It’s never easy being first. There are no playbooks to thumb through and no clear footprints to follow to let you know you’re on track, or even that you’re heading in the right general direction.

Six years ago, Australia’s eSafety Commissioner became the world’s first online safety regulator following the tragic death of TV presenter Charlotte Dawson.

Dawson, who had been very open about her struggles with mental illness, took her own life after being mercilessly trolled on Twitter. The outpouring of grief and anger that followed prompted the government to create a unique regulator with the sole aim of protecting citizens like Charlotte online.

Today, like most six-year-olds, we still have a long way to go and a lot to learn, but we’ve reached a point where we believe we have a successful and practical model in place focusing on three key areas—protection, prevention, and proactive and systemic change.

I’ll deal with protection first because our regulatory schemes represent the tip of the spear in our fight to protect Australians on the internet.

eSafety has a range of civil powers to compel the removal of illegal or harmful content, whether it’s child sexual abuse material, pro-terrorist content, the non-consensual sharing of intimate images or serious cyberbullying of a child.

We exist as a vital safety net for all Australians who have experienced abuse online and have nowhere else to turn.

And more and more Australians have come to us as the Covid-19 pandemic continues its stranglehold on the world and supercharges all forms of online harm.

eSafety took over the administration of Australia’s online content scheme in 2015. Since then, we’ve seen significant increases in reports of illegal online content, the majority of which concern child sexual abuse material.

But it’s safe to say 2020 was a year like no other.

As the world turned to the internet to continue to work, learn and communicate, we received 21,000 public reports of illegal online content, the most in the scheme’s 20-year history, and a 90% increase compared to 2019.

We also saw a 114% increase in reports of the non-consensual sharing of intimate images.

Serious cyberbullying of children was up by 30%, and the number of adults reporting online harassment to us increased by nearly 40%.

Sadly, we believe these elevated levels of online harm and abuse represent an alarming new normal.

That’s why our goal at eSafety is to prevent these online harms we see every day from happening in the first place.

We strive to achieve this through evidence-based research, education and community programs designed to target specific audiences giving people of all ages and backgrounds the right tools to protect themselves online.

For us, this starts with our early years program because we know 94% of 4-year-olds already have access to an internet-connected device.

And as they get older, we need to be teaching them the critical reasoning skills that will help them deal with the pressures and dangers that exist in the online world.

Fear-based messages don’t work and neither do one-off programs, so we need to be regularly reinforcing these important lessons in a positive, pragmatic and non-threatening way, and co-designing our programs with the audiences we are trying to reach.

But widespread cultural change takes time, and we can’t continue to lump the responsibility for online safety on the shoulders of users—particularly children and their often overwhelmed parents.

This is where I believe proactive and systematic change through something we call ‘safety by design’ will finally move the needle.

We’ve known the harms for over two decades and the tech companies are also aware of how their platforms have been weaponised.

We have spent the past three years working with big tech firms to lead them down a path that will fundamentally change how they design, develop and deploy their products, so now safety is at the core.

When we get into our cars, we almost take for granted that the brakes will work, the seatbelts will be effective and the air bags will deploy when needed.

We want similar safeguards to become standard in the online world.

Ultimately, we want to surface good practice and we want these innovations to be shared. During my tech industry days, we used to call it ‘coopetition’ and while we’ve seen this work with security and privacy, we’re yet to see it applied to online safety.

It’s time for this to change.

Technology never stays still for long and so we must also keep an eye on the digital horizon for new technologies heading our way, anticipating how they could be misused and weaponised to harm others.

From decentralised services to end-to-end encryption, online anonymity, new immersive technologies and the rise of deepfakes, we need to anticipate how they might be misused and how we can build safety features in before the genie can squeeze his way out of the bottle.

Since our humble beginnings in 2015, the rapid pace of technological change and the emergence of new platforms and services have given rise to new ways for people to interact online, but also new threats.

With this in mind, the government has proposed reforms to online safety legislation which will enable eSafety to better protect Australians of all ages and increase the pressure on companies to keep their users safe.

The Online Safety Bill 2021 proposes a new, world-first adult cyber-abuse scheme, along with an expanded child cyberbullying scheme that will branch out from social media platforms to also include games, websites and messaging services.

Under the new legislation, our 20-year-old online content scheme will be modernised, extending our takedown powers to tackle child sexual abuse, wherever the world it is hosted.

Regulatory pressure will be applied to industry to remove harmful content more swiftly, prioritise user safety and behave in line with community standards and expectations.

Our goal at eSafety has always been to make the internet a safer and more civil place for all Australians.

While we were the world’s first online safety regulator, we’re no longer alone in this fight. Fiji has set up its own commissioner and we’ve been in talks with Ireland, the United Kingdom, Canada and the United States about setting up theirs.

A playbook has now been written and it’s my hope our experience can act as a blueprint for others so that one day soon we will have a global network of online safety regulators all working together to keep us all safe on the internet.

To ensure the digital sovereignty of communities in northern Australia, intensive effort is needed to build greater digital capacity and the social infrastructure to enable it.

The region has long suffered from a digital deficit. Bridging the Rubicon of northern Australia’s digital divide with the rest of the country requires significant investment in broadband and telecommunications access in remote areas.

Equally important is the development of digital literacy, programming skills and policy frameworks to make sure that digital technologies work in the best interest of communities.

But northern Australian jurisdictions aren’t just sitting back waiting for the federal government to save the day. And there are big economic opportunities in the digital arena that the Northern Territory is keen to exploit.

For example, the Darwin Data Centre project is trying to leverage Darwin’s proximity to Asia and the fact that Singapore currently has a moratorium on new data centres to reduce energy use. A major advantage of Darwin as a location is that construction costs there are relatively low.

The NT government is planning to leverage the data centre to advance further industrial clusters that will add a new dimension to the territory’s traditional industrial profile of agriculture and mining.

Similarly, digitally dependent energy projects such as the Australian ASEAN Power Link—a massive solar farm between Darwin and Alice Springs connected to Singapore—will stabilise Darwin’s power supply and potentially open up a new avenue of energy export revenue for the region.

While these initiatives are a great start, the federal government needs to invest more in the social infrastructure of the north. One area ripe for further development is skills and education in STEM (science, technology, engineering and mathematics). In doing so, the government could be making a long-term investment in digital sovereignty initiatives by Indigenous Australians.

The concept of digital sovereignty has been advanced in various contexts to capture the interplay between social and digital infrastructure.

Because of the dominant position of digital companies (for example, Google, Apple, Facebook, Amazon) and the increasing presence of Chinese companies internationally (ByteDance, Alibaba, Tencent), the idea first emerged as a way to describe control over various digital domains.

These domains include ‘data, software (e.g. AI), standards and protocols (e.g. 5G, domain names), processes (e.g. cloud computing), hardware (e.g. mobile phones), services (e.g. social media, e-commerce), and infrastructures (e.g. cables, satellites, smart cities)’.

For consumers this means, most prominently, control over data. This does not necessarily entail individualised sovereignty over data, but looks to forms of collective ownership that can be put in place to ensure the collective wellbeing of a particular group.

In Indigenous Australia, this idea is playing out in various initiatives that act to ensure that data is controlled by communities, and is used to strengthen and advance the ability of Aboriginal and Torres Strait Islander communities to make their own decisions about their own development, justice and equality.

The Indigenous Data Network, supported by the federal government, aims to improve access to data and information-sharing between government and Indigenous organisations by assisting them to identify local solutions for local issues. There is a crossover here with efforts to include Indigenous knowledge systems in the design and function of AI-enabled systems—such as traditional land management practices in Kakadu—and in projects that seek to combat the overpolicing of Indigenous communities.

But at the most basic level, digital sovereignty means access to digital infrastructure, like mobile phones and internet connectivity in general. As government services and commerce are increasingly app- and web-based, gaps in access prevent remote communities from participating in and contributing to society. The provision of access needs to be accommodated to the ways in which Indigenous people currently use technology. For example, many families in remote areas share phones.

Researchers from the Cooperative Research Centre for Developing Northern Australia recently mapped the priorities to encourage investment in digital connectivity infrastructure and social infrastructure across the north. They found that large parts of the region lacked service and that the high cost of digital access was hampering businesses and communities. The report highlighted an urgent ‘need for digital knowledge and skills to be oriented towards, and taught in, local contexts as it is critical for workforce development’.

The study also identified the lack of an ‘overarching agenda for future-proofing northern Australia’s telecommunication and internet needs’. This is where the idea of digital sovereignty again comes into play. At the government level, access to, control over and regulation of critical digital infrastructure is a central issue, particularly when it comes to 5G and cloud computing.

Building the digital infrastructure of the north will play an important role in boosting the potential application of new technologies in the mineral, gas and agriculture sectors.

In the mineral and gas sectors, the lack of access to skills is one of the major impediments to take-up of new technologies. In agriculture, the National Farmers’ Federation has set an ambitious target of becoming a $100 billion sector by 2030. However, big goals in these sectors can only be met by more systematic approaches to building digital social and physical infrastructure.

Discussions on technology and strategy in Canberra typically lead down one of three paths.

The first is military implications and applications, usually in the context of our relations with the United States.

The second is around trade and economics, recognising that our economy and prosperity are heavily dependent on the ideas, products and services of others.

The last is darker, involving arcane sources, secret places and foreign influence, and is focused on shutting doors and barring windows.

Along each of those paths, technology is understood as something external, ‘done’ or given to Australia by others. There’s no real sense of initiation or ownership. We’ve allowed ourselves to think of Australia essentially as a spectator rather than a participant in technological innovation.

While myopic, that approach was relatively harmless when technological development was strategically neutral. But it is no longer so.

Digital technologies, in particular, are a key arena of an accelerating great-power competition. That’s important, because digital technologies are deeply intertwined with our economies, our communities, our daily lives and even our identities. Our choice and use of these technologies will increasingly shape our social interactions and constrain our political decisions.

What are the choices before us? At present there are two Western models—the American and the Western European models—and an authoritarian model, increasingly dominated by China. Other nations generally fall into the category of ‘takers’.

Takers are characterised by technological weakness, with little industry and few platforms on which to build their own technological sphere—and low levels of interest in doing so. And, because of the increasing integration of technology, society and economy, they tend to assume the world view and governance habits of others.

Australia has only a fragile technology ecosystem of its own, and government is evincing little interest in supporting it to the extent needed for it to establish its own critical mass. Indeed, the overall trend for research and development expenditure is towards stasis, if not decline.

It’s interesting to consider Australia’s decision to exclude Huawei from the nation’s 5G network through that lens. Like the Assistance and Access Bill, it reflects the growing influence of internal security concerns among the Five Eyes partners. Yet neither decision motivated the Australian government to invest significantly in a technology industry or public sector capability to develop alternatives and provide greater autonomy over future options.

In short, Australia is a technology taker.

So, what options does Australia have to secure its future in a world of increasing technological determinism?

Well, old habits are hard to break. Following the American model—a focus on the technological, leaving people to sort out the consequences of new products and services—follows old, well-worn paths in national security, business and society.

However, Silicon Valley has come under sustained criticism from a wide section of the Australian community and government, on issues ranging from taxation to social media to national security. US defence technology is increasingly expensive and burdensome. We’ve accepted that in the past as a part of being an ally and a technology taker, but doing so may become more precarious, especially with volatility generated by President Donald Trump in the relationship.

What of the European model? Europeans tend to pay more attention to the social aspects of technology and the protection of personal data, and have a more inclusive decision-making process. In terms of personal liberties, that model probably has more to offer for strengthening Australian democracy in a digital age.

But Western Europeans are increasingly concerned with internal stability and coherence. Europe’s demographics and economies fall short of the social, economic and technical dynamism present in our own larger neighbourhood. Australia cannot rely on it shaping the future of the intersection of technology and society in our favour.

The Chinese model—aggressive use of technology for authoritarian purposes—is characterised by surveillance, behaviour modification, a denial of privacy or secrets for anyone other than the state, and the subservience of all industry, research, institutions, communities, people and data to the Chinese Communist Party.

Needless to say, that is fundamentally antithetical to Western concepts of democracy. And yet, it’s notable that those who are free with their criticism of American platforms, including Western governments, are hesitant to criticise the increasingly large and powerful—and CCP-supported—Chinese platforms.

Western companies have benefited from Chinese state control, for example, through ‘programmable labour’, the development of technologies facilitating surveillance or simply access to its market. And China offers a number of self-interested parties, whether governments, police forces or companies in competitive markets, a range of incentives, such as Belt and Road Initiative loans, state-subsidised technology and the means of monitoring and controlling citizenry.

Australians have not yet started to consider what a future liberal, Western digital democracy might look like in a world of technologically driven competition. So far, the dominant government policies on technology and society have been shaped by fear.

But security concerns alone should not dictate our future. Nor should national security be conflated with strategy and statecraft. Doing so makes it harder to resist increasingly authoritarian practices and mindsets, whether in response to internal or external threats.

Instead, Australia needs to establish its own counterweight.

We need a restatement of democratic values and norms, ones appropriate to a Western digital democracy. That cannot be left to the national security community. The debate has to be broad and inclusive, not least to build the mutual trust between government and citizen needed for functioning digital societies and economies.

We need to invest in research and development and in establishing a technological industry base in this country. If Finland and Estonia can do it, we surely can. We’ll need a different approach to government decision-making, to drive investment, outcomes and long-term accountabilities rather than focusing on simply short-term expenditure and efficiencies.

It also means investing more, not less, in public sector capabilities—deepening knowledge, and not just in defence and security—while supporting private sector opportunities.

Australia shares a common heritage and ideals with its Western counterparts. Facilitating links with European and US institutions and companies would help Australia bridge the technological divide, build capability, strengthen democracy and develop its own ethos.

Establishing a determined technology outreach effort into our immediate region, in ASEAN and in fellow democracies, would help to build a community of the like-minded. Here, Australia has much, if not more, to learn from its neighbours than it has to offer.

Australia should seek to offer a strengthened vision of the future, preferably among like-minded nations, in counterpoint to that offered by China and other authoritarian regimes, and one that reflects our own liberal democratic ideals.

Building a plausible counterweight will be hard: the hour is late and we’ve been dreadfully slow out of the starting gate. But the sooner Australia comes to grips with this new shaping of the world, the better we will be able to adapt, act and secure our future.

As China and Russia stepped up their offensive cyber capabilities, Australia responded in the 2016 defence white paper by investing $400 million in improving its ability to protect its own systems and to respond to attacks.

That included creating an Information Warfare Division in the Australian Defence Force with responsibility for both offensive and defensive cyber activities. The goal was to make the ADF, and the Department of Defence more broadly, an integral part of the nation’s cybersecurity capability.

The increased focus on cybersecurity was timely given Moscow’s escalating use of cyber tools for online influence operations and China’s open ambitions to become a ‘cyber superpower’. Last month’s revelation that hackers accessed the computer systems of Australian defence shipbuilder Austal underscores the need for the government to further increase Australia’s cyber capability—not just to harden public institutions against attacks, but to encourage and enable the private sector to do likewise.

Australia’s cyber defences can only be as good as the people employed to set them up and operate them. If the Information Warfare Division is going to generate an effective offensive and defensive cyber capability, it needs to attract skilled and intelligent young workers. Unfortunately, there’s already a shortage of cyber professionals in Australia and it will be difficult for the division to get the new talent it needs.

The division had 100 staff when it was launched in July 2017. In 2018, 49 Defence personnel graduated from the inaugural ‘Accelerated Defensive Cyber Training’ course, which the ADF plans to run again in 2019 and 2020. Unless it increases cohort sizes or runs more than one course a year, Defence won’t be able to generate the 900 staff that the division has aimed to recruit by 2027.

In fact, the division needs more than 900. A standing force of that size requires a supply pool of around 3,000 trained personnel to allow for leave, reassignment to other posts and turnover.

The announcement that Elbit Systems of Australia has been awarded a three-year contract to provide further cyber training to the ADF will go some way towards helping qualify the required number of operators. The 49 graduates of the accelerated training course will be the first personnel to use the new cyber training range.

Defence must ensure that high-ranking ADF members in command positions are also receiving cyber education and training so that they’re well equipped to effectively lead on cyber issues.

The cyber threats to Australia are only going to increase. Because the Information Warfare Division will be expected to contribute offensive cyber capabilities to the battlespace, the ADF will need to have a comprehensive policy and legislative framework governing the employment of offensive cyber in operations. The division needs clear direction and an actionable policy to be able to translate the government’s strategic intent into operational and tactical success.

If a clear policy framework isn’t developed that outlines how the ADF is to do this, there’s a risk that money and capability won’t be used effectively.

To some fanfare, the White House announced a national cyber strategy last week. It breaks little new ground but still sends an important message that cyber continues to be a priority. Now action is needed to ensure it doesn’t become shelf-ware.

The Trump administration claimed this was the first such strategy since 2003 when President George W. Bush issued the National Strategy to Secure Cyberspace. That’s a little misleading. Though it wasn’t styled as a ‘strategy’ President Barack Obama issued a detailed cyberspace policy review within four months of taking office. He released the first international cyberspace strategy in 2011 and issued multiple cyber-focused executive orders and a cybersecurity action plan in 2016.

And my old office at the State Department, pursuant to a Congressional mandate, produced a wide ranging cyber strategy in 2015 that was far more detailed than this one. But every administration wants to claim it’s doing something new and different with little credit to what’s come before, so the branding here is hardly surprising. The new document is still very important because threats in cyberspace are increasing and it clearly defines this administration’s cyber policy. It doesn’t discard work and policy but builds on it.

The strategy comes almost two years into this administration, and a full year after a myriad of detailed reports were due from a host of federal agencies pursuant to the president’s executive order on strengthening cybersecurity last May. Those reports spanned the gamut from enhancing the cyber workforce to international engagement and deterrence in cyberspace.

Given the scope of those reports, one might assume that a strategy composed of their findings would be detailed and groundbreaking. With few exceptions however, it’s not. Instead it’s very high level, lacks detail and often restates past policies. In some areas, like articulating roles and responsibilities for federal agencies, it punts the hard issues, saying instead that these will be worked out in the future.

Hard as it is, defining roles and responsibilities, and who’s in charge of what, is central to an effective strategy. I expect that, as in the past, internecine turf wars (certainly not unique to cyber) made this too difficult. Still, if the National Security Council has a unique strength, it’s in resolving interagency battles. That’s become, I expect, a more difficult task given the abolition of the White House cyber coordinator role, and it’s disappointing that this could not be achieved with this document.

But, there’s a lot to like in this strategy even if it lacks real detail and often resorts to vague platitudes. It restates much of the US cyber canon, including the importance of internet freedom and the central role of multi stakeholder internet governance, welcome pronouncements to our allies and partners. That’s even more important now when attacks on the press and claims of ‘fake news’ often dominate the headlines and call into question our commitment to these ideals and when countries including China and Russia advance a contrary agenda of absolute internet sovereignty.

The strategy also sounds familiar themes on issues including the importance of battling cybercrime, concern about supply chain vulnerability, the need to strengthen cyber defences and the importance of public-private partnerships—all motherhood concepts of cyber doctrine. Condemnation of attempts by bad state actors to undermine our democracy is also welcome in the light of the president’s second guessing of Russia’s involvement.

Consistency with past practice shows we’re building on accomplishments and sends a strong message of continuity to our public and our partners. The very fact that the strategy’ been released sends a message that cyber continues to be a national priority. That’s especially helpful in light of the revelation in Bob Woodward’s book that the president characterised this area as ‘cyber sh*t’. Perhaps my favourite line in the strategy is ‘[c]yberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power’.

One of the critical shortcomings of past cyber policy is that senior decision-makers treat it as a bright shiny object that’s the purview of the technical rather than the policy community. I’ve long argued that integrating cyber as a core issue of national and economic security is fundamental to making real progress. Pretty words are one thing and action another. If the president doesn’t prioritise this area with resources and actions, or if he continues to undercut the messaging on Russian malign activity, all the words in the world will have little effect.

Some new points are noteworthy, but perhaps in tension. For one, the strategy includes the launch of an international cyber deterrence initiative and on the other, a relaxation of the rules governing retaliation, referenced in the strategy but largely articulated in National Security Advisor John Bolton’s ‘cyber-rattling’ comments at its launch.

I’m pleased that the strategy continues to emphasise the need for a cyber stability framework built, among other things, on voluntary norms of state behaviour, and for international engagement and capacity building. These have been staples of the US international program and leadership for many years. I was also happy to see an emphasis on deterrence, including aspiring to impose ‘swift, costly and transparent consequences when malicious adversaries harm the US or its partners’. That’s something, as I have written before, that we’re still not very good at.

While we’re getting better at naming and shaming some of those responsible for cyber events, that’s not sufficient to deter actors like Russia or North Korea. Real consequences for bad state behaviour that will affect their decision making is still desperately lacking. That creates the ‘norm’ that such bad behaviour is acceptable–or at least cost free.

The strategy seeks to address this, in part, through a new international cyber deterrence initiative that recognises that: ‘[t]he imposition of consequences will be more impactful and send a stronger message if it is carried out with a broader coalition of like-minded states.’ It seeks to build a coalition to collectively respond to shared threats by, among other things, coordinating responses, sharing intelligence, buttressing attribution, supporting each other’s responses and, most significantly, engaging in ‘joint imposition of costs against malign actors’. This emphasis on collective action and partnerships is a welcome counter to the prevailing narrative of ‘America alone’.

None of this is easy. Sharing information and coordinating action among disparate bureaucracies is difficult in the best of times but the building of this coalition was underway long before I left the State Department. This strategy gives it a welcome boost at a critical time. As the document was released, a large, multi-agency US delegation, and the delegations of numerous allies and partners, attended the Singapore International Cyber Week conference. It was a timely opportunity to progress this important initiative.

The other major development, that often overshadowed the strategy itself in media coverage, was Bolton’s statement that the rules governing the use of offensive cyber tools had been relaxed and that the White House ‘has authorised offensive cyber operations’ against US adversaries. The extent to which the rules have been relaxed and the nature of such operations remain unclear.

Like the 2011 International Strategy for Cyberspace, the new strategy says that all tools of national power, diplomatic, law enforcement, economic, cyber and military, can be used to respond to a cyber incident. Offensive cyber operations are an important part of this arsenal and their use in the right circumstances, consistent with international law, makes sense.

However, there are many unanswered questions, and some answers may have a negative impact on the international cyber deterrence initiative. Presumably this move does not mean that offensive cyber operations will be a tool of first resort. They should be reserved for when they are most effective. It’s widely accepted that the best response to a cyberattack is often not a cyber one. Cyber tools must be integrated into all our capabilities and not seen as some sort of magic button, particularly given that their use involves a fair amount of pre-planning. And despite the borderless nature of cyberspace, there’s a difference if such tools are used in adversary space or if they’re used to disrupt an adversary’s activities in neutral or friendly territory.

In an adversary’s space, the primary issue is escalation and that can be overcome with direct messaging. In third party space, unilateral cyber actions run the risk of damaging the alliances needed to take collective action against cyber and other threats, essentially making an international cyber deterrence initiative more difficult.

There may be times when the US needs to take unilateral action but in other cases it may be better to ask allies to employ their capabilities. How these diplomatic and partnership issues will be weighted and resolved in the new structure Bolton described is unclear, particularly when it’s reported that interagency consideration of these operations has been significantly curtailed. But failure to properly assess these issues risks the loss of the ability to respond collectively to incidents in the long term.

Inadvertent consequences, potential collateral damage, possible loss of control and retaliation and escalation must all be considered. Again, it’s not clear how the new structure will consider these issues. We need to develop and use these capabilities as part of an overall deterrence regime—but it’s important that they be integrated and balanced as one of many strategic responses.

The 2003 National Strategy to Secure Cyberspace was a generally good document and groundbreaking in its time. Yet, it was soon largely treated as shelf-ware, in part because folks were not ready to treat cyber as a priority and in part because there wasn’t consistent high-level implementation or emphasis. The new White House cyber strategy bears a lot of similarities to that document and, while cyber is now clearly in the mainstream, I fear it too will become little more than a collection of good words unless there’s a robust implementation plan, adequate resources and cybersecurity is made a real priority by the president himself.

While I’m heartened by innovations like the cyber deterrence initiative, actions like the slashing of funding undermines strong language in the strategy that capacity-building is vital. The cyber coordinator role in the White House has been abolished when the strategy suggests we need it most. And, 14 months after I left the State Department, it still hasn’t reestablished a high level cyber position despite the evident need for it made clear by the strategy. I want us to be effective. I want us to better deter cyber threats using all the tools at our disposal. We cannot afford to ignore this issue or be complacent and while a new strategy is an important milestone, it must be followed by concerted action and a real implementation plan.