I read Geoff Slocombe’s recent post about quantum computing with interest and, I’ll admit, a little skepticism. While there’s no doubt that practical quantum computing would represent a significant step forward in computing power, there are still some struggles ahead to realise a device with enough qubits to do useful calculations and that’s stable enough to provide reliable service. When quantum systems interact with the outside world they tend to stop what they’re doing—not a great feature in a computer.

My hunch is that quantum computing will prove to be similar to energy generation through nuclear fusion—well understood from a theoretical point of view, entirely possible in principle, able to be demonstrated on a laboratory scale, but difficult to implement practically. Fusion power has been ‘a few decades away’ for much more than a few decades now, and no fusion reactor has yet been able to generate more energy than is required to run it. Some engineering problems are just really hard. Quantum computing might be one of them.

I’ve now set myself up to be proven dramatically wrong on not one but two major technologies, with my only protection from Clarke’s First Law being that no one’s ever likely to call me ‘distinguished’. So I’d better hedge and say prudent planning allows for the possibility of clever people solving difficult problems, and that it’s worth thinking about the potential impact of the maturation of either or both. I’ll come back to fusion in another post, but one of the hedging strategies against the development of quantum computing was in the news earlier this month, as China announced the launch of the world’s first quantum communication satellite.

I say ‘hedging’ because quantum computing threatens the security of one of the standard approaches to cryptography. Public key encryption is the foundation of internet security, and avoids having to securely distribute the digital equivalent of codebooks to users everywhere. A leading public key method relies on it being much easier to multiply two large prime numbers than to split an even larger number into prime factors.

There’s no mathematical law that precludes the possibility of a smart person finding a really neat trick for factoring big numbers, but no one has so far. Given the time mathematicians have spent studying number theory, it’s a fair bet it’s not going to happen. (I’m tempting Clarke again.) But a big enough quantum computer factorises much faster than existing computers, threatening the security of today’s communication. Needless to say, that has the attention of people whose job it is to keep information secure.

It turns out that there’s an answer to the potential problem, and again it comes from a property of the quantum world. If you can set up a channel that reliably allows the passage of quantum information (information that isn’t a string of zeroes or ones, but a string of various mixes of zeroes and ones) then you can send strings of digits and be sure that no one has intercepted them. That’s because the act of reading a quantum message intrinsically changes it, effectively destroying its content. And because of what’s called the ‘no cloning theorem, the eavesdropper can’t reconstruct the string and send it on to the unsuspecting recipient. By this method cryptographic keys can be distributed with absolute security. A bad guy can interfere with the communication of the key, but can’t steal it.

It turns out that engineering quantum communication is much less difficult (the word ‘easy’ probably shouldn’t be applied to any of these techniques) than quantum computing. For example, the transmission along fibre optic cables of sequences of single photons of light with useful quantum properties is now well-established. That’s the basis of the 2013 Australian Government Quantum Network project to link Parliament House with other government organisations in Canberra. A prototype system was running in the US several years before that and China has ambitious plans for a secure internal network.

Bumping up against the real world tends to cause photons signals to lose their initial quantum state, and a cable length of 250 kilometers still represents a significant achievement. But scientists are still making steady progress; a German group has demonstrated the transmission of quantum signals from an aircraft to a ground station 20km away, and others have done the same between fixed ground stations 144km apart. The Chinese satellite system would use encoded light pulses to communicate with the ground. Given progress elsewhere, if we take the Chinese explanation for the satellite at face value, either it’s experimental, or the Chinese are a few steps ahead of the pack.

Quantum communication requires a dedicated communication channel, so it’s not a solution for the internet. But it’ll work for governments and militaries keen to protect their information. It seems that quantum communication could negate one of the big selling points of quantum computers even before they arrive on the scene.

Las Vegas was the place to be last week, with the world’s largest annual hacker conferences, Black Hat and Defcon, taking over the town. The events unearthed lots of cyber gossip, but it was the world’s first machine-only hacking competition that stole the show. DARPA’s Cyber Grand Challenge pitted seven ‘cyber reasoning systems’ against each other to assess their ability to detect software vulnerabilities and write new security patches without human assistance. The automated computers were confronted with modified versions of historic bugs, including Heartbleed, Sendmail crackaddr and the Morris Worm. Carnegie Melon’s ‘Mayhem’ won the US$2 million prize, and even briefly held a lead on a human team in a separate hacking event—before eventually coming last. This sort of artificial intelligence isn’t intended to replace human analysis, but the success of the Challenge confirmed the utility of automated network defence and the assistance that such systems can offer in network protection. Other highlights from the desert include flying laptops, the return of the Jeep hackers, the rise of automated spear-phishing Twitter bots, and how to hack your way into first class airline lounges.

It was at the Black Hat conference that Apple announced its first ever bug bounty program. Ivan Krstic, Apple’s head of security engineering and architecture, revealed that Apple will start offering up to US$200,000 to hackers who report undiscovered security vulnerabilities in Apple’s software. After years of refusing to pay independent researchers and relying instead on internal security efforts, Apple will start the program next month on an invitation-only basis. In doing so, it joins the ranks of many other large tech companies that offer rewards for cybersecurity detective work, including Google, Microsoft and Facebook. Fancy yourself a white hat hacker? Well, check out Bugcrowd’s up-to-date inventory of live bug bounty programs. Happy hunting!

Rumours are circling that the Obama administration is planning to elevate the powers of the Pentagon’s Cyber Command. There are preparations to separate Cybercom from the NSA into a separate and more influential Unified Combatant Command. Rejigging the organisational structure appears necessary to improve Cybercom’s performance, as the shortcomings of its current online campaign against ISIS are drawing criticism from military leaders. Standby for confirmation of this change from the White House.

Cyber continues to bubble up in the US elections. The recent hack of the Democratic National Committee’s network has generated concerns over the security of the electronic voting technology. The Obama administration is considering the possibility of designating the electronic ballot-casting system as ‘critical infrastructure’. Doing so would allow the Department of Homeland Security to take more robust measures to protect the system, which Secretary Jeh Johnson described as part of the US’ ‘vital national interest’. Those discussions join a long election dialogue on cybersecurity that has included Clinton’s email misdemeanours, the DNC hack, Trump inciting Russian hackers and the respective policy positions of both candidates. Cybersecurity expert and founder of both Black Hat and Defcon, Jeff Moss, has publicly endorsed Clinton, despite her online blunders—better the devil you know. But then again, who could go past Trump’s profound value-add last month when he announced, ‘I am a fan of the future, and cyber is the future’…

As the host of the 2016 Summer Olympic Games, Rio has needed to up its cybersecurity game. Large scale sporting events bring with them an increased volume of online activity and are naturally attractive to cybercriminals. A report from security firm Fortinet reveals a spike in malicious online activity such as online payment fraud, in sync with the opening of The Games. Over the last month, Brazil has experienced an 83% rise in the number of malicious URLs, in comparison to a 16% increase globally. The major threats are expected to be phishing scams, unsecure public Wi-Fi connections and ATM skimmers. Luckily, US-CERT has published some handy tips to keep you cyber secure at The Games.

Speaking of cybercrime, Australia has set up a new cyber-intelligence unit to track terrorism financing, money laundering and financial fraud. Justice Minister Michael Keenan indicated that this unit would be stood up within the Australian Transaction Reports and Analysis Centre to crack down on organised criminal activities online. The unit will tackle job recruitment scams with IDCARE and identify criminal patterns in cooperation with ACORN, the Australian Cybercrime Online Reporting Network.

The Australian Bureau of Statistics suffered an embarrassing denial of service last night, just as millions of Australians logged on to complete the national census. This comes after widespread privacy concerns over the increased time period that individuals’ information would be stored and security worries over the fortitude of the website’s encryption. So much so, that several senators openly committed to boycotting this week’s survey, despite hefty fines. So last night’s debacle is an awkward development, with questions being raised by the media on the origin and motivation of the incident, and its implications for the integrity of personal data. While you’re waiting for the census website to come back online, check out #bettercensusquestions for some comic relief.

Finally, Pokémon Go’s rise to become the most successful mobile game in history has led to the creation of malicious apps masquerading as the real thing. These knock-off games have popped up on the Google Play store and are smuggling malware onto people’s Android mobile operating systems. Check out Dell’s analysis of these exploits here. Getting ahead of the game, Iran has banned Pokémon Go before its even been released, on the grounds of security concerns. So, thanks to the country’s High Council of Virtual Spaces, Iranians will never be able to catch ‘em all – but at least they will be safe from cybercriminals.

Cyberspace pervades everyday life. Our growing reliance on networks has increased the vulnerability of Australia’s national security, economy and society to malicious cyber actions. As a result, there’s a need to build trust and confidence in cyberspace, and the infrastructure and institutions that it enables and supports.

Deterrence policies and capabilities are often invoked as a means to create this stability. Australia’s recent Cyber Security Strategy, released in April 2016, stated that ‘Australia’s defensive and offensive cyber capabilities enable us to deter and respond to the threat of cyber attack’. In launching the Strategy, Prime Minister Malcolm Turnbull further emphasised that ‘acknowledging this offensive capability, adds a level of deterrence’. This rhetorical trend is also evident in other international cyber strategies including those of our major allies and partners.

However, there are pit falls in that approach to cybersecurity. In our report, Deterrence in Cyberspace, released today, we explore those issues and provide recommendations for policymakers to address stability and security in cyberspace.

The use of deterrence to mitigate security threats is based on an assumption that states are rational, and make decisions based on cost-benefit assessments. On that assumption, one can deter a challenger by increasing the perceived costs of their action (deterrence by punishment) or decreasing the expected benefit (deterrence by denial).

However, threatening punishment is unlikely to deter malicious behaviour in cyberspace, for several reasons:

•         Setting enforceable thresholds is difficult due to the spectrum of potential acts in cyberspace and the non-binary nature of many cyber capabilities. For that reason the difference between an ‘attack’ and below-the-threshold events, such as espionage and criminality, is often less obvious.
•         Responding proportionately is also made difficult by the difficulty of controlling escalation in cyberspace and the lack of normative framework to guide a conventional response.
•         It’s often difficult to quickly and accurately identify the responsible actor. Attributing blame risks inadvertent escalation with a third party and can expose valuable national cyber capabilities.

Instead, such threats have the potential to heighten international insecurity by inducing what we’ve dubbed the ‘credibility-stability paradox’. The reliability of a state’s commitment to enforcing its own deterrence policy statements is a significant symbol of its political and military power. If a state doesn’t follow through on a threat when its threshold is crossed, it directly reduces its credibility in the eyes of the international community, undermining its ability to both intimidate and negotiate in the future.

Conversely, making good on a threat in cyberspace can have drastic impacts on international stability. Retaliation, either inside or outside of cyber space, may spiral beyond the intended punishment, inflicting damage over and above what would be considered a proportionate response to the breach of a threshold. That risks a minor incident triggering a tit-for-tat escalation that devolves into a larger and more destructive conflict, further damaging international stability. So, as soon as a cyber deterrence threat is extended, a state faces the strategic dilemma of being forced to choose between maintaining its credibility or risking collateral damage.

That isn’t to say that offensive cyber capability shouldn’t be developed, but rather that it shouldn’t be developed for the purpose of making threats. The use of offensive cyber capabilities, in accordance with international law, to enable and support conventional military forces contributes positively to broader deterrence capability by reinforcing the lethality and effectiveness of armed forces as a tool of state power.

The report recommends methods to alter an adversary’s decision-making by withholding the perceived rewards of certain behaviour and building an international conflict reduction framework. Implementing a denial strategy in cyberspace requires strong, adaptive defences, resilient networks, and the use of other advanced techniques and technologies to reduce the perceived value of malicious behaviour. Denying enemies an advantage commensurate with the effort required to breach security should dissuade them from further attempts on the network. That supports cybersecurity generally and, if effectively conducted, can further enhance conventional deterrence postures and improve a state’s overall national security.

ICPC’s new report explores the nature of cyberspace, reviews the challenges it poses to deterrence by punishment and offers alternative approaches for policymakers seeking to establish stability in cyberspace. In a context of increasing network dependence and growing cyber tensions, setting a precedent of restraint, trust and international cooperation is essential. This will ensure Australia can continue to reap the economic and social benefits of a stable cyberspace.

According to a recent survey by Tech London Advocates, London’s tech experts and cyber security professionals are ‘overwhelmingly opposed’ to the UK’s recent decision to leave the EU. Mainland Europe represents an  essential source of talent for the UK, which suffers an ‘alarming lack of digital skills’, and Brexit will likely raise barriers to Europeans’ freedom to work and travel in the UK. In fact, there are concerns that a potential dip in Britain’s economy may result in a technological brain drain, with British cyber professionals seeking higher pay in countries such as the US. Negotiating the split will involve establishing whether British law enforcement will continue to benefit from the information sharing arrangements of Europol’s European Cybercrime Centre (EC3), and whether it will continue to reflect the privacy and data protection legislation of the EU or develop its own regulation standards. The attractive benefits of the EU’s ‘digital single market’ means it’s likely Britain will continue to adhere to the data standards of its continental counterparts in order to facilitate the flow of data across the Channel.

Staying with European data debates, the final changes to the US–EU data sharing agreement, Privacy Shield, have been agreed upon this week. The new arrangement will regulate the transatlantic transfer of EU data by US companies, replacing the ‘Safe Harbour’ model that was struck down last October by the European Court of Justice. The scheme features ‘a number of additional clarifications and improvements’ in response to concerns of US mass surveillance of European citizens. The new data transfer pact includes stronger restrictions and establishes the role of a US ombudsman to handle complaints over American misuse of EU data. The final version of Privacy Shield was sent to European member states for review this week, and the vote is expected to be held early next month.

Russia’s new mass surveillance bill will require all messaging services operating in Russia—such as WhatsApp, Telegram and Viber—to provide the Federal Security Service with backdoor access to citizens’ personal communications. Pitched as a counterterrorism bill, the legislation will also necessitate ISPs to hold customers’ metadata for three years and real communication records for up to six months. The legislation has been dubbed ‘the big brother law’ and companies that fail to comply will be subject to fines of up to one million Rubles (AU$20,000). Russia’s lower house, the Duma, passed the bill last week and it’s now expected to move quickly through Russia’s Federal Council and the Kremlin, into law.

China is also clamping down on data management, holding a second reading of controversial new draft rules this week. The cybersecurity law will require Chinese citizens’ personal data be stored domestically, with any request to transfer the data overseas requiring a government security evaluation. Importantly, the legislation will force network operators to ‘comply with social morals and accept the supervision of the government’. While Chinese media outlets state that these measures as designed to ‘protect the information infrastructure’, the bill is seen internationally as ‘internet censorship enshrined in legislation’.

The US recently held its fifth annual military network defence test, Cyber Guard, in Virginia with nearly 1,000 participants from the military, government, private sector, academia and allied countries. The exercise, led by the US Cyber Command, the FBI and the Department of Homeland Security, required participants to respond to a simulated network attack on US infrastructure. Over a week, participants were challenged by an active expert ‘red team’ to practice inter-agency coordination, private sector cooperation and Five Eyes interoperability. Cyber Command is also working to establish a ‘Persistent Training Environment’—a year-round cyber facility capable of simulating multiple scenarios simultaneously—which is expected to reach initial operating capability in 2019.

Closer to home, the Australian Department of Defence has announced a $12 million contribution to the Australian National University’s new innovation centre for high performance computing, data analytics and cybersecurity. The $45 million research facility will house 70 students, academics and staff from the Australian Signals Directorate. The initiative is part of efforts to boost the study of STEM subjects and address Australia’s cyber skills shortage.

For some in-depth reading, check out the Global Commission on Internet Governance: One Internet report released by the Centre for International Governance Innovation and Chatham House this week. Notably, it proposes three potential outcomes for the internet: ‘a dangerous and broken cyberspace’, ‘unequal gains’ or ‘broad unprecedented progress’. Microsoft has also published a new report this week, proposing a cybersecurity norm development model for both nation states and ICT industry. The paper addresses offensive, defensive and industry norms, as part of Microsoft’s ongoing work to ‘advance trust in global ICT ecosystems’.

Cybersecurity made an appearance in the eighth round of the US–China Strategic and Economic Dialogue which took place in Beijing last week, chaired by State Councillor Yang Jiechi and Secretary of State John Kerry. Both countries reaffirmed the value of the Senior Experts Group on International Norms in Cyberspace and Related Issues, their commitment to refrain from supporting cyber-enabled theft of intellectual property and their positive anticipation of the second High-Level Dialogue on Cybercrime and Related Issues to be held in Beijing on June 14.

The first of those ministerial-level US–China cybercrime talks was held last December, breaking the freeze in Sino-US cyber relations that started when China withdrew from a bilateral working group in response to the US indictment of 5 Chinese military officials back in May 2014. The recent December talks established a set of guidelines, a hotline and plans to conduct a tabletop exercise and continue discussions on the issue in 2016. The weekend’s terrible shooting in Orlando has meant that the second iteration of talks scheduled for this week will now be conducted at the sub-ministerial level. For a handy synopsis of US–China cyber perspectives, check out this Cipher Brief interview with Adam Segal from the Council on Foreign Relations.

Achieving additional bilateral goals, President Obama talked cybersecurity with Indian Prime Minister Narendra Modi at the White House last week. As part of their third major bilateral summit, the leaders released a joint statement that committed to deepening their cooperative partnership in regards to combatting cybercrime, securing critical infrastructure and promoting voluntary norms of state behaviour. During the talks, the US and India penned a ‘Framework for the US-India Cyber Relationship’ that’s expected to be signed by the two leaders within the next 60 days. The framework recognises both countries’ simultaneous commitment to a ‘multistakeholder model of Internet governance’ and ‘the leading role for governments in cyber security matters relating to national security’. That duality is an interesting addition to a sequence of inconsistent policy stances taken by the Indian government over the past year, which has included variations of a government-led multilateral approach and a broader multistakeholder approach.

There’s more good news for Indian cybersecurity, with the establishment of a new Microsoft Cyber Security Engagement Centre last week. Microsoft selected the city of Gurgaon as the location for one of only seven such cyber security hubs worldwide. The centre is intended to stimulate public–private cooperation in the fight against cybercrime and increase cooperation amongst Indian businesses, government and academic organisations. Microsoft’s initiative will be run in collaboration with the National Cybersecurity Coordinator, as well as CERT-India, meaning it’s a great step forward for public–private partnership in India.

It seems that everybody is interested in the US Presidential race, with the Democratic National Committee’s networks suffering a breach at the hands of Russian hackers. The two groups involved were reportedly removed from the system by Crowdstrike over the weekend, after several months of clandestine activity. The intrusion focused on internal staff communications and opposition research on Donald Trump, disregarding the personal information of donors, suggesting motivations of espionage rather than financial cybercrime. This, paired with the ongoing issue of Clinton’s email server, leaves Democratic cybersecurity wanting.

The UK House of Commons passed the contentious ‘Investigatory Powers Bill’ last week, licensing the government to collect bulk data on the online activity and smartphone use of Brits. The first cut of the surveillance bill, rejected after it elicited strong private sector objection, required businesses to increase their retention of customer data and help law enforcement undermine encrypted communications. Facebook, Google, Microsoft, Twitter and Yahoo released a joint submission outlining their concerns last December, specifically in reference to ‘obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data’. Clearly heeding the harsh industry feedback and attempting to avoid the mess of the Apple-FBI debate, the final version requires that companies overcome encryption measures only if it’s reasonable in terms of cost and technology. However, these amendments haven’t satisfied critical civil rights and privacy advocates, who refer to this bill as the ‘Snooper’s Charter’, and who will likely wait with baited breath to see if the legislation is passed by the House of Lords later this year.

European privacy is a hot topic this week, with Germany fining three companies for transferring data under the auspices of an overturned privacy law. As we’ve covered previously, the Safe Harbour agreement supported the transfer of EU data across the Atlantic by US companies, based on self-regulation. This agreement was deemed invalid by the European Court of Justice last October, making such data transfers illegal. This week, Adobe Systems, PepsiCo subsidiary Punica, and Unilever have been slapped with fines totalling €28,000 for failing to establish an alternative method of cross-border data transfer. The Hamburg Data Commissioner stated that ‘the data transfer of these companies to the USA was thus without any legal basis and unlawful’.