The communications demands of the Media Age are so diverse and complex that only a simple answer will suffice.

This is back-to-basics meets back-to-the future. Head to the bedrock of first principles while everything else in the Media Age goes into the flux capacitor.

Express the essence in six words: speak truth, always. Speak fast, always.

Maximum truth. Maximum speed. Always. Hyphenate the motto to show how the two concepts merge: truth-with-speed.

Truth up front, but speed nearly as important. The Media Age puts a rocket under the adage that a lie dashes round the world while truth is still pulling on its trousers.

Truth-with-speed sounds simple—a motherhood sentiment. But Defence’s default settings—and those of the Minister’s office—pull in the opposite direction.

The control imperative means the Minister and Defence want command over what truth is given and when and how; truth and speed are subject to ministerial approval! The current motto reads: defined truth, carefully decided, delivered slowly.

If Canberra embraced truth-with-speed it would alter the level and detail of Ministerial control over Defence’s release of information on operations. And it would force Defence to think more clearly about what to conceal and what must be done in the open. Those are big asks, challenging a lot of culture.

As a former Defence insider commented: ‘I think the aim of the game really was keeping the troops silent and preventing whistle blowers, rather than the Media as such.’

Truth-with-speed would strike at a lot of Defence boundaries.

How much truth can Canberra manage? The system understands—in theory—the benefits of openness.

Releasing the Cyber Security Strategy last month, Prime Minister Malcolm Turnbull pledged to be more explicit about cyber-crime successes and failures and hack attacks:

‘Only by acknowledging, explaining and analysing the problem can we hope to impose costs on perpetrators and empower our private citizens and government agencies and businesses to take effective security measures.’

The PM’s new cyber-security advisor, Alastair MacGibbon, recently posed the dilemma:

‘The question is how open a government can be about cyber-security without causing further damage and without hanging out all the government’s crown jewels?’

Across all the terrain of the Media Age, a balance has to be struck and tough choices confronted about where to draw the lines.

A good start is to be clear about the crown jewels. And separate those jewels from mere convenience or embarrassment or stuff up or political plays and bureaucratic comfort.

The distinction is between jewels and tawdry trinkets.

The need for truth-with-speed is accelerating as terrains merge. Rather than treating social media and traditional Media as different entities, see them as a continuum running right across the communications landscape. The borders evaporate.

You can’t have one message for a domestic audience and a different message for an international audience—they are one audience. And you have to give the Digital Citizen what once was reserved for journalists.

The hacks no longer control the news. Governments direct less of the information. Give the Press what you should give the People: hacks and Digital Citizens must be treated as equals, because in this new terrain they are the same. Truth-with-speed for all.

Technologically, new media are transformative, but many of the military-media issues recur: Exclude versus Engage; Control versus Communication.

Old lessons matter, even as the lines blur. The military instinct to control, censor and shut out is antediluvian in the Media Age.

Time to relearn some hard-won lessons about the relationship between journalists and the military—then apply them to lots of new players.

Here are three principles for use in the Media Age.

The prime directives draw on recommendations offered 30 years ago by the Centre for Journalism Studies, University College, Cardiff, in a study commissioned by Britain’s Ministry of Defence after the media policy shambles (and scrambles) of the Falklands War.

So the basic principles aren’t new, just hard to do. The burden of truth-with-speed is in the doing, not the pledging.

The prime directives of truth-with-speed:

1. The Government promises as a core commitment to give Australians (and all other Digital Citizens) as much information as possible about ADF operations as quickly as possible. The ADF should be charged with fully meeting this promise to always deliver maximum truth with maximum speed. The principle will apply in peace and war.
2. The automatic responsibility is always to give as much information as possible, whether that news is good or bad. This is the default setting and the basic rule—not just a declared principle. The working assumption must be that information should be released, not that it should be withheld.
3. Secrecy and partial release of information for operational security must be reviewed constantly. Defence must detail the categories of information regarded as ‘crown jewels.’ What’s to be kept secret and—broadly—why? Defence should report regularly to Parliament on how it’s meeting the responsibility for maximum disclosure.

Much would change if these became the driving principles.

For instance, the ‘Defence Instructions (General) on Public Comment and Dissemination of Information by Defence Members’ obsesses that any release of information must be ‘coordinated, agreed and authorised.’

The DI(G) would be turned on its head. Having clearly defined the crown jewels (what is to be secret), everything else would be authorised. The default setting can’t be that everything is secret unless decided otherwise.

Defence would expect the facts to be told fully and quickly. And the job would be done by those closest to the facts.

The strategic corporal would be joined by the Lieutenant who can speak and the Captain who can confirm and the Major who can explain, and so on up the line.

Instead of the Canberra-centric mantra of coordinated and agreed, this would be decentralised. When the ADF was in the field, the facts would come from the field. The Digital Citizens will report from the front, so should the ADF.

The Afghanistan lesson is to tell a lot more and the Media Age demand is to tell it quickly.

Defence would get confronting freedoms. Let off the ministerial leash, Defence would have to speak more openly and honestly about what it is and how it works.

The Pakistani Foreign Office has reached out to the nation’s largest intel body, Inter-Services Intelligence (ISI), for assistance to boost its internal IT security. Government ministries in Pakistan are no strangers to targeted online campaigns (here and here), and the Ministry of Foreign Affairs is seeking to beef-up its cyber resilience in response. The Ministry has requested 80 million rupees in next year’s federal budget—a 130% increase on this year’s budget—to boost the resilience of its Islamabad headquarters and communications security across its network of foreign missions. The move has raised concerns internally that the new role will provide ISI with undue access to the Ministries’ communications, although that’s been dispelled by a government official who said ISI would only have ‘limited access’ and that the work of departments remain protected by ‘encryption codes’.   

The Cyber Space Administration of China (CAC) recently launched an investigation into Chinese search engine Baidu, finding that the site has been inappropriately presenting sponsored links as organically generated search results. The CAC found that Baidu was ranking returned search results based upon the advertising spend received from companies, but neglected to make this clear to the user that the results were in fact sponsored.

Apple CEO Tim Cook is set to visit China this month to undertake talks with senior government and CCP representatives. The visit comes at a tumultuous time in the relationship between the tech giant and economic powerhouse, with Beijing recently suspending several of Apples online services on the mainland and concerns surrounding China’s new counterterrorism law.

Last month US General Vincent Brooks spoke to US Senate leaders about the online threat posed by North Korea. In news that won’t surprise readers of our 2015 Cyber Maturity Metric, Brooks rated North Korea’s online abilities as ‘among the best in the world and the best organized’. To counter the growing cyber threat from North Korea, last week the US and South Korea agreed to deepen cyber cooperation. Speaking in Seoul, Secretary of State John Kerry pointed the finger at Pyongyang for carrying out ‘provocative, destabilizing and repressive actions’ online and warned that North Korea will be ‘will be held accountable for their actions.’

The Canadian government is moving to block two Huawei employees from entering Canada on espionage concerns. Canadian border officials have advised the pair that their entry will be denied under section 31 (1) f of the country’s immigration act, with authorities holding ‘a reasonable belief’ that they are part of an organisation which may be engaged in acts of ‘espionage, subversion or terrorism.’ It’s extremely rare for applicants to be rejected for a Canadian visa based on espionage concerns. The workers and their employer deny any involvement in espionage. Huawei is frequently accused of state-sponsored espionage; the company was barred from tendering for the construction of Australia’s NBN in 2012 on national security grounds.  

On the home front, the International Cyber Policy Centre recently welcomed senior Australian and Spanish public sector and business leaders to Canberra for a 1.5 track dialogue. Co-hosted with the Spain–Australia Council Foundation, discussions centered around national public and private sector perspectives on cyber security and sought to identify areas of possible cooperation between Australia and Spain. Spanish Secretary of State for Foreign Affairs Ignacio Ybañez opened the dialogue, noting that cyber security cooperation and private sector engagement was a significant area of potential growth in our bilateral relationship. He noted that geographic distance was no longer a barrier to the relationship between Spain and Australia given our networked and connected world. He emphasised shared values as an enabler of cooperation on issues such as norms, conflict risk reduction and cyber security incident response. The dialogue identified several areas of potential future cooperation between Spain and Australia—including CERT collaboration, best practice and threat information sharing for critical infrastructure protection and coordination of efforts in global cyber capacity building through shared membership in institutions such as the Global Forum on Cyber Expertise.

The major cyber story of the week is the long-awaited release of Australia’s Cyber Security Strategy, the first document of its kind since 2009. The Strategy outlines $230 million of funding for enhanced cyber security efforts over four years, with a focus on five key themes. Specifically, significant investment will be funnelled into improving the cyber capabilities of the AFP, Crime Commission, Australian Signals Directorate and Australia’s Computer Emergency Response Team (CERT Australia).

The Strategy’s overarching principle of public–private sector partnership informs the establishment of a Cyber Security Growth Centre and Joint Cyber Threat centres in capital cities. The government will also relocate Australia’s Cyber Security Centre from the highly classified ASIO building to allow greater private-sector access.

The Strategy establishes new positions: a Minister Assisting the Prime Minister on Cyber Security, a Special Advisor on Cyber Security (to be filled by Alastair MacGibbon), and a Cyber Ambassador to be appointed by Julie Bishop. Further, the development of a sustainable cyber-savvy workforce will be encouraged through investment in STEM education and the creation of academic centres of excellence in universities.

Notably, the Strategy explicitly refers to Australia’s offensive cyber capabilities—a first in Australia’s rhetoric surrounding cyber security. At the launch, Turnbull stated than an ‘offensive cyber capability, housed in the Australian Signals Directorate, provides another option for the Government to respond’.

The Strategy has been hailed as ‘the most important and innovative government strategy yet written’. However, there has been criticism of the document’s language not addressing the seriousness of contemporary cyber threats strongly or directly enough. Others are concerned that this underestimation is reflected in the funding on offer, which falls short in comparison to the billions being spent by Australia’s peers. Last year, the UK announced plans to invest £1.9 billion (A$3 billion) in cybersecurity, while the US has recently upped its spending by US$5 billion to a total of US$19 billion (A$24.8 billion). Check out some in-depth analysis of the new Strategy from the ICPC team here, here and here.

In the US, tech firms have banded together to oppose a bill that would effectively outlaw end-to-end encryption and require companies to help the government decrypt customer data. A coalition of companies—including Apple, Facebook, Google, Netflix, Microsoft and Twitter—wrote an open letter to the sponsors of the new bill, Senators Richard Burr and Dianne Feinstein. The tech giants warn against the ‘unworkable policies around encryption that would weaken the very defences we need to protect us from people who want to cause economic and physical harm’.

In an amusing concurrent development, popular instant messaging service Viber just announced it will make end-to-end encryption the default for its 700 million users. The company stated that it’s ‘proud that our users can confidently use Viber without war of their messages being intercepted’. This comes only a few weeks after WhatsApp made the same transition.

This week also brought an exciting development in Artificial Intelligence (AI) technology. Scientists from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), in partnership with machine learning start-up PatternEx, have developed a hybrid machine that can learn how to identify 85% of cyber attacks. The findings, which merge state-of-the-art AI and analyst intuition, were published in a paper titled AI2: Training a big data machine to defend. The initiative works on an active learning system, where artificial intelligence network assessments are verified by an analyst, and any corrections are integrated back into the machine as a feedback loop that continues to improve its detection accuracy. The system can reportedly reduce false positives by a factor of five and is about three times more accurate than comparable technologies—a major development in the potential of AI for cybersecurity.

Staying stateside, a Bloomberg report has revealed that a US$12 billion tactical mobile Internet network used by the US Army suffers significant cyber security vulnerabilities. The Warfighter Information Network-Tactical Increment 2, or WIN-T, uses satellite and radio technology to offer secure voice, video and data communications to troops on the move. The network is deployed to 11 of the Army’s combat brigades and is already in use in Iraq and Afghanistan. However, an assessment conducted by Johns Hopkins University and the Army Research Laboratory recommended ‘improvement to user training techniques and hardware and software enhancements to harden against the cyberthreat’. In light of those findings, the US Army and General Dynamics are undertaking efforts to upgrade systems already in use and line-up improvements that will be deployed through 2028.

Notwithstanding its apparently flawed military cyber defences, the US has been having fun with its offensive cyber rhetoric this week. Check out this piece from The New York Times to understand what US Deputy Defense Secretary Roger Work really means when he says the US is dropping ‘cyberbombs’ on ISIS.

The release of the Panama Papers this week has set a new record for the largest volume of data that has ever been leaked. The 2.6 terabytes of data, consisting of 11.5 million documents previous leaks such as WikiLeaks by a significant margin. The leak was provided to news outlets through encrypted channels by an unknown source.

This week another US health care company has fallen victim to ransomware, only a month after a Los Angeles hospital was held to ransom by cyber criminals. Electronic health records at 10 hospitals owned by MedStar Health in Maryland and Washington DC were encrypted on Tuesday last week and held ransom by unidentified hackers causing significant disruption to services. MedStar reported that it had restored 90% of its network by last Saturday, but it’s not clear if the company paid the US$18,500 ransom request. The Washington Post noted that hospitals and other health and insurance providers are obvious targets for hackers as they maintain sensitive personal information, but the industry hasn’t kept up with the financial and retail sectors efforts for cyber security and resilience.

In Japan, planning for the 2020 Tokyo Olympics has prompted the government to implement a program to train a further 1000 cybersecurity analysts within government. A preferential pay system and new senior leadership positions for cybersecurity are intended to boost cybersecurity awareness and skills across the government before the games kick off in four years.

The UK Ministry of Defence (MoD) has announced that it’ll spend £40 million on its new Cyber Security Operations Centre (CSOC), previously announced as part of the UK’s cyber security strategy. The Centre will be located at the MoD Information Systems and Services branch at Corsham in Wiltshire, formerly the location of the UK government’s nuclear war bunker. The CSOC will monitor and defend MoD’s networks, and is part of a larger £1.9 billion investment over five years by the UK in defensive and offensive cyber capability by MoD and GCHQ. The UK also announced last Friday at the Nuclear Security Summit in the US that it will be undertaking joint drills with the US to test the cybersecurity of nuclear power plants in both countries.

It appears that there’s still confusion in the US Department of Defense (DoD) about who’s responsible for leading the charge when responding to a cyber emergency in the US. It seems that both Northern Command and Cyber Command (CYBERCOM) believe that they’d take the lead for DoD assistance to domestic cyber crises, and Pacific Command is of the opinion that it’d take responsibility for responding to cyber incidents in its area of responsibility. The Government Accountability Office (GAO) has warned that until roles and responsibilities of DoD’s various different components are clearly established, it ‘may not be positioned to effectively employ its forces and capabilities to support civil authorities’.

This problem isn’t isolated or new, with the GAO issuing a report back in 2013 that stated that roles and responsibilities for cybersecuirty at the national level also need to be more clearly defined. In a separate interview, the Pentagon’s head of cyber policy Aaron Hughes noted that one of the key accomplishments so far in implementing the DoD Cyber Strategy has been exercises to refine CYBERCOM collaboration with the FBI and Homeland Security—suggesting that work is underway towards overcoming the problems identified by GAO. .

Following the indictment of seven Iranian hackers by the US last week, Iran watchers have been working to scope the country’s cyber capability. Majid Rafizadeh from Harvard notes that while Iran hasn’t yet reached the cyber sophistication of China and Russia, its capability is advancing at a rate that warrants security concern, particularly as the Iranian regime perceives cyberspace as an environment in which it can ‘advance its ideological, geopolitical, and strategic ambitions… by inflicting damage on their major state institutions and infrastructures’. The National Council of Resistance of Iran, a Paris-based shadow Iranian government, has also published a review of Iran’s cyber capability.

And finally, the American Foreign Policy Council has released a primer on cyber security, including briefs on US, Chinese, Russian, Iranian and North Korean cyber capabilities.

Western Australia’s parliament was hacked last Tuesday with a computer virus forcing the shutdown of its telecommunications systems. According to Speaker Michael Sutherland, the attack impeded a number of house operations including, ‘Hansard publications, the preparation and processing of questions on notice and answers to questions on notice’. Fortunately, the breach didn’t prevent Parliament sitting as usual.

The incident comes following a 2015 audit of sections of the WA government’s digital infrastructure. The assessment found that some agencies didn’t adequately protect information to prevent unauthorised access and data loss. Specifically, it noted the lack of basic controls over passwords, patching, setting of user privileges, copies of sensitive information across systems and poorly configured databases. Cyber security within state governments in Australia often lags behind best practice, but news last week that Queensland is establishing its own cybersecurity unit can be taken as a welcome sign that this trend may soon reversed.

Last week’s ruling that Apple must assist the FBI to unlock an iPhone linked to San Bernardino gunmen Syed Farook has reignited the smouldering discussion on encryption and the difficult balance between privacy and public safety. More public figures have recently come out on one side of the debate or the other. NSA chief Admiral Mike Rogers surprisingly came out on the side of encryption, saying that it’s ‘foundational to the future’, while Microsoft founder Bill Gates has chastised Apple CEO Tim Cook for opposing the court order. Surveys of public opinion in the US have found that there’s a roughly 50/50 split between support for the FBI or Apple. This is significant as Apple will reportedly seek to propel the case out of the courts this week and into the hands of Congress to decide.

Also in the US, the Hollywood Presbyterian Medical Centre in LA has paid 40 bitcoins (equivalent to US$17,000 in ransom to retrieve access to its patient files after a malware attack. The attack prevented access to the computer systems and restricted the ability to share communications electronically, successfully forcing the hospital to return to manual paper and pen patient submissions. Ransomware locks computer systems through file encryption which then demands a ransom payment in exchange for the decryption key.

Japanese companies have been targeted by a highly skilled and well financed state actor according to cyber security firm Cylance. The campaign, named Operation Dust Storm, previously targeted major industry in Japan, South Korea the US, Europe and South East Asia, but has now narrowed its target set to Japanese organisations. The intent of the hackers appears to be long term presence on networks to exfiltrate data, particularly from electricity, oil, gas and transpiration companies. Japan is a frequent target for hackers, however security consultants to Japanese firms and the government continue to highlight weaknesses in corporate culture that views breaches as a loss of face, preventing disclosure and cooperation on common threats.