaborating countries while ensuring supply-chain resilience.
What’s the solution?
Governments’ ability to ensure that strategic objectives pertaining to critical technologies are both well articulated and achievable, and researchers’ and industry’s ability to collaborate in meeting those objectives, would be greatly enabled by the development of an objective and repeatable methodology for measuring technical achievements against clearly defined strategic goals for the critical technology sector. The most pressing challenge should be a relatively straightforward one to resolve: standardise metadata about national objectives and R&D efforts to enable business analysis.
The Quad Critical and Emerging Technology Working Group is an important step towards building collaboration in the research, development and production of critical technologies among like-minded governments. While in nascent stages, the group is gathering momentum and working towards addressing the September 2021 objective to monitor trends in critical and emerging technologies for cooperation, with an initial focus on biotechnology. We recommend as follows:
Conduct detailed analysis to understand current and emerging gaps in critical and emerging technologies, starting with biotechnology, among like-minded countries.
Develop a partnership between like-minded countries with advanced technological capabilities to deliver a secure technology supply chain for critical tech. This should include a commitment to a set of core principles for technology development and delivery, including ‘baking in’ democratic principles to the technology and agreeing to share any civilian advances on market terms and refrain from coercion.
Establish a Quad or Quad Plus critical technologies fund to which participating states pledge investment funds that are then disbursed to address current and emerging critical technologies gaps.
Introduction to the Benchmarking Critical Technologies Project
Benchmarking Critical Technologies is a pilot project at ASPI ICPC that examines the development of a handful of critical technologies in the context of strategic partnership and strategic competition.
‘Critical technologies’ broadly refers to strategically important technology areas.1 Australia, for example, defines ‘critical technology’ as ‘technology that can significantly enhance or pose risks to Australia’s national interests, including our prosperity, social cohesion and national security’.2 For this pilot study, we focus on the biotechnology and energy technology sectors in China and in the Quad— the quadrilateral Indo-Pacific diplomatic network consisting of Australia, India, Japan and the US.
This project will be expanded over the course of 2022 to include more technology areas and countries.
During the Quad Leaders’ Summit in March 2021, the Quad Critical and Emerging Technology Working Group was announced. The communiqué from the summit said that the working group was intended to ‘ensure the way in which technology is designed, developed, governed and used is shaped by the Quad countries’ shared values and respect for universal human rights’.3 The communiqué didn’t directly name China, but China was clearly implied in its pledge to recommit to ‘promoting the free, open, rules-based order, rooted in international law and undaunted by coercion, to bolster security and prosperity in the Indo-Pacific and beyond’.4
It’s clear that China is the key strategic competitor that the Quad countries are hedging against. They’re technology and manufacturing powerhouses with strong geopolitical influence in the region, which makes the competition both more important and more difficult. As the Quad works to develop capabilities in a range of critical sectors, the Quad members will need to also understand how to leverage each other’s strengths and overcome collective weaknesses to guarantee supply-chain resilience, among other strategic objectives.5 They will also need to triangulate the effects of each nation’s digital enmeshment in Chinese supply chains and the net effects of that in particular sectors.
There’s a lack of empirical data to ground decision-makers’ advice on everything from capability gaps to priority investment areas. This project is an attempt to begin to bring additional empirical data to the decision-making process. Our intent is to offer improved clarity on each country’s strengths and weaknesses in each critical technology. After consultation with the Australian Government, we decided to focus on hydrogen energy and solar photovoltaic (solar PV) technologies from the energy sector, and genetic engineering and vaccines and medical countermeasures in the biotechnology sector.
The broader technology areas that these specific technologies sit within are of clear strategic importance. The Quad Leaders’ Summit communiqué established that biotechnology would be the starting point for the Critical and Emerging Technology Working Group’s collaboration. It also highlighted, in the context of the recent COP26 conference, that the Quad would coordinate to ‘establish responsible and resilient clean-energy supply chains’.6
To assess national capabilities, we measured each country’s R&D and infrastructure development efforts using patent and patent impact data and academic impact data, and compared those results against the country’s technology-specific policy goals. For patents, we collected two measures for each critical technology: the quantity and quality of the patents. IP Australia provided ASPI ICPC with patent data to analyse the quantity of patents for each critical technology. Additionally, using the commercial product PatentSight developed by LexisNexis, we assessed patent quality with the Patent Asset Index (PAI).7 The tool assesses patent quality across various measures in the overall ecosystem of a technology field. Those measures are technology relevance (TR), indicating how much future patents in the field depended upon the patent; market coverage (MC), indicating how much of the global market the patent offers protection of; and competitive impact (CI), the aggregate of TR and MC indicating the economic value of the patent. The aggregate economic value of all patents in the field then constitutes the field’s PAI. For academic impact factors, we used the CiteScore (CS) methodology for measuring impact factors embedded within Elsevier’s Scopus commercial database product.
We also drew on background interviews with industry specialists and senior officials in relevant government departments. Budget data was more challenging to collect, normalise and assess.
Consequently, it isn’t treated as a separate metric, but included with general policy analysis. (For more on our methodology, see the Appendix.)
We recognise that both the policies and technologies on which we base our assessments are evolving. Technology development doesn’t always move in a linear trajectory, and current capabilities aren’t the only indicator of future outcomes. Moreover, the strategic interests and desired policy outcomes one country seeks might not align simply or easily with those of another. Therefore, it isn’t possible to directly compare countries against each other. Rather than arbitrarily rating each country’s progress against the others, we’ve rated each country’s progress in achieving the strategic objectives that it has outlined for each technology area (Figure 1). The progress indicator’s location should be interpreted as being dynamic, given that both policies and technologies will evolve.
Figure 1: Rating scale—country progress in meeting national policy objectives
Rating scale legend
Some high-level policy objectives specific to the technology area have been set, but there’s little evidence of efforts making progress towards meeting those objectives.
Despite the articulation of some policy objectives pertaining to the technology area, those are still relatively unclear. The country’s R&D and production capabilities don’t appear to be sufficient to contribute to realising the country’s stated policy objectives.
There’s some evidence that the country is developing actionable policy in the technology area. There’s clear progress in the country’s ability to contribute to the R&D of the technology, or production capacity. It isn’t clear, however, whether this progress aligns with the country’s stated policy objectives.
There’s evidence that stated policy objectives, research and investment are beginning to translate into aligning capabilities.
There’s strong evidence that stated policy objectives, research and investment have already translated into aligning capabilities.
Source: Image produced by ASPI.
Overall assessment
Quantity doesn’t mean quality, at least in terms of the way patents and research shift global knowledge and capabilities in the overall ecosystem of a technology field. Our findings on patent impact—measured by how often a patent is cited or purchased—highlighted that China, with the highest number of patent applications filed, didn’t have a correspondingly high impact factor. Australia and India, and to a lesser extent Japan, filed far fewer patents, but those few patents had impact more on par with US patents, which were high in both number and impact. One patent can significantly influence the evolution of a technology; others might incrementally advance knowledge or create offshoot fields. Impact factors in these types of analysis can be an objective measure for determining scientific advances or commercial success but aren’t necessarily useful in indicating whether national capabilities support policy objectives. If the point of benchmarking critical technologies capabilities at a national level is to understand what makes a country capable of meeting national policy objectives, competitive in a strategic competition and well placed to work with like-minded partners, then the ability of individual researchers or organisations to advance a technology field doesn’t tell us how competitive a country is in translating concepts to capabilities that align with its strategic objectives. For example, ASPI ICPC believes that in China, the disproportionately large number of patents filed internally is most likely attributable to companies patenting specific applications of technology. In the Quad, countries such as Australia and India have been more impactful for a fewer number of patent applications filed and research papers significantly advance the field.
Success in connecting policy objectives to outcomes isn’t yet entirely measurable. Our comparison of national policies pertaining to each critical technology we research shows that China, followed by the US, tends to have more clarity about what it seeks to achieve by investing in R&D and production capabilities, and following that up with actions that will achieve those objectives. India, Japan and Australia don’t lack policy development or innovative capacity, but we believe they have been less effective at connecting concepts to capability. This assessment is no doubt at least partially because the development of policy objectives postdates most of our data.
Metrics don’t explain the context in which innovation is taking place, including incentive structures, and how that affects a country’s ability to meet specific objectives. In China, the incentive structure is designed so that researchers are working to meet specific policy objectives. In fact, companies closely collaborate with the state in technical standards development. According to the revised 2017 Standardisation Law,8 the Standardisation Administration of China (an agency under the State Administration for Market Regulation) is required to oversee standards initiation and implementation, and in practice technical committees for standards setting under the Standardisation Administration tend to consist of both companies and research institutes. We believe the knock-on effect of the incentive structure in China is that the R&D base is disadvantaged, while companies and researchers focus on implementing specific applications of technology that meet policy needs. China’s National Patent Development Strategy (2011–2020) was designed as a ‘long-term and comprehensive plan to use the patent system and patent resources to enhance the country’s core competitiveness’.9 The strategy document prioritises ‘encourag[ing] and supporting[ing] enterprises to upgrade the core technologies and key technologies with patent rights in China’s advantageous fields to national and international standards’.10 We believe companies are seeking to achieve those objectives by owning the market first, and patents support that approach. They’re adding economic value by increasing the quantity of applications, and owning the market comes before efforts to refine the product. Many PRC-originated technologies are being exported globally (see ASPI ICPC’s Mapping China’s Tech Giants project), no matter what the overall quality of the product in comparison to competitors, and that proliferation is probably achieving some market power and incumbency. It’s a cumulative and individual challenge for the Quad nations to move more rapidly from concept to capability in order to avoid the PRC leading in meeting strategic objectives with that technology
Download
Readers are warmly encouraged to download the full report to access the detailed sector by sector analysis.
The Patent Search Strategy used in the formulation of the report is available for review here.
Acknowledgements
We acknowledge the assistance we have received from IP Australia, the Department of the Prime Minister and Cabinet, the Department of Industry, Science, Energy and Resources, and numerous interviewees and peer reviewers in policy and industry roles across the Quad.
Thank you to ASPI ICPC researcher Albert Zhang for assistance. We are grateful for the valuable comments and assistance provided by Fergus Hanson, Michael Shoebridge and Jocelinn Kang.
This project was supported through a $150,000 grant from the Department of the Prime Minister and Cabinet.
What is ASPI?
The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.
ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.
ASPI International Cyber Policy Centre
ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.
The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.
We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au
Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.
First published November 2021. ISSN 2209-9689 (online). ISSN 2209-9670 (print). Cover image: Leslie Sharpe.
Funding Statement: Funding support for this publication was provided by the Department of the Prime Minister and Cabinet.
‘What is a “critical technology”?’, in ‘Appendix A: National Critical Technologies List’, Clinton White House archives, online. ↩︎
Marise Payne, ‘Launch of the International Cyber and Critical Technology Engagement Strategy’, speech, 21 April 2021, online. ↩︎
Scott Morrison, ‘Quad Leaders’ Summit communique’, 24 September 2021, online. ↩︎
See, for instance, the Biden administration’s memorandum, ‘Multi-agency research and development priorities for the FY 2023 Budget’, August 2021, online; and the former Trump administration’s October 2020 list of critical and emerging technologies, online. ↩︎
For a more comprehensive definition and explanation of the methodology behind the Patent Asset Index, consult the product website, online. ↩︎
Standardisation Law of the People’s Republic of China, Standardisation Administration of China, 23 March 2018, online. The Standardisation Law was revised and adopted at a meeting of the Standing Committee of the National People’s Congress in November 2017 and came into force on 1 January 2018. ↩︎
‘National Patent Development Strategy (2011–2020)’ [‘全国专利事业发展战略(2011—2020年)’], China National Intellectual Property Administration, 18 November 2010, online. ↩︎
‘National Patent Development Strategy (2011–2020)’. ↩︎
This report provides a primer on the roots of the Cyberspace Administration of China (CAC) within China’s policy system, and sheds light on the Chinese Communist Party’s (CCP) intentions to use cyberspace as a tool for shaping discourse domestically and internationally.
The report details the position of the Cyberspace Administration of China in China’s propaganda system. Considering its origins in the former Party Office of External Propaganda, the authors argue that ‘countries that lack comprehensive cyber regulations should err on the side of caution when engaging with the CCP on ideas for establishing an international cyber co-governance strategy.’
By assessing the CCP’s strategy of becoming a ‘cyber superpower’, its principle of ‘internet sovereignty’, and its concept of ‘community of common destiny for cyberspace’, this report seeks to address how the CCP is working to build a consensus on the future of who will set the rules, norms and values of the internet.
The report also examines the World Internet Conference – a ‘platform through which the CCP promotes its ideas on internet sovereignty and global governance’ – and its links to the CAC.
Translated versions of this report are also available in Indonesian, Malaysian, Thai, and Vietnamese. The translation of these reports has been supported by the U.S. State Department.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/12/14214444/Chinas-cyber-vision_banner.png4501350nathanhttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgnathan2021-11-24 06:00:002024-12-14 21:48:04China’s cyber vision: How the Cyberspace Administration of China is building a new consensus on global internet governance
Media are invited to attend a special event featuring former US top cyber adviser Chris Painter hosted by ASPI’s International Cyber Policy Centre (ICPC) on the future of cyberspace and emerging technologies. Question our panel on some of the world’s pressing global issues including the impact of emerging tech on national security, cyber threats to our election process, the changing nature of cyber-conflict and the rise of censorship and strict information control in the Asia-Pacific.
Panel:
• Chris Painter, former US State Department Coordinator for Cyber Issues and White House Senior Director for Cybersecurity Policy; • Dr Tobias Feakin, Australian Ambassador for Cyber Affairs, Department of Foreign Affairs and Trade • Professor Elanor Huntington, Dean, College of Engineering and Computer Science, Australian National University • Fergus Hanson, Head of the International Cyber Policy Centre (chair)
Date: 28 February 2018 Time: 1630 – 1730 Venue: ASPI, Level 2, 40 Macquarie St Barton Canberra
A canapes and drinks reception will conclude the event. Chris Painter is in Australia as the inaugural distinguished fellow at ASPI’s International Cyber Policy Centre (ICPC). His visit is made possible thanks to the generous support of DFAT’s Cyber Affairs Special Visits Program, Macquarie Telecom Group and ICPC core sponsors
To register your attendance please contact:
Renee Jones, Events and Communications Manager, ASPI
E: reneejones@aspi.org.au
M: 0400 424 323
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/04/17135358/v2Artboard-1-copy-scaled.jpg8532560markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-02-27 17:36:002024-11-15 17:38:40ASPI Cyber Masterclass ‘In Conversation: The future of cyber and emerging technologies’
In this roundtable ASPI brings experts in international affairs and cyber affairs from think-tanks, research institutes and universities from across the ASEAN region together with representatives of ASEAN and ARF Member States, Industry and other non-governmental organisations.
The aim of the event is to discuss ways to move forward with confidence-building measures in cyberspace in our region. The end result is a set of practical policy recommendations that will be presented to the Summit delegations.
Date: 15 March Time: 1000 – 1500 Venue: International Convention Centre Sydney
This is an invitation-only event. Should you wish to attend, please contact Bart Hogeveen
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/04/17135358/v2Artboard-1-copy-scaled.jpg8532560markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-02-23 17:39:002024-11-15 17:41:18Roundtable on Practical Futures for Cyber Confidence Building in the ASEAN region
Australian Strategic Policy Institute’s International Cyber Policy Centre (ICPC) is pleased to announce Chris Painter – former State Department Coordinator for Cyber issues and former White House Senior Director for Cybersecurity Policy – as its inaugural distinguished cyber fellow for 2018.
Chris has been on the vanguard of US and international cyber issues for over 25 years – first as a leading federal prosecutor of some of the most high-profile cybercrime cases in the country, then as a senior official at the Department of Justice, the FBI, the National Security Council and finally as the world’s first top cyber diplomat at the State Department.
“I am very happy to come back to Australia and spend time with my friends at ASPI’s ICPC and my many friends and colleagues in government, business and civil society. Australia has always been a strong partner on cyber policy and combatting cyber threats. As technical and policy threats increase in cyberspace it is imperative that we work together to promote an open and secure cyberspace, promote stability in cyberspace, and find new ways to deter bad actors,” Chris Painter said.
“Chris has made an extraordinary contribution to the world of cyberspace and national security and we’re delighted to host him at ASPI. Chris’s research at the centre will look at some of the big strategic issues in cyber affairs,” Head of ICPC Fergus Hanson said.
Chris will be in Australia from the 20th Feb until the 10th March. He will participate in a range of meetings, roundtables and events including the ASPI Cyber Masterclass on 28 February. Watch our event page and @ASPI_ICPC for more information. For media enquiries please contact reneejones@aspi.org.au / 0400 424 323
Chris’s visit is made possible thanks to the generous support of DFAT’s Cyber Affairs Special Visits Program, Macquarie Telecom Group and ICPC core sponsors.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/04/17135358/v2Artboard-1-copy-scaled.jpg8532560markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-02-05 17:43:002024-11-15 17:44:53Top US cyber adviser Chris Painter announced as ASPI distinguished fellow
According to Tom Uren, cyber security expert from the Australian Strategic Policy Institute’s ‘International Cyber Policy Centre’, the discovery revealed potentially unknown bases. “It’s one thing to be able to see people walking in and out of offices in Canberra…it’s another thing to know where people run, where they go into buildings, and what buildings are important.” He described the map as piece of a puzzle “bad actors would try and use to further their ends”. “Anything that gives you a pattern of life can be used against you by bad actors. It makes it easier, and when you are making it easier for your opposition, that’s never a great thing.”
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/04/17135358/v2Artboard-1-copy-scaled.jpg8532560markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-01-30 17:58:002024-11-15 17:59:26US military to review policies after fitness tracker exposes base locations – Channel 9 News
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/04/17135358/v2Artboard-1-copy-scaled.jpg8532560markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-01-29 18:04:002024-11-15 18:05:54A fitness-tracking app has released data that reveals secret military bases – ABC Radio National
Danielle Cave, a senior analyst at the International Cyber Policy Centre at the Australian Strategic Policy Institute, called the heatmap an “open source intelligence gold mine”. She suggested the data also raised a cyber security risk. “A hacking group, state or non-state, could very easily now target Strava knowing how valuable the data is that they are holding,” she said. “If it does turn out that people can strip out the personal details of some of these Strava users, then I think it’s getting into a very dangerous place.”
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/04/17135358/v2Artboard-1-copy-scaled.jpg8532560markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-01-29 18:02:002024-11-15 18:03:51Strava has published details about secret military bases, and an Australian was the first to know – ABC News
The Australian Strategic Policy Institute’s (ASPI) International Cyber Policy Centre (ICPC) is pleased to announce it’s been awarded a 2018 Fulbright Specialist Grant. With this grant ICPC will bring out Elsa Kania, adjunct fellow in the Technology and National Security Program at the Center for a New American Security.
Elsa’s expertise lies in Chinese defence innovation and emerging technologies, particularly artificial intelligence. Her research interests include Chinese military modernisation, information warfare and defence science and technology. Her most recent publication “Battlefield Singularity: Artificial Intelligence, military revolution and China’s future military power” was accompanied by an essay in Foreign Affairs magazine.
Elsa is also an independent analyst, consultant and co-founder of the China Cyber and Intelligence Studies Institute (CCISI). A graduate of Harvard College, her thesis focused on the evolution of the PLA’s strategic thinking on information warfare. She speaks Mandarin and in 2014-15 was a Boren Scholar in Beijing.
ICPC senior analyst Danielle Cave said: “We are delighted to host Elsa Kania and her visit couldn’t be better timed. Last year, the Chinese Government committed to expand its AI industry to USD 150 billion by 2030. And as Elsa states in her recent report, the People’s Liberation Army ‘is pursuing advances in impactful and disruptive military applications of AI’. Such investments will have profound security, political, economic and social implications for the entire Asia-Pacific region. It’s imperative Australia invests in understanding how such emerging technologies will re-shape our economy and the potential impacts on regional security. Elsa is perfectly positioned to make a valuable and timely contribution as Australia, and our wider region, seek to navigate both the opportunities and challenges presented by the proliferation of AI technologies.”
Elsa will be in Australia from mid-March to mid-April. She will participate in ASPI events, roundtables and have meetings with government, business and civil society. Watch our event page and @ASPI_ICPC for more information. For event, meeting and media enquires please contact reneejones@aspi.org.au / 0400 424 323
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/04/17135358/v2Artboard-1-copy-scaled.jpg8532560markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-01-16 18:12:002024-11-15 18:14:29ASPI to bring out China defence & Artificial Intelligence specialist with Fulbright grant
China has responded angrily to Australia’s criticism of its loans and aid to Pacific island nations.
The Minister for International Development and the Pacific, Concetta Fierravanti-Wells, has raised concerns Chinese funds are being used to build unnecessary infrastructure and the developing nations will struggle to repay the resulting debts to China.
A Chinese Government spokesman says the Senator’s remarks are irresponsible and show little knowledge of the facts.
Fergus Hanson from the Australian Strategic Policy Institute says China regards its aid program as a state secret.
https://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/04/17135358/v2Artboard-1-copy-scaled.jpg8532560markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-01-16 14:08:002024-11-17 14:09:42China hits back over criticism of its aid to Pacific islands
During the Cold War, summit meetings between the United States and the Soviet Union were often dominated by agreements to set limits on nuclear weapons and the systems built to deliver them. The US and Russia still discuss these topics, but at their recent meeting in Geneva, US President Joe Biden and Russian President Vladimir Putin focused in no small part on how to regulate behaviour in a different realm: cyberspace. The stakes are every bit as high.
It’s not hard to see why. Cyberspace and the internet are central to the workings of modern economies, societies, political systems, militaries and just about everything else, which makes digital infrastructure a tempting target for those seeking to cause extraordinary disruption and damage at minimal cost.
Moreover, states and non-state actors can carry out cyberattacks with a high degree of deniability, which adds to the temptation to develop and use these capabilities. We know when and from where a missile is launched, but it can take a long time to discover that a cyberattack has occurred and figuring out who’s responsible can take even longer. Such a slow and uncertain attribution process can render the threat of retaliation, which is at the heart of deterrence, beyond reach.
What put this issue squarely on the agenda of the Biden–Putin meeting is that Russia has grown increasingly aggressive in cyberspace, whether by creating false accounts on social media to influence American politics or by gaining access to critical infrastructure, such as power plants. Reinforcing the issue’s salience is the reality that Russia is not alone: China reportedly gained access in 2015 to 22 million US government personnel files—which included information that could have helped it determine who was or is working for the US intelligence community.
Likewise, in 2014, North Korea attacked Sony (and compromised all sorts of private communications) in an effort to block distribution of a satirical film that depicted the assassination of the country’s leader. This all adds up to a latter-day Wild West, with many armed people operating in a space governed by few laws or sheriffs to enforce them.
Traditionally, the US has favoured a largely unstructured internet—‘open, interoperable, secure, and reliable’, according to a policy set a decade ago—in order to promote the free flow of ideas and information. But US enthusiasm for such an internet is waning as foes exploit this openness to undermine its democracy and steal intellectual property important to the functioning and comparative advantage of its economy.
The question—easier to pose than to answer—is where to draw lines and how to get others to accept them. For one thing, the US is not without its contradictions, as it, too, carries out espionage in cyberspace (think of it as the modern equivalent of steaming open envelopes to read someone else’s mail) and reportedly, along with Israel, installed malware to sabotage Iran’s nuclear weapons program. So, any ban on activities in cyberspace would presumably be partial.
One promising idea would be to follow up on what Biden and Putin discussed, namely, to ban the targeting of critical infrastructure, including but not limited to dams, oil and gas production facilities, electrical grids, healthcare facilities, nuclear power plants and nuclear weapons command and control systems, airports, and major factories. Cyber capability can become a weapon of mass destruction when such important sites are compromised.
Even with such an agreement, verifying compliance could prove impossible, so the US would also want to introduce a degree of deterrence to ensure that parties to such a pledge honour it. Deterrence could involve the declared willingness to carry out symmetrical responses: if you target or attack our critical infrastructure, we will do the same to yours. Deterrence could also be asymmetrical: if you target or attack our facilities, we will sanction you or target your interests elsewhere.
Any such agreement would also need to be buttressed by unilateral action, given the stakes and the reality that other agreements (such as China’s 2015 pledge not to steal intellectual property) have been violated. For example, the US would want to take steps to reduce the vulnerability of its high-value systems.
It would also be necessary to declare or negotiate that claims of ignorance or denials of government involvement in aggressive cyber activity, such as when Putin said his government had nothing to do with Russian ransomware attacks, will not be accepted. The analogy here is to terrorism: in the wake of the 9/11 attacks, the US made clear that it would not distinguish between terrorist groups or governments that provided them support or sanctuary. Russia would therefore be held accountable for the actions of groups acting from its territory. Insisting on accountability should increase Russia’s incentive to rein in such behaviour.
Over time, a US–Russia pact could serve as a model that could be joined by China, Europe and others. If it were extended to China, prohibitions on the theft of intellectual property (and penalties for violating the ban) could be added. None of this adds up to disarmament, but it is the cyber equivalent of arms control, which is as good a place to start as any.
http://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svg00markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2021-06-24 01:19:482021-06-24 01:19:48Taming the cyber wild west
It’s never easy being first. There are no playbooks to thumb through and no clear footprints to follow to let you know you’re on track, or even that you’re heading in the right general direction.
Six years ago, Australia’s eSafety Commissioner became the world’s first online safety regulator following the tragic death of TV presenter Charlotte Dawson.
Dawson, who had been very open about her struggles with mental illness, took her own life after being mercilessly trolled on Twitter. The outpouring of grief and anger that followed prompted the government to create a unique regulator with the sole aim of protecting citizens like Charlotte online.
Today, like most six-year-olds, we still have a long way to go and a lot to learn, but we’ve reached a point where we believe we have a successful and practical model in place focusing on three key areas—protection, prevention, and proactive and systemic change.
I’ll deal with protection first because our regulatory schemes represent the tip of the spear in our fight to protect Australians on the internet.
eSafety has a range of civil powers to compel the removal of illegal or harmful content, whether it’s child sexual abuse material, pro-terrorist content, the non-consensual sharing of intimate images or serious cyberbullying of a child.
We exist as a vital safety net for all Australians who have experienced abuse online and have nowhere else to turn.
And more and more Australians have come to us as the Covid-19 pandemic continues its stranglehold on the world and supercharges all forms of online harm.
eSafety took over the administration of Australia’s online content scheme in 2015. Since then, we’ve seen significant increases in reports of illegal online content, the majority of which concern child sexual abuse material.
But it’s safe to say 2020 was a year like no other.
As the world turned to the internet to continue to work, learn and communicate, we received 21,000 public reports of illegal online content, the most in the scheme’s 20-year history, and a 90% increase compared to 2019.
We also saw a 114% increase in reports of the non-consensual sharing of intimate images.
Serious cyberbullying of children was up by 30%, and the number of adults reporting online harassment to us increased by nearly 40%.
Sadly, we believe these elevated levels of online harm and abuse represent an alarming new normal.
That’s why our goal at eSafety is to prevent these online harms we see every day from happening in the first place.
We strive to achieve this through evidence-based research, education and community programs designed to target specific audiences giving people of all ages and backgrounds the right tools to protect themselves online.
For us, this starts with our early years program because we know 94% of 4-year-olds already have access to an internet-connected device.
And as they get older, we need to be teaching them the critical reasoning skills that will help them deal with the pressures and dangers that exist in the online world.
Fear-based messages don’t work and neither do one-off programs, so we need to be regularly reinforcing these important lessons in a positive, pragmatic and non-threatening way, and co-designing our programs with the audiences we are trying to reach.
But widespread cultural change takes time, and we can’t continue to lump the responsibility for online safety on the shoulders of users—particularly children and their often overwhelmed parents.
This is where I believe proactive and systematic change through something we call ‘safety by design’ will finally move the needle.
We’ve known the harms for over two decades and the tech companies are also aware of how their platforms have been weaponised.
We have spent the past three years working with big tech firms to lead them down a path that will fundamentally change how they design, develop and deploy their products, so now safety is at the core.
When we get into our cars, we almost take for granted that the brakes will work, the seatbelts will be effective and the air bags will deploy when needed.
We want similar safeguards to become standard in the online world.
Ultimately, we want to surface good practice and we want these innovations to be shared. During my tech industry days, we used to call it ‘coopetition’ and while we’ve seen this work with security and privacy, we’re yet to see it applied to online safety.
It’s time for this to change.
Technology never stays still for long and so we must also keep an eye on the digital horizon for new technologies heading our way, anticipating how they could be misused and weaponised to harm others.
From decentralised services to end-to-end encryption, online anonymity, new immersive technologies and the rise of deepfakes, we need to anticipate how they might be misused and how we can build safety features in before the genie can squeeze his way out of the bottle.
Since our humble beginnings in 2015, the rapid pace of technological change and the emergence of new platforms and services have given rise to new ways for people to interact online, but also new threats.
With this in mind, the government has proposed reforms to online safety legislation which will enable eSafety to better protect Australians of all ages and increase the pressure on companies to keep their users safe.
The Online Safety Bill 2021 proposes a new, world-first adult cyber-abuse scheme, along with an expanded child cyberbullying scheme that will branch out from social media platforms to also include games, websites and messaging services.
Under the new legislation, our 20-year-old online content scheme will be modernised, extending our takedown powers to tackle child sexual abuse, wherever the world it is hosted.
Regulatory pressure will be applied to industry to remove harmful content more swiftly, prioritise user safety and behave in line with community standards and expectations.
Our goal at eSafety has always been to make the internet a safer and more civil place for all Australians.
While we were the world’s first online safety regulator, we’re no longer alone in this fight. Fiji has set up its own commissioner and we’ve been in talks with Ireland, the United Kingdom, Canada and the United States about setting up theirs.
A playbook has now been written and it’s my hope our experience can act as a blueprint for others so that one day soon we will have a global network of online safety regulators all working together to keep us all safe on the internet.
At the recent Australian e-commerce summit, Prime Minister Scott Morrison praised technology adoption as a means of driving economic returns. Australia doesn’t need to be a Silicon Valley, he said, it just needs to be the best at adopting technology.
It’s worth digging into this, as the story around technology for economic development and national sovereignty is complex.
There are five main reasons to pursue a technology-adoption strategy.
The first tends to be maturity—or lack thereof. Start-ups, for example, will typically adopt a tech stack rather than try to build their own. It’s quicker and often cheaper, allowing them to prioritise the little capital they have. More often than not, such decisions are time-limited. There’s frequently an expectation that once a company gains sufficient momentum and income, it will build something that embeds or supports its specific product or service.
The second reason is related to the maturity issue—some organisations decide that technology is not a core competency. Technology in these cases is perceived as a cost centre and efficiency is the dominant paradigm. Short-term budgeting, an expenditure mindset and a lack of strategy also favour that approach.
Then there’s the fear of ‘orphans’, a third reason. Building bespoke platforms and systems risks undue reliance on unsupported and lagging technologies. Where there’s a lack of technological sophistication, or an unwillingness to invest in such capability, adopting an established platform and support may help resolve concerns over, for example, redundancy and security. It’s a form of risk transfer.
That can, however, lead to the fourth reason: capture. The costs of leaving a particular technology and adopting a new one, or building one’s own, may be too high, especially where more and more business functions become intertwined with and dependent upon the provider’s broader offerings and even good will. With few options, captured organisations may be subjected to price gouging and technological hand-me-downs. In the meantime, the chances are the workforce has become deskilled, weakening the organisation’s own bargaining position.
Last, there’s using adoption to access more advanced technology, and so better position the organisation or nation. That’s not advocated here but it’s an approach that may lend itself to a more unscrupulous strategy of reverse engineering the technology or systems, or simply stealing it and its intellectual property for business or national advantage.
The urgency in the prime minister’s speech reflects elements of the first and second and the more altruistic aspect of the fifth reason. Adoption is cheaper and faster than building, and it can give that leg-up to access new business.
Strategically, that’s not enough. Information technology is deeply embedded in our organisations, our personal lives and national well-being. Countries that see it primarily as a cost centre—or just ‘a magic box in the corner’—will weaken, become increasingly vulnerable in a competitive world, and fall behind.
True, adoption will always be part of a well-rounded, competitive approach to technology. It enables experimentation—a try-it-and-see approach to newer technologies. And it can help weaker players compete. But it cannot be the only, or even the primary approach in the modern world.
Adoption brings other attributes at which Australians may look askance. For example, as more and more AI is being built into and back-boxed with vendor’s platforms, it also embeds others’ assumptions, cultural norms and attributes. The government itself has pushed back on, for example, ‘high-risk vendors in 5G networks’ on security grounds.
Increasingly, the collection of personal data and the use of algorithms are being questioned, as with Facebook, Tik Tok and Tencent-associated games. Those are in the social domain: what about technologies that shape government decisions about welfare, taxation or security status?
Moreover, adoption means less control or visibility into the system’s operational analytics—often beaconed back to the company, which after all holds the intellectual property. There’s less insight into research or product roadmaps, which can limit planning, and as research and development is undertaken overseas, may constrain influence and capability-building as well.
Australia needs a strategy that makes it more than a technological dependant. That means more than adoption; it also means not cutting Australia off technologically or spending profligately in pursuit of a purely nationalist approach. Australia needs the best of both worlds: access to leading-edge technologies, while building a capability to support Australian interests. Government’s own use of technology cannot be dominated solely by an efficiency or convenience paradigm. Building your own can bring hard-won expertise that is hard to duplicate through other means.
Being able to design, develop and implement technologies, and contribute to the foundational science, is a key measure of sovereignty. There’s often a trade-off between sovereignty and income: sovereignty is a public good that can be costly to produce. On defence matters, Australian governments have frequently been willing to develop and build locally at increased economic cost. Developing technology with clear use cases has an economic and sovereignty multiplier effect beyond military capability.
Building local technologies is also soft power that contributes directly to hard power, especially in cyber as well as in emerging areas such as quantum computing and space capability. Such activity and knowhow forms a contribution to our existing alliances and may help build new ones. Helping to embed democratic values into technology—reflecting the importance of privacy, for example—helps withstand creeping techno-authoritarianism, aspects of which are already evident in our own societies.
Adoption-only—and even adoption-mainly—policies risk relegating Australia to the second and third tiers in a technologically competitive world. Such policies also mean accepting the cultural norms and priorities of others.
It need not be so. Australia could pursue strategic niches, much as Israel has done in defence and information technologies or the Netherlands in agri-food and horticulture, where there is market need, strategic drivers and a supportive ecosystem. It would mean investing in technology creation and adaptation, supporting venture capital, enabling the conditions for scaling, reducing regulation and creating a favourable taxation environment. That would allow Australia the options, not excluding adoption, for a more strategic approach to technology and help it avoid the capture trap.
http://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svg00markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2020-12-07 04:10:232020-12-07 04:10:23The strategic costs of adopting technology
To ensure the digital sovereignty of communities in northern Australia, intensive effort is needed to build greater digital capacity and the social infrastructure to enable it.
The region has long suffered from a digital deficit. Bridging the Rubicon of northern Australia’s digital divide with the rest of the country requires significant investment in broadband and telecommunications access in remote areas.
Equally important is the development of digital literacy, programming skills and policy frameworks to make sure that digital technologies work in the best interest of communities.
But northern Australian jurisdictions aren’t just sitting back waiting for the federal government to save the day. And there are big economic opportunities in the digital arena that the Northern Territory is keen to exploit.
For example, the Darwin Data Centre project is trying to leverage Darwin’s proximity to Asia and the fact that Singapore currently has a moratorium on new data centres to reduce energy use. A major advantage of Darwin as a location is that construction costs there are relatively low.
The NT government is planning to leverage the data centre to advance further industrial clusters that will add a new dimension to the territory’s traditional industrial profile of agriculture and mining.
Similarly, digitally dependent energy projects such as the Australian ASEAN Power Link—a massive solar farm between Darwin and Alice Springs connected to Singapore—will stabilise Darwin’s power supply and potentially open up a new avenue of energy export revenue for the region.
While these initiatives are a great start, the federal government needs to invest more in the social infrastructure of the north. One area ripe for further development is skills and education in STEM (science, technology, engineering and mathematics). In doing so, the government could be making a long-term investment in digital sovereignty initiatives by Indigenous Australians.
The concept of digital sovereignty has been advanced in various contexts to capture the interplay between social and digital infrastructure.
Because of the dominant position of digital companies (for example, Google, Apple, Facebook, Amazon) and the increasing presence of Chinese companies internationally (ByteDance, Alibaba, Tencent), the idea first emerged as a way to describe control over various digital domains.
These domains include ‘data, software (e.g. AI), standards and protocols (e.g. 5G, domain names), processes (e.g. cloud computing), hardware (e.g. mobile phones), services (e.g. social media, e-commerce), and infrastructures (e.g. cables, satellites, smart cities)’.
For consumers this means, most prominently, control over data. This does not necessarily entail individualised sovereignty over data, but looks to forms of collective ownership that can be put in place to ensure the collective wellbeing of a particular group.
In Indigenous Australia, this idea is playing out in variousinitiatives that act to ensure that data is controlled by communities, and is used to strengthen and advance the ability of Aboriginal and Torres Strait Islander communities to make their own decisions about their own development, justice and equality.
The Indigenous Data Network, supported by the federal government, aims to improve access to data and information-sharing between government and Indigenous organisations by assisting them to identify local solutions for local issues. There is a crossover here with efforts to include Indigenous knowledge systems in the design and function of AI-enabled systems—such as traditional land management practices in Kakadu—and in projects that seek to combat the overpolicing of Indigenous communities.
But at the most basic level, digital sovereignty means access to digital infrastructure, like mobile phones and internet connectivity in general. As government services and commerce are increasingly app- and web-based, gaps in access prevent remote communities from participating in and contributing to society. The provision of access needs to be accommodated to the ways in which Indigenous people currently use technology. For example, many families in remote areas share phones.
Researchers from the Cooperative Research Centre for Developing Northern Australia recently mapped the priorities to encourage investment in digital connectivity infrastructure and social infrastructure across the north. They found that large parts of the region lacked service and that the high cost of digital access was hampering businesses and communities. The report highlighted an urgent ‘need for digital knowledge and skills to be oriented towards, and taught in, local contexts as it is critical for workforce development’.
The study also identified the lack of an ‘overarching agenda for future-proofing northern Australia’s telecommunication and internet needs’. This is where the idea of digital sovereignty again comes into play. At the government level, access to, control over and regulation of critical digital infrastructure is a central issue, particularly when it comes to 5G and cloud computing.
Building the digital infrastructure of the north will play an important role in boosting the potential application of new technologies in the mineral, gas and agriculture sectors.
In the mineral and gas sectors, the lack of access to skills is one of the major impediments to take-up of new technologies. In agriculture, the National Farmers’ Federation has set an ambitious target of becoming a $100 billion sector by 2030. However, big goals in these sectors can only be met by more systematic approaches to building digital social and physical infrastructure.
http://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svg00markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2020-11-23 23:25:502020-11-23 23:25:50Advancing digital sovereignty in northern Australia
Australia’s 2020 cybersecurity strategy says the government will publicly call out, when it is in the nation’s interests to do so, countries responsible for unacceptable intrusions or activity. It’s appropriate for the world’s 13th largest economy to have that capability and to be prepared to use it. But what are the options for economies that are much smaller or less developed?
When an organisation or government detects malicious online activity or a breach of cybersecurity, the first question often asked is who is behind the attack. Significant resources and capabilities must then be engaged to identify and disable the perpetrator.
The quest to know one’s enemy makes sense for strategic reasons and also for assessment reasons. Knowing the origins or originator of an attack can facilitate counterattacks and enable assessments of whether it is a lone wolf, an issue-motivated group, an organised criminal syndicate or a state-sponsored actor. A country like Australia can choose either not to respond or to adopt ‘a range of targeted and decisive responses’. The diplomatic options range from keeping the knowledge confidential to public naming and shaming. For countries with lower capabilities, the options are more limited.
The confidential or ‘quiet diplomacy’ response to state-sponsored interference can be criticised as weak, ineffectual and unlikely to result in anything more than a denial from the accused government. While it might seem to be at the flaccid end of the spectrum of possible responses, a confidential response can nevertheless serve a useful purpose.
When one government tells another that it’s aware of malicious cyber activity originating from one of its agencies, it lifts the veil of anonymity and introduces a threat of consequences if the activity continues. At the very least, it introduces distrust, or affirms existing distrust, in the bilateral relationship, making attainment of foreign policy objectives more difficult. And if the bilateral relationship is already antagonistic or distrustful, the affected country might well be encouraged to opt for public naming and shaming, which has the added sting of informing and thereby warning the rest of the world.
But many countries—and especially small and developing countries (though not all developing countries)—lack the resources and capabilities to track and investigate the origins of a cyberattack or other malicious online activity. For these countries, the enemy remains unknown or, even if a nation is suspected, unverifiable. In other words, they have no actionable information.
Faced with an asymmetric threat, they may well heed the advice of Sun Tzu in The art of war and try to evade the enemy who is superior in strength. But what does a strategy of evasion look like for a country with a low level of cyber maturity that lacks effective cyber-related infrastructure, policies, legislation and organisations?
In an era when the international rules and norms governing relations between states are being challenged, strengthening the self-defence mechanisms of small and medium-sized countries becomes more urgent. Globally, most cybersecurity breaches are due to human error, such as employee negligence or malicious acts, rather than the vulnerability of computer systems. An evasion strategy needs a focus on human error and human behaviour to control cyber breaches. Countries with a low level of cyber maturity have limited response options, but raising cybersecurity awareness and encouraging safe online practices are within their reach.
In its international cyber engagement strategy, Australia commits to working with developing countries ‘to build their technical, legislative and institutional capacity to fight cybercrime’. The cyber cooperation program accompanying the strategy funds programs to implement this commitment. Both the strategy and the cooperation program recognise the importance of online security for economic development and the prevention of losses from cybercrime.
One of the first projects funded under the cooperation program was a cybersecurity capacity- and awareness-raising project in Myanmar led by Monash University in collaboration with Myanmar organisations. The primary aim of the project was to minimise ‘cyber errorism’, and rather than engender fear it provided actionable and doable information. More than seven million users were reached by the campaign. The main lesson learned was that for a campaign to be effective (that is, to change online behaviour) its design needs to based on a thorough understanding of the individual country’s situation, especially its level of cyber maturity, and cultural factors. And this requires locally designed and produced content.
Arguably, a focus on minimising human error through widespread adoption of safe online practices is a more feasible pathway to cybersecurity than a focus on institutional strengthening if capacity and incentives are weak and bureaucratic inertia make effective implementation uncertain.
That said, a cybersecurity strategy is strongest when it has many components, including public awareness, government and private sector cooperation, legislation, global harmonisation of cybercrime laws, and international cooperation. When a range of measures are assembled, the vulnerabilities are closed off and the nation’s or organisation’s defences against cyberattack and malicious online activity are strengthened and the unknown enemy can be evaded.
http://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svg00markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2020-09-02 03:10:252020-09-02 03:10:25Cybercrime, deterrence and evading attack
Discussions on technology and strategy in Canberra typically lead down one of three paths.
The first is military implications and applications, usually in the context of our relations with the United States.
The second is around trade and economics, recognising that our economy and prosperity are heavily dependent on the ideas, products and services of others.
The last is darker, involving arcane sources, secret places and foreign influence, and is focused on shutting doors and barring windows.
Along each of those paths, technology is understood as something external, ‘done’ or given to Australia by others. There’s no real sense of initiation or ownership. We’ve allowed ourselves to think of Australia essentially as a spectator rather than a participant in technological innovation.
While myopic, that approach was relatively harmless when technological development was strategically neutral. But it is no longer so.
Digital technologies, in particular, are a key arena of an accelerating great-power competition. That’s important, because digital technologies are deeply intertwined with our economies, our communities, our daily lives and even our identities. Our choice and use of these technologies will increasingly shape our social interactions and constrain our political decisions.
What are the choices before us? At present there are two Western models—the American and the Western European models—and an authoritarian model, increasingly dominated by China. Other nations generally fall into the category of ‘takers’.
Takers are characterised by technological weakness, with little industry and few platforms on which to build their own technological sphere—and low levels of interest in doing so. And, because of the increasing integration of technology, society and economy, they tend to assume the world view and governance habits of others.
Australia has only a fragile technology ecosystem of its own, and government is evincing little interest in supporting it to the extent needed for it to establish its own critical mass. Indeed, the overall trend for research and development expenditure is towards stasis, if not decline.
It’s interesting to consider Australia’s decision to exclude Huawei from the nation’s 5G network through that lens. Like the Assistance and Access Bill, it reflects the growing influence of internal security concerns among the Five Eyes partners. Yet neither decision motivated the Australian government to invest significantly in a technology industry or public sector capability to develop alternatives and provide greater autonomy over future options.
In short, Australia is a technology taker.
So, what options does Australia have to secure its future in a world of increasing technological determinism?
Well, old habits are hard to break. Following the American model—a focus on the technological, leaving people to sort out the consequences of new products and services—follows old, well-worn paths in national security, business and society.
However, Silicon Valley has come under sustained criticism from a wide section of the Australian community and government, on issues ranging from taxation to social media to national security. US defence technology is increasingly expensive and burdensome. We’ve accepted that in the past as a part of being an ally and a technology taker, but doing so may become more precarious, especially with volatility generated by President Donald Trump in the relationship.
What of the European model? Europeans tend to pay more attention to the social aspects of technology and the protection of personal data, and have a more inclusive decision-making process. In terms of personal liberties, that model probably has more to offer for strengthening Australian democracy in a digital age.
But Western Europeans are increasingly concerned with internal stability and coherence. Europe’s demographics and economies fall short of the social, economic and technical dynamism present in our own larger neighbourhood. Australia cannot rely on it shaping the future of the intersection of technology and society in our favour.
The Chinese model—aggressive use of technology for authoritarian purposes—is characterised by surveillance, behaviour modification, a denial of privacy or secrets for anyone other than the state, and the subservience of all industry, research, institutions, communities, people and data to the Chinese Communist Party.
Needless to say, that is fundamentally antithetical to Western concepts of democracy. And yet, it’s notable that those who are free with their criticism of American platforms, including Western governments, are hesitant to criticise the increasingly large and powerful—and CCP-supported—Chinese platforms.
Australians have not yet started to consider what a future liberal, Western digital democracy might look like in a world of technologically driven competition. So far, the dominant government policies on technology and society have been shaped by fear.
But security concerns alone should not dictate our future. Nor should national security be conflated with strategy and statecraft. Doing so makes it harder to resist increasingly authoritarian practices and mindsets, whether in response to internal or external threats.
Instead, Australia needs to establish its own counterweight.
We need a restatement of democratic values and norms, ones appropriate to a Western digital democracy. That cannot be left to the national security community. The debate has to be broad and inclusive, not least to build the mutual trust between government and citizen needed for functioning digital societies and economies.
We need to invest in research and development and in establishing a technological industry base in this country. If Finland and Estonia can do it, we surely can. We’ll need a different approach to government decision-making, to drive investment, outcomes and long-term accountabilities rather than focusing on simply short-term expenditure and efficiencies.
It also means investing more, not less, in public sector capabilities—deepening knowledge, and not just in defence and security—while supporting private sector opportunities.
Australia shares a common heritage and ideals with its Western counterparts. Facilitating links with European and US institutions and companies would help Australia bridge the technological divide, build capability, strengthen democracy and develop its own ethos.
Establishing a determined technology outreach effort into our immediate region, in ASEAN and in fellow democracies, would help to build a community of the like-minded. Here, Australia has much, if not more, to learn from its neighbours than it has to offer.
Australia should seek to offer a strengthened vision of the future, preferably among like-minded nations, in counterpoint to that offered by China and other authoritarian regimes, and one that reflects our own liberal democratic ideals.
Building a plausible counterweight will be hard: the hour is late and we’ve been dreadfully slow out of the starting gate. But the sooner Australia comes to grips with this new shaping of the world, the better we will be able to adapt, act and secure our future.
http://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svg00markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2020-01-21 19:00:532020-01-21 19:00:53Surviving in a world of sharper technological competition
In little more than a generation, the internet has become a vital substrate for economic, social and political interactions, and it has unlocked enormous gains. Along with greater interdependence, however, come vulnerability and conflict. Attacks by states and non-state actors have increased, threatening the stability of cyberspace.
In November, at the Paris Peace Forum, the Global Commission on the Stability of Cyberspace issued its report on how to provide an overarching cyberstability framework. Originally convened by the Dutch government three years ago, the multi-stakeholder GCSC (of which I was a member) had co-chairs from Estonia, India and the United States, and comprised former government officials, experts from civil society and academics from 16 countries.
Over the years, there have been numerous calls for laws and norms to manage the new international insecurity created by information technology, starting with Russian proposals at the United Nations two decades ago calling for a binding treaty. Unfortunately, given the nature of cyber weapons and the volatility of the technology, such a treaty would not be verifiable and would quickly become obsolete.
Instead, the UN set up a Group of Governmental Experts, which produced a non-binding set of norms in 2013 and 2015. The group was unable to issue a report in 2017, but its work continues with an expanded membership, and an open-ended working group, in which some 80 states participated last September, has joined it at the UN. In addition, UN Secretary-General António Guterres established a high-level group, which issued a report looking forward to a broader UN discussion in 2020.
The GCSC defines cyberstability as a condition in which individuals and institutions can be reasonably confident in their ability to use cyber services safely and securely, change is managed in relative peace, and tensions are resolved without escalation. Stability is based on existing international law, which, as the Group of Governmental Experts’ 2013 and 2015 reports affirmed, applies to cyberspace.
But a binding international legal treaty would be premature as the next step. Norms of expected behaviour can provide a flexible middle ground between rigid treaties and taking no action at all. As Michael Chertoff, one of the GCSC co-chairs and a former US secretary of homeland security, has explained, norms can exist in parallel with laws but are more dynamic in the face of rapidly changing technology.
The GCSC proposed eight norms to address gaps in previously declared principles and focused on technical issues that are fundamental to cyber stability. Such norms can be seen as common points of reference in the evolving political discussions.
The first norm is non-interference with the public core of the internet. While authoritarian and democratic states might disagree about free speech or regulation of online content, they can agree not to interfere with core features such as the domain name system, without which there would be no predictable interconnection across the network of networks that comprise the internet.
Second, state and non-state actors must not support cyber operations intended to disrupt the technical infrastructure essential to elections, referendums or plebiscites. While this norm doesn’t prevent all interference such as what happened in the US elections in 2016, it sets some bright lines around technical features.
Third, state and non-state actors should not tamper with goods and services in development or production if doing so may substantially impair the stability of cyberspace. Insecure supply chains present an important threat to stability.
Fourth, state and non-state actors should not commandeer the general public’s resources for use as botnets (cyber robots based on others’ machines but taken over without their knowledge or consent).
Fifth, states should create procedurally transparent frameworks to assess whether and when to disclose to the public vulnerabilities or flaws in information systems or technology. Such flaws are often the basis of cyber weapons. Hoarding such vulnerabilities for possible use in the future poses a risk to all. The presumption should be in favour of disclosure and patching.
Sixth, developers and producers of goods and services on which the stability of cyberspace depends should emphasise security, take reasonable steps to ensure that their wares are free from significant vulnerabilities, mitigate flaws when they are discovered, and be transparent about the process. All actors have a duty to share information on vulnerabilities to help mitigate malicious cyber activity.
Seventh, states should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene. Just like vaccinations prevent communicable diseases, so basic cyber hygiene can go a long way towards removing the low-hanging fruit that attracts cyber malefactors.
Lastly, non-state actors should not engage in offensive cyber operations, and state actors should prevent such activities and respond if they occur. Sometimes called ‘hacking back’, private vigilantism may escalate and pose a major threat to cyberstability. In the past, states condoned and even supported privateers upon the high seas, until they discovered that the risks of escalation and unwanted conflict were too high. The same could be said for stability in cyberspace.
These eight norms alone won’t ensure stability in cyberspace, but combined with norms, principles and confidence-building measures suggested by others, they could provide a start. In the long term, states observe norms of behaviour in order to improve coordination, manage uncertainty or preserve their reputations, or in response to internal pressures. The world is a long way from such a normative regime for cyberspace, but the GCSC has helped to nudge the process forward.
http://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svg00markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2019-12-06 00:00:552024-12-17 10:22:57Eight norms for stability in cyberspace
As China and Russia stepped up their offensive cyber capabilities, Australia responded in the 2016 defence white paper by investing $400 million in improving its ability to protect its own systems and to respond to attacks.
That included creating an Information Warfare Division in the Australian Defence Force with responsibility for both offensive and defensive cyber activities. The goal was to make the ADF, and the Department of Defence more broadly, an integral part of the nation’s cybersecurity capability.
The increased focus on cybersecurity was timely given Moscow’s escalating use of cyber tools for online influence operations and China’s open ambitions to become a ‘cyber superpower’. Last month’s revelation that hackers accessed the computer systems of Australian defence shipbuilder Austal underscores the need for the government to further increase Australia’s cyber capability—not just to harden public institutions against attacks, but to encourage and enable the private sector to do likewise.
Australia’s cyber defences can only be as good as the people employed to set them up and operate them. If the Information Warfare Division is going to generate an effective offensive and defensive cyber capability, it needs to attract skilled and intelligent young workers. Unfortunately, there’s already a shortage of cyber professionals in Australia and it will be difficult for the division to get the new talent it needs.
The division had 100 staff when it was launched in July 2017. In 2018, 49 Defence personnel graduated from the inaugural ‘Accelerated Defensive Cyber Training’ course, which the ADF plans to run again in 2019 and 2020. Unless it increases cohort sizes or runs more than one course a year, Defence won’t be able to generate the 900 staff that the division has aimed to recruit by 2027.
In fact, the division needs more than 900. A standing force of that size requires a supply pool of around 3,000 trained personnel to allow for leave, reassignment to other posts and turnover.
The announcement that Elbit Systems of Australia has been awarded a three-year contract to provide further cyber training to the ADF will go some way towards helping qualify the required number of operators. The 49 graduates of the accelerated training course will be the first personnel to use the new cyber training range.
Defence must ensure that high-ranking ADF members in command positions are also receiving cyber education and training so that they’re well equipped to effectively lead on cyber issues.
The cyber threats to Australia are only going to increase. Because the Information Warfare Division will be expected to contribute offensive cyber capabilities to the battlespace, the ADF will need to have a comprehensive policy and legislative framework governing the employment of offensive cyber in operations. The division needs clear direction and an actionable policy to be able to translate the government’s strategic intent into operational and tactical success.
If a clear policy framework isn’t developed that outlines how the ADF is to do this, there’s a risk that money and capability won’t be used effectively.
http://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svg00markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-12-20 01:30:272018-12-20 01:30:27The ADF’s Information Warfare Division needs more staff and a clear framework
During the initial wave of digital-transformation efforts, Australia developed an international reputation as an early leader. That peaked in around 1999.
While the different tiers of government (local, state and federal) and individual agencies have developed some impressive e-government platforms, a joined-up approach to e-government has so far remained elusive.
In a policy brief released today by ASPI’s International Cyber Policy Centre co-written with Estonia’s eGovernance Academy—the world leader in this field—we argue that it’s time for Australia to develop an integrated approach to e-government that joins up all services from all three levels of government. In Estonia, where e-government is something of a national passion, officials estimate that efficiencies derived from e-government reforms lift annual GDP by 2%.
The efficiency gains also make life easier for people and businesses. We’re all familiar with examples of government services that have been made things easier for us—whether it’s not having to go to a physical office to renew a driver’s licence or the ease of having your tax return populated automatically by the Tax Office. But there’s still plenty of clunkiness around. If you move from one state to another, you hit a bureaucratic brick wall. If you update your address details with your local council, the federal government agencies you deal with have no idea. Myriad other small efficiencies that would cumulatively save a huge amount of time are there to be made.
Some of the infrastructure needed for integrated e-government is already in place.
Two key enablers are mechanisms for digital identification and digital signatures.
Australia Post has already built an operational digital identity scheme known as Digital iD, and the government is trialling a second scheme known as Govpass. A separate ICPC policy brief has identified issues that need addressing in both these schemes, but the challenges are not insurmountable and digital identity remains essential for a 21st-century economy and integrated e-government.
Digital signatures are a little further off. The Electronic Transactions Act 1999 went some way towards introducing digital signatures in Australia, but we still lack a unique and hard-to-forge identifier that can be checked by the recipient. This is certainly on the radar of officials in Canberra but remains a work in progress.
The establishment of the Australian Digital Council, which met for the first time in September, is another useful piece of architecture. It is working to drive better federal and state government coordination on digital initiatives and could be a platform to begin discussions on full integration across all three levels of government.
There is no one-size-fits-all approach to integrated e-government, but there are some good principles that can be drawn from experiences abroad. One is the value of a decentralised approach, which was the route taken in Estonia. Facilitating secure data exchanges and interoperability between different government agencies doesn’t require the creation of a single database (a so-called superdatabase) that consolidates all the data from multiple databases. In fact, doing that poses serious security risks. A decentralised approach enables different databases and IT solutions in the different levels of government to ‘talk’ to each other securely and solves the problem of how to integrate the myriad government databases and systems that already exist.
Ensuring public trust is another, and here there’s obviously a bit of work to be done. When scheme after scheme falls over or the ground rules change (for example, opt in becomes opt out) people get frustrated. There’s also a deeper issue. Digital transformation is being developed from an agency- rather than people-centric viewpoint. The mission at present is to help a government agency do something more easily or to get more information. User experience is then designed through this narrow lens. The long-term effect of this approach is to gradually disempower people as more of their lives move beyond their control and they are effectively forced to participate in these disempowering schemes as other alternatives become too inconvenient.
A different approach would be to design digital transformation initiatives from the citizens’ perspective. What does that look like? It would mean providing people with easy and meaningful control over their data. It would mean giving citizens an online log every time their personal information is accessed by any arm of government or the private sector, with a one-click process for contesting any access they believe may be unauthorised. It would allow them to decide who can access different components of their data (such as individual records) and provide strong default settings to protect those who don’t bother to adjust their settings. It would mean amending the Privacy Act so that personal information can be reasonably protected in a 21st-century world. In short, it’s about getting in the corner of everyday citizens and empowering them, not the departments who serve them.
The vision across Australia to move government services online and create enabling infrastructure like digital identity is the right one, but we need to think bigger and go further. Launching a national effort to integrate service delivery across all three tiers of government would be a political challenge but it would deliver benefits for every Australian. We should try it.
http://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svg00markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-11-30 00:16:502018-11-30 00:16:50Introducing integrated e-government in Australia
To some fanfare, the White House announced a national cyber strategy last week. It breaks little new ground but still sends an important message that cyber continues to be a priority. Now action is needed to ensure it doesn’t become shelf-ware.
The Trump administration claimed this was the first such strategy since 2003 when President George W. Bush issued the National Strategy to Secure Cyberspace. That’s a little misleading. Though it wasn’t styled as a ‘strategy’ President Barack Obama issued a detailed cyberspace policy review within four months of taking office. He released the first international cyberspace strategy in 2011 and issued multiple cyber-focused executive orders and a cybersecurity action plan in 2016.
And my old office at the State Department, pursuant to a Congressional mandate, produced a wide ranging cyber strategy in 2015 that was far more detailed than this one. But every administration wants to claim it’s doing something new and different with little credit to what’s come before, so the branding here is hardly surprising. The new document is still very important because threats in cyberspace are increasing and it clearly defines this administration’s cyber policy. It doesn’t discard work and policy but builds on it.
The strategy comes almost two years into this administration, and a full year after a myriad of detailed reports were due from a host of federal agencies pursuant to the president’s executive order on strengthening cybersecurity last May. Those reports spanned the gamut from enhancing the cyber workforce to international engagement and deterrence in cyberspace.
Given the scope of those reports, one might assume that a strategy composed of their findings would be detailed and groundbreaking. With few exceptions however, it’s not. Instead it’s very high level, lacks detail and often restates past policies. In some areas, like articulating roles and responsibilities for federal agencies, it punts the hard issues, saying instead that these will be worked out in the future.
Hard as it is, defining roles and responsibilities, and who’s in charge of what, is central to an effective strategy. I expect that, as in the past, internecine turf wars (certainly not unique to cyber) made this too difficult. Still, if the National Security Council has a unique strength, it’s in resolving interagency battles. That’s become, I expect, a more difficult task given the abolition of the White House cyber coordinator role, and it’s disappointing that this could not be achieved with this document.
But, there’s a lot to like in this strategy even if it lacks real detail and often resorts to vague platitudes. It restates much of the US cyber canon, including the importance of internet freedom and the central role of multi stakeholder internet governance, welcome pronouncements to our allies and partners. That’s even more important now when attacks on the press and claims of ‘fake news’ often dominate the headlines and call into question our commitment to these ideals and when countries including China and Russia advance a contrary agenda of absolute internet sovereignty.
The strategy also sounds familiar themes on issues including the importance of battling cybercrime, concern about supply chain vulnerability, the need to strengthen cyber defences and the importance of public-private partnerships—all motherhood concepts of cyber doctrine. Condemnation of attempts by bad state actors to undermine our democracy is also welcome in the light of the president’s second guessing of Russia’s involvement.
Consistency with past practice shows we’re building on accomplishments and sends a strong message of continuity to our public and our partners. The very fact that the strategy’ been released sends a message that cyber continues to be a national priority. That’s especially helpful in light of the revelation in Bob Woodward’s book that the president characterised this area as ‘cyber sh*t’. Perhaps my favourite line in the strategy is ‘[c]yberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power’.
One of the critical shortcomings of past cyber policy is that senior decision-makers treat it as a bright shiny object that’s the purview of the technical rather than the policy community. I’ve long argued that integrating cyber as a core issue of national and economic security is fundamental to making real progress. Pretty words are one thing and action another. If the president doesn’t prioritise this area with resources and actions, or if he continues to undercut the messaging on Russian malign activity, all the words in the world will have little effect.
Some new points are noteworthy, but perhaps in tension. For one, the strategy includes the launch of an international cyber deterrence initiative and on the other, a relaxation of the rules governing retaliation, referenced in the strategy but largely articulated in National Security Advisor John Bolton’s ‘cyber-rattling’ comments at its launch.
I’m pleased that the strategy continues to emphasise the need for a cyber stability framework built, among other things, on voluntary norms of state behaviour, and for international engagement and capacity building. These have been staples of the US international program and leadership for many years. I was also happy to see an emphasis on deterrence, including aspiring to impose ‘swift, costly and transparent consequences when malicious adversaries harm the US or its partners’. That’s something, as I have written before, that we’re still not very good at.
While we’re getting better at naming and shaming some of those responsible for cyber events, that’s not sufficient to deter actors like Russia or North Korea. Real consequences for bad state behaviour that will affect their decision making is still desperately lacking. That creates the ‘norm’ that such bad behaviour is acceptable–or at least cost free.
The strategy seeks to address this, in part, through a new international cyber deterrence initiative that recognises that: ‘[t]he imposition of consequences will be more impactful and send a stronger message if it is carried out with a broader coalition of like-minded states.’ It seeks to build a coalition to collectively respond to shared threats by, among other things, coordinating responses, sharing intelligence, buttressing attribution, supporting each other’s responses and, most significantly, engaging in ‘joint imposition of costs against malign actors’. This emphasis on collective action and partnerships is a welcome counter to the prevailing narrative of ‘America alone’.
None of this is easy. Sharing information and coordinating action among disparate bureaucracies is difficult in the best of times but the building of this coalition was underway long before I left the State Department. This strategy gives it a welcome boost at a critical time. As the document was released, a large, multi-agency US delegation, and the delegations of numerous allies and partners, attended the Singapore International Cyber Week conference. It was a timely opportunity to progress this important initiative.
The other major development, that often overshadowed the strategy itself in media coverage, was Bolton’s statement that the rules governing the use of offensive cyber tools had been relaxed and that the White House ‘has authorised offensive cyber operations’ against US adversaries. The extent to which the rules have been relaxed and the nature of such operations remain unclear.
Like the 2011 International Strategy for Cyberspace, the new strategy says that all tools of national power, diplomatic, law enforcement, economic, cyber and military, can be used to respond to a cyber incident. Offensive cyber operations are an important part of this arsenal and their use in the right circumstances, consistent with international law, makes sense.
However, there are many unanswered questions, and some answers may have a negative impact on the international cyber deterrence initiative. Presumably this move does not mean that offensive cyber operations will be a tool of first resort. They should be reserved for when they are most effective. It’s widely accepted that the best response to a cyberattack is often not a cyber one. Cyber tools must be integrated into all our capabilities and not seen as some sort of magic button, particularly given that their use involves a fair amount of pre-planning. And despite the borderless nature of cyberspace, there’s a difference if such tools are used in adversary space or if they’re used to disrupt an adversary’s activities in neutral or friendly territory.
In an adversary’s space, the primary issue is escalation and that can be overcome with direct messaging. In third party space, unilateral cyber actions run the risk of damaging the alliances needed to take collective action against cyber and other threats, essentially making an international cyber deterrence initiative more difficult.
There may be times when the US needs to take unilateral action but in other cases it may be better to ask allies to employ their capabilities. How these diplomatic and partnership issues will be weighted and resolved in the new structure Bolton described is unclear, particularly when it’s reported that interagency consideration of these operations has been significantly curtailed. But failure to properly assess these issues risks the loss of the ability to respond collectively to incidents in the long term.
Inadvertent consequences, potential collateral damage, possible loss of control and retaliation and escalation must all be considered. Again, it’s not clear how the new structure will consider these issues. We need to develop and use these capabilities as part of an overall deterrence regime—but it’s important that they be integrated and balanced as one of many strategic responses.
The 2003 National Strategy to Secure Cyberspace was a generally good document and groundbreaking in its time. Yet, it was soon largely treated as shelf-ware, in part because folks were not ready to treat cyber as a priority and in part because there wasn’t consistent high-level implementation or emphasis. The new White House cyber strategy bears a lot of similarities to that document and, while cyber is now clearly in the mainstream, I fear it too will become little more than a collection of good words unless there’s a robust implementation plan, adequate resources and cybersecurity is made a real priority by the president himself.
While I’m heartened by innovations like the cyber deterrence initiative, actions like the slashing of funding undermines strong language in the strategy that capacity-building is vital. The cyber coordinator role in the White House has been abolished when the strategy suggests we need it most. And, 14 months after I left the State Department, it still hasn’t reestablished a high level cyber position despite the evident need for it made clear by the strategy. I want us to be effective. I want us to better deter cyber threats using all the tools at our disposal. We cannot afford to ignore this issue or be complacent and while a new strategy is an important milestone, it must be followed by concerted action and a real implementation plan.
http://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svg00markohttp://aspi.s3.ap-southeast-2.amazonaws.com/wp-content/uploads/2024/10/16232551/ASPI-CMYK_SVG.svgmarko2018-09-25 05:24:162018-09-25 05:24:16The White House cyber strategy: words must be backed by action