Tag Archive for: Cyber

Agenda for change – 2019

In 2018, many commentators pronounced the rules-based global order to be out for the count. This presents serious challenges for a country such as Australia, which has been an active contributor and clear beneficiary of that order. The government that we elect in 2019’s federal election will be faced with difficult strategic policy choices unlike any we’ve confronted in the past 50 years.

This volume contains 30 short essays that cover a vast range of subjects, from the big geostrategic challenges of our times, through to defence strategy; border, cyber and human security; and key emergent technologies.

The essays provide busy policymakers with policy recommendations to navigate this new world, including proposals that ‘break the rules’ of traditional policy settings. Each of the essays is easily readable in one sitting—but their insightful and ambitious policy recommendations may take a little longer to digest.

Previous Agenda for change publications are also available here: 2016 and 2013.

Australia’s cybersecurity future(s)

It’s January 2024. Does Australia still have the internet?

Introduction

Australia wants to create a future for cyberspace that’s open, free and secure, but that future is not assured. According to Dr Tobias Feakin, the Ambassador for Cyber Affairs, ‘Australia’s vision … and our ambitions across the broad spectrum of cyber affairs are impossible to achieve alone.’[1] Key drivers are outside of the country’s control. The government can—and should—advance a positive vision, but Australia might not get its way.

What if the future of cybersecurity looks different from what we hope or expect? This is a hard question to answer. Day-to-day concerns demand our immediate attention, and, when we think about the future, we tend to extrapolate from current trends. As a result, we’re shocked or surprised by discontinuous change, and woefully unprepared to face new realities. The risk is particularly acute in cybersecurity, in which rapidly changing technologies combine with diverse social and political forces to create unexpected consequences. Therefore, as difficult as it is to rethink our assumptions about the future, failing to do so could be dangerous.

This report uses scenario analysis to examine one such future: a world where cyberspace is fragmented in the year 2024. Contrary to the ambition of Australia’s International Cyber Engagement Strategy, cyberspace is neither open nor free in this scenario. We analyse what that implies for cybersecurity. In particular, we examine the challenges and opportunities that Australian policymakers may face in the future and wish they had planned for in our present.

We conclude that Australia will be caught in the fray if the internet breaks apart. While this scenario isn’t all bad, Australia could be forced to fend for itself in an increasingly dangerous neighbourhood. The scenario isn’t a forecast or prediction. It’s a compelling narrative to provoke new thinking and critical discussion about what Australia must do now to prepare for different cybersecurity futures.

Our approach is as follows. First, we explain the methodology. Second, we identify the forces of change that drive this scenario. Third, we combine these drivers to describe one possible world in 2024. Finally, we highlight the strategic choices and challenges that this scenario raises for Australia.

Scenario analysis

Scenario analysis is a methodology for critical thinking about alternative futures. It was pioneered at RAND in the 1950s by Herman Kahn in his attempt to ‘think the unthinkable’ about thermonuclear war. The method was further developed by Pierre Wack and Ted Newland at Royal Dutch Shell, where scenario analysis was credited with anticipating the possibility of oil shocks during the 1970s.[2] It’s now commonly used in industry and government. For instance, scenario analysis informs the US National Intelligence Council’s quadrennial Global trends report.[3] It’s also applied by the Center for Long-Term Cybersecurity at the University of California, Berkeley, in reports on Cybersecurity futures 2020 and Asian cybersecurity futures.[4]

The goal of scenario analysis is to ask and, ideally, answer ‘what if’ questions about how different drivers of change—social, political, economic, technological—could combine to produce discontinuities and thus different possible worlds. This approach is forward looking. We apply it to imagine Australia’s cybersecurity environment circa 2024. It may be unsettling. Following best practice, we sought to simplify and then exaggerate the drivers of change in order to throw an alternative and perhaps undesirable future into sharp relief. Nevertheless, scenario analysis is still rooted in reality.

The propositions behind this qualitative analysis are plausible, the narrative is internally consistent, and the results reflect expert consultation.

This report breaks from the norm of scenario analysis by focusing on one of many possible futures.

Our focus is not predictive, however. We do not argue that internet fragmentation is probable or likely to play out as per this scenario. We do suggest that this kind of future is significant because it challenges Australia’s preferred vision for an open, free and secure cyberspace. Fragmentation is also a significant concern in internet policy.[5] Furthermore, while it may be a single scenario, a fragmented world contains different environments or ecosystems, and analysing that diversity helps compensate for our focus on only one potential future. The challenges and opportunities of such a future therefore warrant special consideration (just as other scenarios warrant further research). Rather than fight the scenario, we encourage you to ask: What would Australia need to decide and do differently for cybersecurity if it confronts this world in 2024?

Drivers of change

Our scenario depicts the interplay or interaction effects of three hypothetical drivers for change: Asia online, tech giants, and great-power conflict. While none is certain, each premise is plausible. More importantly, the resulting scenario is not a linear extrapolation or forecast based on any single trend. It’s the combination of drivers that could contribute to internet fragmentation and result in a cybersecurity environment markedly different from today’s.

Asia online

First, the number of users, devices and applications in Asia grows substantially over the next five years. We imagine that internet penetration in the region grows faster than expected, jumping from less than 50% today to more than 80%, so that more than 3.5 billion people are online in Asia. As a result, there are as many people online in this region come 2024 as the total number of internet users around the world in 2019. By 2024, Asia is also home to more than 15 billion connected devices.

We assume that this rapid expansion of connectivity is unrivalled in other regions. It roughly correlates to Asia’s youthful and growing population, as well as its economic power as the new centre of the global economy. However, economic and political opportunities remain unevenly distributed over the next five years, as is the region’s digital transformation. Most web traffic in Asia is mobile, but connection speeds vary greatly across the urban–rural divide, and economic growth hasn’t reduced economic inequality.

Tech giants

Second, we posit large and locked-in technology platforms as another driver for change. Although new applications flourish over the next five years, we assume that the underlying technology stacks, layers or platforms upon which those applications are built resemble a few large tectonic plates. And those platforms are increasingly dominated by a handful of huge corporations.

Tech giants dominate the user experience, software development and hardware. For most people in 2024, ‘cyberspace’ is difficult to distinguish from megabrands such as Google, Apple, Facebook, Amazon and Microsoft, or, similarly, Alibaba, Tencent, Baidu, Sina Weibo and Huawei. These companies also dominate the marketplace for talent. Regardless of where they work, most software developers work with toolkits and application program interfaces that plug into a dominant platform. Proprietary software developed by tech giants enjoys a home-field advantage over apps built by third-party providers. Industry concentration shapes hardware and telecommunications infrastructure as well, including the ‘internet of things’ (IoT). On the one hand, we imagine that connected devices are ubiquitous and produced by a plethora of manufacturers in 2024. On the other hand, in many markets, many of these connections are mediated by platforms, hubs and bridges dominated by the ‘Big 10’ tech giants.

Great-power conflict

The third driver is strategic competition and conflict between great powers. We posit a multipolar world in 2024. No great-power concert has emerged to manage territorial conflicts or the myriad state and non-state cyber operations. The US remains the only superpower with global reach, but that reach is rivalled by China’s, especially in the Pacific and Indian oceans. US power projection into the region is further limited by budget constraints (accentuated by an ongoing recession), as well as costly commitments to fighting in the Middle East and deterring a weak but assertive Russia. While NATO endures, nationalism and populism have fuelled extreme swings in American and European politics, fraying the alliance. ANZUS endures as well, but the US lacks a coherent strategy towards Asia in 2024. As a result, the US military posture isn’t supported by consistent political and economic policies.

Meanwhile, China has continued to rise. The Middle Kingdom is a middle-income country in 2024, with a nearly $15 trillion economy. Its One Belt, One Road and Digital Silk Road initiatives have established Chinese infrastructure, standards and platforms in several neighbouring economies. However, this economic and strategic agenda is resisted by India in the south and Russia in the north, along with European and American interests in Africa and Oceania. We posit that the Chinese economy has not dipped into recession, although its officially reported growth rate of 3% in the last quarter of 2023 is viewed with considerable scepticism. In China, as elsewhere, economic angst and nationalism have increased variability in foreign policy and contributed to competition and conflict in the region.

2024: Fragmented world, fragmented internet

In this scenario, Asia comes online but cyberspace fragments by 2024. Years of mounting tensions between the US, China, Russia and Western Europe have combined with entrenched platform technologies to result in a world where the internet—singular—is a thing of the past. The ‘World Wide Web’ is anachronistic. Instead, there are several weakly connected internets, each of which contains content and services that are largely inaccessible from outside the same country, region or bloc. There are tunnels through these walled gardens, but few users beyond specialists, spies and criminals have the skill or inclination to use them. Most users’ online access and experience is mediated and monitored by whichever tech giants enjoy official sanction in their local market. In most places, ‘social media’ are just media, and the IoT is just things.

The world’s largest internets are American and Chinese. Access to each correlates with physical proximity to the US or China, coupled with the broader user base of their respective tech giants. In particular, the American internet is accessible in most of the Western Hemisphere (corresponding to the American and Latin American regional internet registries). It’s also accessible in Western Europe, but tensions across the Atlantic have combined with divergent data protection and antitrust regulations, fuelling the emergence of a continental internet in the remnants of the European Union. Russia’s national internet is effectively cordoned off by internal information controls (heightened following the death of Vladimir Putin), combined with external blocking of untrusted traffic (Russian IP addresses being equated with criminal or intelligence operations and rejected by most border routers). National networks have also emerged in North Korea, Saudi Arabia and Venezuela. In addition to indigenous applications, the governments that regulate these and similar shards of cyberspace typically contract with Chinese or American firms to build platforms that are closed and customised for local censorship and surveillance.

Figure 1: Internets of the region, 2024

Enter the dragon

Like the Belt and Road Initiative, or the Nine-Dash Line, geography is a notable feature of the Chinese internet in 2024, which is portrayed as several concentric circles. Domestic services and content sit at the centre, behind the Great Firewall. China’s ‘Social Credit’ system hasn’t proved particularly effective in regulating behaviour offline; a goth-like fashion trend dubbed ‘false negative’ has even emerged to frustrate facial recognition. Nevertheless, China has become a nearly cashless society, and both big data and artificial intelligence are used to effectively monitor most online activity. The incidence of malware has decreased dramatically, and domestic cyber incident response is well coordinated.

Some cybersecurity experts worry that foreign intelligence services are exploiting the backdoor access required by China’s regulation of commercial encryption, yet the government denies any such allegation.

Outside the Great Firewall, similar services and content are available to those individuals, organisations and countries that use the platforms provided by China’s tech giants (or their local affiliates). Many do, particularly in Asia. By default, users in this second ring give their data to Chinese service providers.

Most of that information is stored on servers inside China. The outermost ring consists of custom networks that China has built but for which—purportedly—it has handed information controls over to the client, such as for the heavily restricted mobile apps recently launched in North Korea.

The Western Front

For many users in the US, the American internet in 2024 appears similar to the World Wide Web in 2019. A similar set of tech giants from Silicon Valley and Seattle dominate the market. Their proprietary platforms seem to seamlessly integrate users’ digital lives. Toddlers are frequently reported to perceive voices such as Google Home and Amazon Echo as disembodied members of their families. Data breaches of personally identifiable information are so common as to rarely make news; occasionally, car fleets and wired housing developments that have been bricked by cyberattacks make headlines. Net neutrality remains contentious and partisan. Demands from law enforcement for data collected by bystanders’ wearable tech during the Denver bombing in 2022 have ignited another round of debate over encryption (a debate joined by lobbyists for fintech and cryptocurrencies).

Lobbying by tech giants, fractious domestic politics and anti-statist ideology limit US federal regulations on cybersecurity. One exception is wireless broadband. A government-sponsored, industry-led consortium has rolled out a mobile network called US5G. Chinese companies are banned from building this infrastructure. Likewise, Chinese and Russian cybersecurity software is banned from use on US Government computers. The Securities and Exchange Commission has also imposed reporting requirements on cryptocurrencies and initial coin offerings. Domestic information sharing has improved modestly after years of concerted attacks against critical infrastructure, but individual users still have little recourse, and the quality of cyber insurance is variable. US diplomats pay lip service to ideas such as ‘internet freedom’ and ‘cyber norms’ when they criticise authoritarian regimes, but the promotion and practice of the American internet abroad is largely determined by the commercial strategies of its tech giants.

Figure 2: The US5G logo

Fault lines

Asia is a contested zone in 2024. The US and China vie for power in the region while Chinese and American firms compete for market share. Unfortunately, the US and China appear caught in the ‘Thucydides trap’, as the rising and ruling powers jostle near the brink of armed conflict.[6] War was narrowly averted in 2022 following a naval skirmish in the South China Sea that killed 65 sailors and marines aboard American and Chinese warships. Patriotic hacking—both state-sanctioned and self-radicalised—during this incident was intense and occasionally destructive. Since then, submarines have been reported patrolling undersea cables in the Pacific. In addition, real and imagined instances of Chinese and American firms facilitating offensive cyber operations by military and intelligence agencies have driven yet another wedge between their rival internets.

On the one hand, countries in the Indo-Pacific enjoy more choice than those in the Western Hemisphere, since the American and Chinese internets are both viable options in this region. Some countries are choosing to bandwagon with China. In 2024, Alibaba, Tencent, Baidu, Sina Weibo and Huawei are providing a bundle of telecommunication, media, IoT and financial services called WeConnect. This bundle has proved remarkably popular in Malaysia, for instance, and among the Chinese diaspora across Asia. WeConnect has also increased internet access in Myanmar and Cambodia by an order of magnitude: millions of their people have leapfrogged from having no phones to using Chinese smartphones overnight. In contrast, Japan uses the American internet as a matter of policy, and most users in Indonesia and the Philippines remain locked into Facebook and Google. India is non-aligned (despite the prevalence of American platforms), and Pakistan is hedging its bets (despite widespread adoption of WeConnect). Competition and choice between American and Chinese internets are fuelling digital innovation across the region.

On the other hand, innovation in this scenario is not improving global integration. Choosing one internet increasingly means forgoing access to others. Chinese and American cybersecurity standards are not compatible. Nor is compatibility of much interest to the tech giants. Years of national tariffs, investment restrictions, divergent regulations and export controls have limited their sales in the others’ domestic markets. Combined with the US5G network, these policies have forced American firms to shift away from Chinese suppliers. Similarly, the ‘Made in China 2025’ initiative has made Chinese tech giants more self-sufficient. The US–China skirmish in 2022 accelerated the disintegration of once highly integrated supply lines and manufacturing. When competing for customers in Asia, the tech giants are incentivised to collude within their own internet and exclude foreign rivals.

Moreover, the range of choice in this region comes at considerable cost. While some aspects of cybersecurity have improved inside Chinese and American internets, those improvements are lost in the mixing zones between them. Cheap, outdated and counterfeit technologies are most vulnerable, enabling cybercrime in 2024 to cost Asia as much as $3 trillion per year. Ransomware, DDoS by IoT botnets, cryptocurrency fraud, industrial espionage, election interference—all are common, especially at the local level. Diverse technology limits the spread or scale of most attacks, but it also provides criminals with many smaller targets of opportunity outside the Great Firewall. Jumbled laws across different jurisdictions also provide safe haven for state and non-state actors to launch attacks and hide ill-gotten gains. In this scenario, data protection isn’t imagined to be a top priority for hundreds of millions of people who are coming online for the first time. Even more than the American internet, the Chinese internet in 2024 owes its success to users willing to forgo privacy in exchange for access and convenience. The appetite for adopting digital technologies in this contested environment is a recipe for legal and illegal innovation alike.

Moving forward: strategic choices and challenges for Australia

The world that we describe would have serious implications for Australian cybersecurity. At least three lessons stand out in our analysis.

Australia will be caught in the fray

In this scenario, China remains the primary pillar of the Australian economy and the US remains Australia’s security guarantor. Australia won’t want to take sides, and with good reason. But the digital economy may prove more sensitive to geopolitical tension than other markets, in which case Australia could face tough choices in cyberspace sooner rather than later.

The costs of choosing either an American or a Chinese internet could be significant, though not equal. Not choosing could be costly as well. While a mediating, brokering or hedging strategy may prove the lesser evil, it may also make Australia the target of intense pressure. Domestic affairs could become a microcosm of fierce regional competition. Potential outcomes include foreign surveillance, censorship and the manipulation of Australian markets, networks and politics. Chinese platforms are particularly suspect, but American technologies aren’t above reproach. How will federal, state and local governments respond in March 2024, for example, if mass student protests in Melbourne are manipulated through WeConnect? How much more difficult will whole-of-government policies and operations be, even at the federal level, if the tensions between cybersecurity and economics become increasingly pronounced?

29 November 2023

Australian Fintech Firm Shuttered:
US Alleges Data Manipulated by China

The Sydney-based cryptocurrency exchange TransPacific Ledger (TPL) was forced to shut down last night, less than a day after the discovery of data irregularities in trading worth more than $1.5 billion.

TPL suspended operations after the firm was implicated in the crash of blockchain-backed indexes in the United States. Trading data brokered by TPL may have been manipulated in high-speed transactions between the US and China.

A darling of the Sydney start-up scene, TPL had been seen as a trusted and profitable intermediary between American and Chinese financial markets. ‘We have a sales office in Hong Kong, we’re fully licensed in Australia, and we comply with all US regulations,’ said TransPacific CEO Ed Jones in an interview last month.

However, US cryptocurrency exchanges crashed on Monday when irreconcilable discrepancies were reported across several ledgers. ‘TPL appears to be the common link,’ according to the White House press secretary, ‘but China is behind the bad data.’ US intelligence officials point to recent advancements in Chinese quantum computing, claiming that these computers could hack the authentication protocols behind blockchain. ‘Maybe this was an experiment that got out of hand,’ said one anonymous source.

Beijing brusquely rejected these claims. ‘False accusations accomplish nothing,’ according to one government spokeswoman. Prominent voices in Chinese media are now blaming unnamed criminals in Australia and demanding their immediate extradition.

The Australian Securities and Investments Commission is working with the Australian Signals Directorate in its investigation. Neither agency was available for comment. The ASX lost 5% after news about TPL broke on Tuesday.

Please note: the above is a fictional article created by the authors for the purpose of this report.

If Australia straddles both internets, both networks could be used to push and pull divisions in Australian government and society. Moreover, even if Australia tries to straddle the US and China, other countries in Oceania may decide differently. For instance, how will Canberra respond if Papua New Guinea, Bougainville and Solomon Islands bargain to adopt the Chinese internet in 2024 unless Australia increases development assistance to expand and maintain their undersea cables? In this scenario, Australia will have to decide how much it’s willing to pay for its preferred strategy, both at home and around the neighbourhood.

Internet fragmentation isn’t all bad everywhere

As costly as straddling or choosing between American and Chinese internets would be for Australia, this isn’t a doomsday scenario. Some aspects of cybersecurity stand to improve inside each network. Harmonised standards and coordination across like-minded jurisdictions could improve incident response, information sharing (including vulnerability disclosure), patching and attribution. Technological diversity may increase at the regional and global levels, limiting the scale of any given platform and thus the extent to which attacks spread beyond any given country, region or bloc. Trust inside these networks may improve as well. For example, this scenario imagines that the average American in 2024 is relatively confident about US5G (despite expert debate about whether this network is demonstrably more secure than the Chinese alternative). Real or imagined, these security gains may make joining one club or another an attractive prospect for Australia.

Granted, the security gains inside each network are offset by friction between them. Australian policymakers will also bristle at claims by China, Russia and other authoritarian regimes that strict censorship and surveillance improve the security of their respective internets. Nevertheless, fragmentation or disintegration need be neither chaotic nor absolute. For better or worse, cross-fertilisation and ideological hypocrisy will occur as well, with American companies mirroring some of the practices used by their Chinese counterparts and vice versa.

Thursday, January 4, 2024

Mastercard and Walmart introduce a Social Credit System

Dismissing comparison to China, Walmart claims new system will help its consumers “live better” and “save money” during the US recession.

Please note: the above is a fictional article created by the authors for the purpose of this report.

Australia lives in a dangerous neighbourhood

The concurrent great-power transition and digital transformation of the region could be more turbulent than in any period in recent history. Tech giants will shape this transformation, but their commercial interests diverge from the public interest in Australian cybersecurity. In contrast to powerful corporations, international organisations such as the International Telecommunication Union appear even less impactful than usual in this scenario. Even multi-stakeholder organisations such as ICANN could be coopted or captured by commercial and geopolitical interests.

Tough Choices

Australia isn’t helpless in this environment, but it should prepare to help itself. Looking back, policymakers in 2024 may wish that preparation had started in 2019. Options include redoubling Australian efforts to champion an open, free and secure cyberspace in order to avoid the future imagined here. Advancing regional leadership, investing in capacity building and taking assertive action on shared interests may prove helpful. At the same time, however, policymakers should consider tough choices about cybersecurity in a less benign environment: 

  • Is Australia prepared to play hardball, not only with the US and China, but also with commercial tech giants, in order to advance its national interest?
  • If forced to take sides or straddle the great powers, how should Australia choose, and how can it mitigate the costs of doing so?
  • Even if there’s no defining moment (for example, President Trump or President Xi declaring ‘You’re either with us, or against us’), is muddling through on issues such as encryption in Australia’s national interest, especially if incremental decisions aggregate into a decisive choice?
  • What, if anything, can Australia do to help the next billion users in Asia come online in ways that improve rather than undermine critical aspects of cybersecurity?
  • And will a laissez-faire or, alternatively, compliance-driven approach to domestic cybersecurity suffice or prove lamentable in the years ahead?

These are important questions to answer, regardless of whether or not the scenario that we describe comes to pass. Scenario analysis doesn’t need to provide accurate predictions in order to provoke strategic thinking about the future of Australian cybersecurity.


Acknowledgements

This report was produced in collaboration between the Sydney Cyber Security Network and ASPI’s International Cyber Policy Centre. It was made possible thanks to a research grant provided by the Sydney Policy Lab. We also thank our research assistant Bryce Pereira, as well as the other experts and visionaries who provided helpful comments and feedback.

@SydneyCyber – https://sydney.edu.au/arts/our-research/centres-institutes-and-groups/sydney-cybersecurity-network.html

ASPI International Cyber Policy Centre

The ASPI International Cyber Policy Centre’s mission is to shape debate, policy and understanding on cyber issues, informed by original research and close consultation with government, business and civil society. It seeks to improve debate, policy and understanding on cyber issues by:

  1. conducting applied, original empirical research
  2. linking government, business and civil society
  3. leading debates and influencing policy in Australia and the Asia–Pacific.

We thank all of those who contribute to the ICPC with their time, intellect and passion for the subject matter. The work of the ICPC would be impossible without the financial support of our various sponsors.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.

© The Australian Strategic Policy Institute Limited 2018

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

  1. Department of Foreign Affairs and Trade, Australia’s International Cyber Engagement Strategy, Australian Government, October 2017, 7.
  2. For background, see Pierre Wack, ‘Scenarios: Shooting the Rapids – How Medium-Term Analysis Illuminated the Power of Scenarios for Shell Management’, Harvard Business Review (1985), 139-150; Peter Schwartz, The Art of the Long View: Planning for the Future in an Uncertain World, Doubleday, New York, 1991; Naazneen H. Barma, Brent Durbin, Eric Lorber, and Rachel E. Whitlark, ‘“Imagine a World in Which”: Using Scenarios in Political Science’, International Studies Perspectives 17 (2016), 117-135.
  3. For example, see National Intelligence Council, Global trends: paradox of progress, January 2017.
  4. Center for Long-Term Cybersecurity, Cybersecurity futures 2020, online; Jonathan Reiber, Arun M Sukumar, Asian cybersecurity futures: opportunities and risk in the rising digital world, Center for Long-Term Cybersecurity.
  5. Among others, see William J Drake, Vinton G Cerf, Wolfgang Kleinwachter, Internet fragmentation: an overview, Future of the Internet Initiative White Paper, World Economic Forum, January 2016, online; Scott Malcomson, Splinternet: how geopolitics and commerce are fragmenting the World Wide Web, OR Books, New York, 2016; Davey Alba, ‘The world may be heading for a fragmented “splinternet”’, WIRED, 7 June 2017.
  6. Graham Allison, ‘The Thucydides trap: are the US and China headed for war?’, The Atlantic, 24 September 2015.

Identity of a nation

Protecting the digital evidence of who we are

Foreword

By far the greatest part of Australia’s discourse on cybersecurity is focused on the protection of systems: the software, the hardware and the communications networks that provide the access, storage and carriage of sensitive information. Without doubt, this is vitally important. After all, it is within the systems of information management that cyber vulnerabilities exist, and it is through understanding the capabilities of adversaries and vulnerabilities of systems that security can be strengthened.

But the thorough analysis of security threats requires more than just ‘capability’. We also need to assess ‘intent’. And more often than not, the intent that motivates a cyberattack is access to data. It’s the data that needs to be protected from exfiltration, manipulation or destruction, because it’s the data that holds information critical to Australia’s agency and success as a sovereign nation. To date, however, there has been very little serious analysis of Australia’s critical data assets or the national policy settings required for the proper recognition and management of this important national resource.

This ASPI report fills that gap, and comes at a crucial time as all Australian Government agencies continue on the path of digital transformation. Anne Lyons has reminded us all that our national identity assets form the heart of who we are as a nation, and her recommendations provide a sharply focused action plan for a whole-of-government policy framework that looks beyond the temporary, technology-driven threats and vulnerabilities affecting the current generation of government ICT and addresses instead the very foundation of Australia’s digital future—the precious data that defines us.

David Fricker
Director-General National Archives of Australia,
President International Council on Archives


Impact

Throughout history, warfare has damaged and destroyed assets vital to nations’ cultural heritage and national identity. While physical damage is often clear and immediate, cyberattacks targeting a nation’s identity—its way of life, history, culture and memory—wouldn’t have the same physical visibility, but have the potential to cause more enduring and potentially irreparable harm.

In our increasingly digital world, it isn’t difficult to imagine the types of cyberattacks we’ll be likely to face and the degree of impact on irreplaceable national identity assets.

Consider the following:

  • The discovery that digital reference legal documents had been altered could bring the court system to a halt while the integrity of the entire system is reviewed.
  • The deletion, encryption or corruption of information relating to landholdings or births, deaths and marriages would cause widespread societal disruption, stopping everything from property sales to weddings.
  • A synchronised attack on half a dozen key historical archives—such as our entire newspaper archives, historical photo databases, war records and Indigenous archives—would cause an irreplaceable loss that would be likely to cause public outrage and a great collective sense of loss.
  • Because we haven’t anticipated sophisticated attacks against the organisations holding these assets and because they’re generally undervalued, the protections in place are inadequate. And it isn’t just nation-states, but cybercriminals and hacktivists who may cause serious damage.

This isn’t just an Australian problem. Institutions and governments internationally face the same issue as truth becomes a victim of information warfare, fabricated news, and increasing and evolving cyberattacks.

Our national identity assets are the evidence of who we are as a nation—our resources, our people, our culture, our way of life, our land, our freedom, our democracy. What if we had no evidence of who we are, what we own, who governs us, where we have come from?

What’s the problem?

Like other countries, Australia is focused on protecting its critical infrastructure from cyber threats; however, there’s a serious gap in how we approach the protection of our valuable digital national identity assets.

A cyberattack targeting national identity assets has the potential to cause major disruption and collective psychological damage. Such an attack would almost certainly lead to the further erosion of public trust in Australia’s democratic institutions and our reputation internationally. Our vitally important national identity assets aren’t adequately protected, and a long-term plan to protect them is lacking. The damage that their loss would cause makes them a tempting target for the next wave of cyber-enabled political and foreign interference.1

What’s the solution?

Gaps in our protection of national infrastructure and information security need to be addressed.

Australian governments—state and federal—need to begin a systematic effort to identify and value national identity data. A closer alignment between the professional fields of digital preservation and information security is required, and a stronger focus on information governance. Australian governments need to ensure that our critical government-held national identity assets are protected and that memory institutions charged with their care are adequately funded to do so.

Until these issues are addressed, this increasingly ‘invisible’ vulnerability means that the potential loss of the digital evidence of who we are as a nation remains a sleeping, but urgent, national security priority.

Introduction

Imagine this. You wake up in 2022 to discover that the Australian financial system’s in crisis. Digital land titles have been altered, and it’s impossible for people and companies to prove ownership of their assets. The stock market moves into freefall as confidence in the financial sector evaporates when the essential underpinning of Australia’s multitrillion-dollar housing market—ownership—is thrown into question. There’s a rush to try to prove ownership, but nowhere to turn. Banks cease all property lending and business lending that has property as collateral. The real estate market, insurance market and ancillary industries come to a halt. The economy begins to lurch.

At the same time, a judge’s clerk notices an error in an online reference version of an Act. It quickly emerges that a foreign actor has cleverly tampered with the text, but it’s unclear what other parts of the Act have changed or whether other laws have been altered. The whole court system is shut down as the entire legal code is checked against hardcopy and other records and digital forensics continue. Meanwhile, a ransomware attack has locked up the digital archives of Australia’s major media organisations and parallel archival institutions. Over 200 years of stories about the nation are suddenly inaccessible and potentially lost.

As the Australian public and media are demanding answers, the government is struggling to deal with the crisis. Hard paper copies of many key documents simply don’t exist.

National identity assets are the evidence of who we are as a nation—from our electronic land titles and biometric immigration data, to the outcomes of our courts and electoral processes and the digital images, stories and national conversations we’re having right now.

Increasingly, our national footprint and interactions are digital only, including both digitally born and digitalised material, all of which is increasingly being relied on as a primary source of truth—the legal and historical evidence we rely on now and into the future.

As companies, governments and individuals scramble to protect important data and critical systems such as telecommunications and power supplies from cyber threats, we overlook datasets that are perhaps even more valuable. They’re a prime and obvious target for adversaries looking to destabilise and corrode public trust in Australia.

With 47,000 cyber incidents occurring in Australia each year2 and a permissive global environment for cyber adversaries, information manipulation and grey-zone cyber conflict aimed at disrupting nations and in particular Western democracies, the threat to our national identity assets is real. Both state and non-state adversaries have the capabilities to disrupt, distort and expropriate national identity data. What’s been lacking to date is the intent to use them this way, and intent can change fast.

Keeping national identity assets safe and accessible is vital not only for chronicling Australia’s past, but for supporting government transparency, accountability, the rights and entitlements of all Australians and our engagement with the rest of the world.

This report explores the value of Australia’s digital national identity assets and the consequences of not protecting them. The need to protect them from theft, manipulation, destruction or unlawful action may seem a given, but this review has found that our vitally important sovereign national identity data and information isn’t being adequately protected and lacks a long-term protection or preservation strategy.

Report methodology

Many national data assets are held in government digital holdings, and those assets are the main focus of this report.

More than 20 organisations across government, academia and the corporate sector were consulted and surveyed as a part of this research. In addition, 70 experts on critical infrastructure, information security, cybersecurity, digital preservation, risk management, information governance, archives and data management were interviewed. Roundtable discussions were held to explore national identity data as critical infrastructure and the international experience, as well as two workshops exploring possible scenarios and consequences.

National Identity

Defining national identity

Australia’s national identity is difficult to define. It’s a complex, ever-changing, dynamic collective of Australians and our environment, history, geography, culture and outlook.

For some, it’s the feeling shared with a group of people about a nation, expressed through patriotism, national pride and a positive emotion of love for one’s country.3 It’s a construct of common points—national symbols, language, images, history, culture, music, cuisine, radio, television, landforms—and it’s expanding. It’s the collective experience of who we are as a nation, and, while it crosses public, private and personal information, this report primarily focuses on national identity assets in government digital holdings as a key ingredient in identity and in the functioning of our nation.

Digital national identity assets are the evidence of our national identity

National identity assets are the evidence of who we are, how we see ourselves and how we relate to the rest of the world. They include high-value personal, social, legal, democratic and historical data, such as records of births, deaths and marriages; immigration records; land titles; the decisions of our courts and parliaments; and the many stories told on our screens and airwaves through social and electronic media.

Digital assets include data, digital information, multimedia, imagery and sound. They’re both digitally born (created digitally) and digitalised (analogue material digitised and available electronically). It’s our digital heritage, being created now, that defines our unique Australian identity and is essential for the functioning of our democracy, our society, our culture and our legal system.4

This report doesn’t set out to define or describe all of Australia’s national identity data and digital information, but it does recommend developing a way of identifying and valuing those assets to enable appropriate protection.

Some examples of digital national identity assets include:

  • Digitally born identity assets
    • Hansard (Department of Parliamentary Services, Parliamentary Library)
    • Indigenous War Service Project (Australian National University, Australian Institute of Aboriginal and Torres Strait Islander Studies)
    • evidence and findings from royal commissions (National Archives of Australia)
    • Australian Web Archive (National Library of Australia)
    • ABC Digital Library
    • Lindt Café siege social media collection (State Library of NSW)
    • passport biometrics and passenger arrivals (Department of Foreign Affairs and Trade, Department of Home Affairs, Border Force).
  • Digitalised assets
    • convict records (NSW and Tasmanian archives)
    • Australian Institute of Aboriginal and Torres Strait Islander Studies photographic collection
    • newspaper collections (National Library of Australia and state libraries)
    • World War I records (National Archives, Australian War Memorial, NSW State Library)
  • Hybrid analogue/digital assets
    • Fairfax photographic collection (Fairfax Media)
    • High Court decisions (High Court of Australia)
    • births, deaths and marriages records (state and territory government agencies and archives)
    • parliamentary papers and decisions (federal, state and territory parliamentary departments)
    • immigration records (Department of Home Affairs, National Archives of Australia)
    • property ownership records (state and territory government agencies and archives)

Failure to protect national identity assets

Yesterday, the Australian Electoral Commission, the Department of Home Affairs and the NSW Lands Department discovered discrepancies in their election results databases, the public electoral roll, electronic land title registrations and citizenship data. Investigations haven’t identified when the problems occurred. The discrepancies make it difficult to rely on the validity of their data holdings. 

At the same time, the Department of Parliamentary Services received an anonymous report that over the past 12 months changes have been made to Hansard report proofs online. They have five days to remedy the issue before the source goes public, while public complaints, mainly through social media, have already started about digital images and material previously on the website that’s no longer available, particularly Hansard reports of new parliamentarians’ maiden speeches in the Senate and House of Representatives.

A few days ago, the daughter of a World War II veteran was interviewed on ABC Radio’s morning program in the Northern Territory. She had written to the Attorney-General complaining that her father’s war service record is no longer available. An investigation by the National Archives of Australia found that all the digitised service records for World War II on its website have been removed from the database holding and displaying them, and been replaced with images of Donald Trump, Xi Jinping, Angela Merkel and other world leaders.

Today, a major story was leaked to The Australian newspaper that implicated Australian companies involved in the 2006 royal commission into the Iraq oil-for-food program. The leaked documents were released to the public by Wikileaks. Those records are held by the National Archives. Wikileaks also announces that it will shortly be following up the leak with a release of the 2016 Census, which is supposed to be held by the National Archives and not released until 2115.

This is a fictional scenario created by the author.

Issues

A sleeping giant

The increasing vulnerability, invisibility and online exposure of our digital identity is an underappreciated national security issue.

In a global environment of increasing cyberattacks, capable state and non-state actors, information espionage and grey-zone cyber conflict aimed at disrupting nations, the threat to our national identity assets is real.

States such as Russia have demonstrated their intention to disrupt and undermine Western democracies,5 and obvious future targets for such attacks are national identity assets that are poorly protected and offer high-impact results if disrupted, corrupted or destroyed. With more than 30 countries known to possess offensive cyber capabilities,6 and cyber capabilities being in reach of non-state actors from individuals to cybercrime organisations, the number of potential adversaries able to target our national identity assets is significant and increasing.

We’ve bought into the fiction that all of the information we could possibly want to access is there, all of the time—and for all time. But the truth is that the access of future generations to our recent history is more precarious than ever.

—Kylie Walker, Chair, Australian National Commission for UNESCO

Because we’re a liberal democracy, Australian society relies at its deepest level on the trust of the citizen in the state.7

National and state government archives play the role of ‘impartial witnesses’, identifying and holding this information and holding the government to account under the rule of law and in the ‘court’ of history. Many other institutions have additional holdings that collectively form our national identity assets. We need to trust that these impartial witnesses can identify, keep and preserve this evidence. This is a matter of national security and is at the heart of our society.

Previously, victors rewrote history. Now, in the digital age, our adversaries could rewrite our present. If we aren’t vigilant, we run the risk that adversaries could destroy or manipulate our national identity assets, compromising the digital pillars of our society and culture.

If our land titles or our citizenship records were altered, what would be the result? If we lost our immigration and births, deaths and marriages data, how could you prove your citizenship? And what if that information were compromised and unreliable? What would be the authoritative source of information about Australians and their citizenship?

Public trust and perceptions

If you can’t trust the truth holders, then who can you trust?

—Rachel Botsman8

The biggest impact from an attack on national identity assets would be the resulting corrosion of trust in public institutions. As Russian interference in other countries’ elections has demonstrated, the erosion of trust is more corrosive to democracy than the win or loss of any particular candidate. Attacks on truth and trust affect individuals and nations and, while just one breach can erode trust, a concerted campaign can do much more. As US academic and commentator Zeynep Tufekci so accurately describes, ‘we are in an era where misinformation thrives and even true information can confuse and paralyse rather than inform and illuminate.’9

When more than 600 fake Facebook accounts were uncovered, linked to Russian and Iranian influence campaigns, a false and disingenuous dialogue and history were created.10 We’ve already seen the manipulation of video become a reality,11 and, as Peter Singer describes in his latest book, Like war, propaganda has been weaponised en masse and is now threatening democracies.12 Fraud and fakery aren’t new—they’re just happening in a new hi-tech domain, with the potential to do much greater damage at scale. It’s inevitable that they’ll expand into historical data and information. 

For example, in 2008 a British historian added 29 fake documents over five years to write a fake history of members of the British royal family collaborating with the Nazis during World War II.13 Closer to home, between 2007 and 2015 the Western Australian Registrar of Births, Deaths and Marriages removed vital information about Aboriginality and illegitimacy from birth certificates because the registrar deemed it too distressing for people.14 While not fraud, or an external attack, it was an intentional changing of evidence that could have major repercussions personally, socially and historically.

Cybercriminals have already taken individuals’ and organisations’ data ‘hostage’ by encrypting it and demanding ransom to decrypt it. The good news is that this has yet to happen to national identity holdings.

As the physical world meets the digital world, protecting and securing authentic data has become an ongoing challenge. So, who will hold the source of truth, and how will people know whether they can trust the source?

Vulnerability and invisibility

Recent studies by the University of NSW and University of Canberra identified examples of Russian targeting of Australian voters in 2017.15 Our universities, businesses and governments are under constant attack; 400 Australian companies were targeted in 2017.16 Countries such as Israel,17 Iran,18 North Korea, China19 and the US20 are also known to have publicly used malicious cyber actions against other nations, including Australia.21

A future frontier for these attacks is likely to be national identity assets, but despite this there’s a lack of engagement and awareness in government and the community about the safety and security of those assets and the government institutions that hold them, and a lack of care about data and information security more generally.22

Our critical infrastructure, defence, border security, privacy, personal information and economic assets attract the headlines, the attention and ultimately the dollars. There’s no strong narrative about the need to protect holdings of digital national identity assets nationally or internationally. Many memory institutions find it difficult to be heard and secure funding, except when the need involves Australia’s military history, or when a tragedy occurs, such as this year’s devastating fire at Brazil’s National Museum.23

The ravages of time

Digital assets aren’t as resilient as most analogue or paper forms and decay over time, including through degradation, obsolescence or the breakdown of computerised information. All digital material is prone to some sort of decay (sometimes known as ‘data rot’).24 This doesn’t take long, particularly with the current speed of technological change and growth in the quantity of data.

All organisations need to be aware of potential decay that can make their information and data unusable.

Resourcing and capability of institutions

Australia’s ultimate information and data custodians—the memory institutions, such as national and state archives, records organisations, libraries and other cultural institutions—struggle to keep even their basic services afloat, let alone to protect and preserve digital heritage and national identity data.

The current parliamentary review of national institutions in Canberra is evidence of that.25

The committee has received numerous submissions and testimonials from the heads of cultural institutions decrying the consequences of continued funding cuts.26 Although a handful of agencies have recently received one-off funding for digital initiatives, the National Archives of Australia, which holds some of the government’s most valuable and sensitive information, unsuccessfully sought funding to build a secure digital archive five times over the past 10 years. Recently, it received an adverse finding in the Australian National Audit Office’s latest cyber resilience audit for not meeting all essential information security requirements.27

Fair funding

A great deal of effort, funding and focus is placed on protecting critical infrastructure such as roads, communications and ports, as well as classified and sensitive information, but the same can’t be said of our national identity data, or of the national and state institutions that protect and provide access to those digital assets.

Digitalisation of information is only going to increase; most Australian governments are committed to being fully digital within the next few years. As custodians of the bulk of national identity data, government agencies have a responsibility to protect it from birth over its life. And, with the creation and retention of fewer paper traces, accessing and preserving this information is becoming more complicated.

Of the 20 government agencies and universities surveyed as part of this project, the rate of change, scale, complexity and resourcing were identified as the biggest problems facing them in their quest to protect our digital information and assets.

Figure 1: Some survey results

A crowded ungoverned space

The plethora of information, data, cyber and security protocols, strategies, policies, frameworks, legislation and agencies involved at the federal and state levels in Australia is confusing and inconsistent. At least 20 organisations are involved in information and data policy, protection and management in the Australian Government space alone. 

In 2015, when it released its Digital Continuity 2020 policy,28 the National Archives of Australia had already recognised the urgent need for information governance, and this was reiterated in the Open Data Initiative as part of Australia’s first Open Government Partnership National Action Plan in 2016.29 The Digital Continuity 2020 policy required agencies to have information governance frameworks and information governance committees in place by June 2016. By September 2017, only 64% of Australian Government agencies had achieved the latter.30

This policy needs to be extended to include governance and coordination at the whole-of-government level to ensure the robust and reliable management of national identity data.

The way forward

Include national identity assets within the critical infrastructure framework

Government archive material must be considered as equivalent to any critical national infrastructure, given its value to national identity, values, history.

—David Irvine, Chair, Foreign Investment Review Board

Critical infrastructure is firmly in the sights of those conducting cyberwarfare and industrial sabotage.31 Cyberweapons can turn off power grids, derail trains, cause offshore oil rigs to list, turn petrochemical plants into bombs and shut down factories.32

Attacks are increasingly common and becoming more sophisticated. Ukraine’s energy sector was the target of a Russian cyberattack in 2015 that caused power outages that affected more than 200,000 citizens,33 and in 2017 there was an alleged Russian state hack of US electricity companies.34 Both Iran and Russia have been linked to an attack on a petrochemical plant in Saudi Arabia in 2017 that was described as a new kind of cyber assault designed to trigger an explosion.35

Like other countries, Australia is focused on protecting its critical infrastructure. However, there’s a serious gap in our approach, which currently doesn’t include the protection of national identity assets.

Digital national identity assets underpin our democracy

Australia’s Critical Infrastructure Centre describes critical infrastructure as underpinning the functioning of Australia’s society and economy and integral to the prosperity of the nation.36 National identity assets do all that and more—they also underpin our democracy—and should be considered as part of the nation’s critical infrastructure.

Attacks on governments show that we must recognise the threat posed by cyberattacks not only to critical infrastructure services, but also to democratic functioning and government continuity.37

Data and information don’t fit within the traditional conception of critical infrastructure. In Australia, ‘critical infrastructure’ is taken to mean the supply chains, information technologies and communication networks, the destruction, degradation or lengthy unavailability of which would significantly damage the social or economic wellbeing of the nation or affect our ability to conduct national defence and ensure national security.38

Australia has eight critical infrastructure sectors: banking and finance; the Australian Government; communications; energy; food and groceries; health; transport; and water.

There’s an argument that, if national identity assets were included, the existence of digital and analogue information would require differing control measures and consequential tighter controls, making it harder to access, or measures to replicate data holdings so that disruption and manipulation can be dealt with by turning to authoritative alternative holdings. Also, if whole systems—hardware, software, personnel, data and information—are considered critical, that could lessen the meaning and idea of ‘critical’.39

While defining the strict parameters of national identity assets might be problematic, that can be broadly overcome by focusing instead on the organisations that create, keep and preserve them. The intrinsic value of Australian Government national identity assets, such as those held by the National Archives and National Library, should be recognised as part of the Australian Government critical infrastructure sector. Consideration should also be given to how similar assets of state governments should be protected.

Estonia, a country recognised for e-government, has acknowledged the vulnerability of its data and information and is replicating its critical government data in Luxembourg in what’s been called a ‘virtual embassy’ to protect it and ensure that government and services will be uninterrupted in the case of an attack on Estonia.40

The closest Australia has come to officially considering data and digital information as critical infrastructure was the 2017 public consultation on the Security of Critical Infrastructure Bill, which asked whether data centre assets should be included.41 They weren’t. 

Increased focus on data security

Despite this, during 2018 there’s been an increased focus on data security and engagement by the Australian Critical Infrastructure Centre, which is working with the Australian Cyber Security Centre and the Digital Transformation Agency on whole-of-government infrastructure.42 But this isn’t just about systems, security and services. We need to go one step further and consider the data held within them. 

The Australian Productivity Commission’s 2017 Data availability and use report noted that data is an asset, and that there are plenty of datasets and collections the degradation or unavailability of which ‘would significantly impact the social or economic wellbeing’ of Australia.43 

Australia’s electoral roll and Census data are two such cases. The latter not only guides the allocation of much government funding, but also helps to determine electoral boundaries—a key component of our democratic process. As noted by the Productivity Commission, if it were to be compromised that would jeopardise public trust.

There’s valid evidence of a pressing need to review what critical national identity assets are and to include national identity and high-value data within Australia’s critical infrastructure framework.44 We also need to investigate a legislative response to how they should be managed and evaluated nationally, supported by the Australian Trusted Information Sharing Network and focusing on those assets in the critical infrastructure sectors and the states and territories.

We protect what we value

If Australia were a person, and her digital house was on fire, what would she grab and load in her car to save? What would be ready and in a convenient location, so that she could pick it up and run?

Sometimes it takes a disaster before a new or upgraded system is funded.

There’s a disconnect between how we value and how we protect our data and digital information. Currently, more focus and value are placed on the security of classified, national security and personally identifiable information. As a result, the systems that hold and manage that information are prioritised.

The volume of digital information and data is increasing at a rapid rate, and the percentage that needs to be kept for business, legal, evidentiary and archival purposes is also growing.45

Valuing digital identity assets

There’s also no standard, guidance or formula for valuing digital information and data, or any requirement to report data assets in financial reports. In the case of digital national identity assets, there’s no long-term view on their value or their protection, although many memory institutions do include them in financial reporting.

While there’s an accounting standard for valuing cultural and scientific collections, that’s primarily for physical collections. Valuing digital assets is proving more difficult. The valuation industry has developed varied approaches and methodologies and, depending on the volume and complexity, such valuations can come at a significant cost.

What’s being done

The NSW Government is currently valuing its digital collections, and the Australian Bureau of Statistics is valuing its Census data. In 2014, the New Zealand Bureau of Statistics valued its 2013 census data at $1 billion,46 and in 2016 the Australian Bureau of Communications Research estimated that Australia’s open data was worth $25 billion per year, or 1.5% of Australia’s GDP.47

We need to do more about standardising the way we value our national identity assets.

The inability to access, understand and adequately discriminate between what’s valuable and what isn’t is a key challenge, as is maintaining appropriately skilled people to ensure quality, accuracy and analytics, including privacy and ethics considerations.

In 2016, American historian Abby Rumsey argued that we’re now so far ahead of ourselves in the accumulation of data that we may never catch up or truly understand its significance.48 And data is only valuable if it can be explored and we can get insights and information from it.49 We may have a future in which a generation of history is lost because it doesn’t exist or is inaccessible.

A simple way to identify, assess and value national identity data and information needs to be developed, along with a consequence framework to assess the impact should it or its provenance be lost or damaged.

Security, preservation and governance

We have to value our government data holdings as a national asset and within government we have to adjust our behaviours and our policies accordingly.50

—David Fricker, Director-General, National Archives of Australia; President, International Council on Archives

Protection of national identity assets is far more than information and cybersecurity.

Internationally, there’s a large ‘infosec’ industry, which continues to grow. Governments and a swag of organisations and agencies are dealing in cybersecurity, information security, big data, privacy and information policy.

The glaring omissions are digital preservation and governance—not just for digital national identity assets, but for all business-critical information and data. This includes assets relied upon by the public and business for planning, redundancy and technology that can read the data 10 or 100 years from now.

This crowded landscape calls for a strategic and coordinated approach and stronger focus to address a major vulnerability that all organisations face—the integrity, reliability, authenticity and accessibility of digital assets now and into the future, whether it’s three years, thirty-three or forever, as with national identity assets.

Earlier adoption of digital asset preservation

Digital preservation isn’t widely understood or practised except by organisations with dedicated preservation functions. Even then, digital preservation usually involves work streams and professions separate from information security functions. Digital preservation is essential for digital authenticity, reliability and access over time, and is far more than just creating a backup. It ensures the accurate rendering of authentic content over time, including protection from medium failures and software and hardware obsolescence.51

The 2017 edition of the Australian Government’s Information security manual includes no digital preservation requirements, other than backup for business continuity and disaster recovery.52 The 2018 manual will expand backup requirements to ensure that information can’t be manipulated or changed, and the author understands that, based on the recommendations of this report, digital preservation is being considered for inclusion from 2018 onwards to guide those Australian Government agencies with national identity and high-value assets.

Increasingly, blockchain technology is being used by industry and government to assure transactions and services, the most recent such use being the pilot rollout of NSW digital drivers’ licences.53 This should continue to be explored to ensure the integrity of national identity assets. We need to start the conversation about digital preservation earlier, at the beginning and not at the end of digital asset creation. Along with information management, digital preservation must be considered by all organisations before they build or upgrade systems that create, use and keep valuable information and data for any length of time. This is for governance, discovery and access, and to ensure that the evidence remains authentic, can be migrated to and managed by memory institutions into the future, and be accessed and read whenever it’s needed.54

Information security reporting and audits

Currently the ‘confidentiality, integrity and availability’ security model is heavily weighted towards confidentiality. This imbalance is a vulnerability, and, despite improvements in cybersecurity,55 many organisations aren’t meeting this base-level security requirement. A recent audit by the Australian National Audit Office (ANAO) found that, out of three Australian government agencies, only one was cyber resilient.56

While the Australian Cyber Security Centre (ACSC) surveys the status of information security in the public and private sectors,57 it’s difficult to assess just how safe Australian organisations are and what they’re doing to ensure that their systems and data are safe. Further work is needed in this space to audit data authenticity and to check for evidence of manipulation or change. This would require new methodology and practices—possibly drawing on digital preservation skills and approaches—that should eventually become business as usual.

There’s no independent or public reporting of the state of cybersecurity within individual organisations, or a ‘state of the nation’ report on how agencies and businesses are managing and protecting data.

Public self-reporting is needed, and more transparency is one of several recommendations made by the ANAO in its 2018 cyber resilience audit.58 A snapshot or dashboard showing how Australian organisations are performing in cybersecurity should also be developed as part of the ACSC’s annual survey.

Lack of coordination and information governance

Immediate business needs tend to overshadow the way information is governed and managed.

Many government and private-sector organisations are easy prey to cyberattack, not just because of weak cybersecurity, but because of the absence of a comprehensive whole-of-organisation view on how all information and data assets are to be managed and protected.

There’s an urgent need to implement better information governance across the public and private sectors in order to protect Australia’s digital national identity assets.

Policy recommendations

  1. Australia’s national identity and high-value data and information, the destruction or corruption of which would have a serious impact on our sovereignty, should be recognised as part of our critical infrastructure framework.
  2. The Trusted Information Sharing Network should examine existing coverage of vulnerabilities and establish a dedicated forum on that data and information.
  3. The Australian Government should explore a legislative response to managing and evaluating that data on a coherent national basis.
  4. National security agencies should engage with the National Archives of Australia to undertake a risk assessment of the archives’ digital national identity assets and jointly develop proposals to defend them from future attack.
  5. The National Archives of Australia should use its legislated powers to prescribe what government information and data constitutes national identity assets and set mandatory management and governance standards to ensure, protect and maintain the long-term integrity and reliability of those assets.
  6. The Australian Productivity Commission should explore the value of digital national identity assets to Australia, defining the parameters to be considered in identifying and valuing them and the cost should they be destroyed or manipulated, or should trust in their authenticity and reliability be eroded.
  7. The Australian Government, through the Department of Finance, should investigate and provide guidance and standards for agencies to assess the value of their information and data assets.
  8. The Australian Government, through the Department of Finance, should develop a tool to assist organisations to assess the value of their data and digital information, to assist in developing strong business cases for protection.
  9. A new funding model for memory institutions should be explored by Australian governments to help protect digital national identity material.
  10. Digital preservation principles should be built into information security requirements, such as those in the Australian Government’s Information security manual.
  11. The Digital Transformation Agency, in conjunction with CSIRO’s Data61, should explore the use of blockchain technology to track, record and ensure the provenance of national identity and high-value data.
  12. The ACSC should produce a ‘state of the nation’ report on cybersecurity health and readiness.
  13. All public, private and community sector organisations holding national identity assets should be encouraged to publicly report their annual cyber resilience status.
  14. The ANAO, in conjunction with the ACSC, should explore the creation of an authenticity audit, so that internal and external auditors can assess digital assets on a scheduled, regular basis, employing a standardised methodology.
  15. All Australian governments (federal and state) should better coordinate their information, data and related cyber policy agencies and strengthen information governance as the overarching requirement, incorporating all elements of information management, security, privacy and data management.

© The Australian Strategic Policy Institute Limited 2018

Images: ‘Faces of Australia’ from the National Archives of Australia. Design by Lora Maricic. 
Cover animation by Wes Mountain. ASPI ICPC and Wes Mountain allow this image to be republished under the Creative Commons License Attribution-Share Alike. Users of the image should use this sentence for image attribution: ‘Illustration by Wes Mountain, commissioned by ASPI’s International Cyber Policy Centre’.

  1. Kelsey Munro, ‘Foreign interference in elections “will be repeated”: former US cyber tsar’, SBS News, 22 February 2018, online; ‘Five Country Ministerial 2018’, Department of Home Affairs, 29 August 2018
  2. Dan Tehan, ‘Silent dangers: launch of the Australian Cyber Security Centre’s 2017 threat report’, National Press Club address, 10 October 2017
  3. JC Turner, ‘Some current issues in research on social identity and self-categorization theories’, in N Ellemers, R Spears, B Dossje (eds.), Social identity: context, commitment, content (6–34), Blackwell, Oxford, UK, 1999.
  4. Eliza Chapman, ‘Should data be considered critical infrastructure?’, The Strategist, 18 April 2018
  5. Jeremy Herb, Lauren Fox, Manu Raju, ‘Senate committee agrees with intelligence community assessment of election meddling, breaking with GOP House investigation’, CNN, 16 May 2018, online; Culture, Media and Sport Select Committee, Russian influence in political campaigns, UK Parliament, 29 July 2018
  6. Steve Ranger, ‘US intelligence: 30 countries building cyber attack capabilities’, ZDNet, 5 January 2017, online; James R Clapper, Marcel Lettre, Michael S Rogers, ‘Joint statement for the record to the Senate Armed Services Committee: foreign cyber threats to the United States’, 5 January 2017
  7. Tim Gollins, ‘The national archives, big data and security: why dusty documents really matter’, in Jennifer Cole (ed.), Big data for security and resilience: challenges and opportunities for the next generation of policy-makers, proceedings of the Big Data for Security and Resilience Conference, March 2014
  8. Rachel Botsman, Who can you trust? How technology brought us together and why it might drive us apart, Penguin, 2017.
  9. Zeynep Tufekci, ‘How social media took us from Tahrir Square to Donald Trump’, MIT Technology Review, 14 August 2018
  10. Sheera Frenkel, Nicholas Fandos, ‘Facebook identifies new influence operations spanning globe’, New York Times, 21 August 2018, Ben Nimmo, Graham Brookie, ‘#TrollTracker: Facebook uncovers active influence operation’, @DFRLab, 31 July 2018
  11. Tim Leslie, Nathan Hoad, Ben Spraggon, ‘Can you tell a fake video from a real one?’, ABC News, 3 October 2018
  12. PW Singer, Emerson T Brooking, Like war: the weaponization of social media, Houghton Mifflin Harcourt, New York, 2018.
  13. Paul Lewis, ‘The 29 fakes behind a rewriting of history’, The Guardian, 5 May 2008
  14. Rebecca Turner, ‘“Aboriginal” redacted from birth, death, marriage certificates after being deemed an offensive term’, ABC News, 17 May 2018
  15. Tom Sear, Michael Jensen, ‘Russian trolls targeted Australian voters on Twitter via #auspol and #MH17’, The Conversation, 22 August 2018
  16. Stephanie Borys, ‘Russian hacking: up to 400 Australian companies caught up in cyber attacks blamed on Moscow’, ABC News, 17 April 2018
  17. Ellen Nakashima, Joby Warrick, ‘Stuxnet was work of US and Israeli experts, officials say’, Washington Post, 2 June 2012
  18. Patrick Howell O’Neill, ‘Cobalt Dickens threat group looks to be similar to indicted hackers’, Cyberscoop, 24 August 2018
  19. Jonathan Landay, ‘US intel chief warns of devastating cyber threat to US infrastructure’, Reuters, 14 July 2018
  20. Nakashima & Warrick, ‘Stuxnet was work of US and Israeli experts, officials say’.
  21. Nick McKenzie, Angus Grigg, Chris Uhlmann, ‘China uses the cloud to step up spying on Australian business’, Sydney Morning Herald, 20 November 2018
  22. David Donaldson, ‘Password123: public servants risk cyber attacks with weak security’, The Mandarin, 22 August 2018
  23. John McCormack, ‘Think the museum fire in Brazil can’t happen here? Think again’, Los Angeles Times, 9 September 2018
  24. Angela Stringfellow, ‘Digital decay: understanding digital decay, its impacts on modern business, and best practices for preserving digital assets and data’, MerlinOne, 5 March 2018
  25. Joint Standing Committee on the National Capital and External Territories, ‘Inquiry into Canberra’s national institutions’, Australian Parliament, no date.
  26. Sally Whyte, ‘More cuts will put national institutions’ “core purposes” at risk’, Canberra Times, 13 May 2018
  27. Australian National Audit Office (ANAO), Cyber resilience, report no. 53 of 2018–18, ANAO, Canberra
  28. National Archives of Australia (NAA), Digital Continuity 2020 policy, NAA, Canberra, 5 April 2018
  29. Department of the Prime Minister and Cabinet, Open Government Partnership Australia, ‘3.3—Improve the discoverability and accessibility of government data and information’
  30. NAA, ‘2017 digital continuity statement: whole-of-government snapshot’, NAA, Canberra, 2017
  31. Stephen Cobb, ‘Trends 2018: critical infrastructure attacks on the rise’, WeLiveSecurity, 30 May 2018
  32. Tim Johnson, ‘“Preparing the battlefield”: Hackers implant digital grenades in industrial networks’, McClatchy, 27 June 2018
  33. Donghui Park, Julia Summers, Michael Walstrom, ‘Cyberattack on critical infrastructure: Russia and the Ukrainian power grid attacks’, Henry M Jackson School of International Studies, 11 October 2017
  34. Kanishka Singh, ‘Russian hackers penetrated networks of US electric utilities: WSJ’, Reuters, 24 July 2018, online; US Computer Emergency Readiness Team, ‘Alert (TA18-074A): Russian Government cyber activity targeting energy and other critical infrastructure sectors’, 15 March 2018
  35. Nicole Perlroth, Clifford Krauss, ‘Cyberattack in Saudi Arabia had a deadly goal. Experts fear another try’, New York Times, 15 March 2018, online; David E Sanger, ‘Hack of Saudi petrochemical plant was coordinated from Russian institute’, New York Times, 23 October 2018
  36. ‘What is the Critical Infrastructure Centre’, Department of Home Affairs, no date
  37. Dante Disparte, ‘Cities held for ransom: lessons from Atlanta’s cyber extortion’, Forbes, 2 April 2018
  38. Trusted Information Sharing Network, ‘Critical infrastructure’, no date
  39. Chapman, ‘Should data be considered critical infrastructure?’.
  40. Daniel Cooper, ‘Estonia will back up its government in a “digital embassy”’, engadget, 22 June 2017
  41. Security of Critical Infrastructure Bill 2017, Australian Parliament
  42. Asha McLean, ‘Canberra to deliver platform and hosting strategies by November’, ZDNet, 7 May 2018
  43. Productivity Commission, Data availability and use, ‘Overview and recommendations’, report no. 82, 31 March 2017
  44. Chapman, ‘Should data be considered critical infrastructure?’.
  45. IDC, The digital universe of opportunities: rich data and the increasing value of the internet of things, ‘Executive summary: Data growth, business opportunities, and the IT imperatives’, April 2014
  46. Statistics New Zealand, Valuing the Census, New Zealand Government, April 2013
  47. Bureau of Communications and Research, ‘Open government and why it matters’, Department of Communications and the Arts, Australian Government, 8 February 2016
  48. Abby Smith Rumsey, When we are no more: how digital memory is shaping our future, Bloomsbury Press, 2015.
  49. Susan Bennett, What is information governance and how does it differ from data governance?, Sibenco Legal and Advisory, 2017
  50. David Fricker, ‘Government–citizen engagement in the digital age’, Senate Occasional Lecture, NAA, 28 April 2017
  51. Digital Preservation Coalition, Digital preservation handbook, ‘Glossary’, no date
  52. Department of Defence, Australian Government information security manual: controls, Australian Government, 2017
  53. Rohan Pearce, ‘NSW digital licence rollout driven by blockchain’, Computerworld, 10 September 2018
  54. NAA, Digital Continuity 2020 Policy
  55. Australian Cyber Security Centre (ACSC), 2017 threat report, Australian Government, 2017
  56. ANAO, Cyber resilience.
  57. ACSC, ‘Publications’
  58. Stephen Easton, ‘Auditor-General still waiting on cyber resilience in the Commonwealth’, The Mandarin, 25 July 2018, online; ANAO, Cyber resilience

Introducing integrated E-Government in Australia

Foreword

With the 2016 distributed denial of service attack on Australia’s first fully digital Census and Centrelink’s 2017 automated debt-recovery system glitches still fresh in our minds, it would be easy to pause in the pursuit of digitising government services.

The reality, however, is that there are compelling benefits to expediting government digital transformation, and the case for change is not simply one of customer convenience.

Deloitte Access Economics has estimated that the federal and state governments conduct 811 million citizen transactions each year. It calculated that lifting the share of transactions performed digitally from 60% to 80% over a 10-year period would lead to government productivity benefits worth $17.9 billion, plus a further $8.7 billion in benefits to citizens. 

But the benefits of integrated digital government services extend even beyond time and resources saved. Data is the fuel for many new business models and, according to OECD measures, right now Australia performs only moderately well compared to international peers, particularly in relation to the availability of open government data.

The OECD has estimated that adopting more data-driven decision-making in government has potential output and productivity benefits of 5% to 6% in the US, while improving data quality and access by 10% could increase labour productivity by an average of 14%. That can have additional flow-on effects across the economy. Almost 2 million people are employed in the three levels of government in Australia, meaning that 16% of the country’s 12.5-million-strong workforce is employed in the public sector.

This represents a strategic capability, enabling knowledge and skills transfer across the broader economy. Based on previous productivity gains from technology take-up, that can have significant benefits for Australia’s output. Further adoption of digital technologies across the economy has the potential to add an extra $66 billion to Australia’s GDP over the next five years alone.

So the case for change is clear; the question is really about how to do it. How do we maximise the opportunities, while best protecting citizens’ data and privacy? This policy brief is intended to start that conversation.

Yohan Ramasundara
President, Australian Computer Society

What’s the problem?

Australia was an early leader in the digitalisation of government services, and some Australian Government departments and state governments have continued to innovate and deliver enhanced services online. However, in the global context, Australia has now fallen behind and has so far failed to adopt an integrated approach to e-government that joins up all government services across all three tiers of government. For citizens, this makes life harder than it needs to be and consumes time that could be spent on other things.

For businesses, it increases transaction costs. Although existing user interfaces are logical and user-friendly, there’s still only a limited number of third-stage e-services enabling two-way interactions between citizens and governmental institutions.1 Critical missing pieces inhibiting the flourishing of e-services are a properly functioning digital identity ecosystem and a digital signature.2

What’s the solution?

The Australian Government should launch a consultation with the states and local governments to develop an integrated approach to e-government that joins up all services from all three tiers of government. The model will need to be customised to Australia’s unique circumstances but should be designed to reduce business transaction costs, allow citizens to engage seamlessly with the federal, state and local governments and prioritise citizens’ control and ownership of their data.

A decentralised architecture should be used to ensure there’s no single point of failure and to allow easy and secure integration with existing digital government platforms. The federal government should provide essential enabling systems: 

  • a digital identity (eID)—one has already been developed by Australia Post, and a second is being built, but significant work is needed to allow eID to take root
  • the legal, organisational and technical preconditions for a digital signature—legislation should ensure that the digital signature has equal legal weight to a traditional handwritten signature
  • secure data exchanges between different government IT systems.

Introduction

Integrated Australian e-government would mean that less of citizens’ and businesses’ time would be wasted engaging with government. A digital signature would make official transactions simple: signing contracts or submitting applications could be done in moments. Mindless hassles when moving between jurisdictions (such as swapping licences from one state to another) would evaporate overnight; there would be no need to conduct 100-point identity checks in person, and time-consuming visits to physical government offices would become a thing of the past. In Estonia, where e-government is a national passion, officials estimate that these efficiencies lift annual GDP by 2%.3

While many government departments already have user-friendly online portals, and some states have begun integrating several services within single online platforms (such as Service NSW and Service Victoria4), Australia has yet to attempt a citizen-centric approach that makes citizen and business engagement with all three tiers of government seamless. It also lacks critical enabling systems. The major building blocks needed to achieve an integrated approach to e-government are an integrated government back office and a simple, easy-to-use and secure eID and digital signature. 

That isn’t to downplay the practical challenges of joining up three tiers of government that have historically resisted cooperation or the attention to detail needed to address cybersecurity challenges. Joined-up e-government is nonetheless essential to a high-functioning 21st-century economy and should be attempted.

E-government in Australia

Australia was initially quick to join the global e-government trend, and even developed an international reputation as an early leader in this area (peaking around 1999).5 However, a joined-up approach to e-government wasn’t achieved.6 The success of some large departments, such as the Australian Taxation Office and Centrelink, has depended more on a joined-up ‘front end’ than on an integrated back end that allows citizens to engage with government seamlessly.7

A national identification scheme (the Australia Card) was proposed in the 1980s. However, the Australia Card Bill generated significant public concerns about privacy and was defeated in the Senate.8 In 2006, Prime Minister John Howard made another attempt with the Access Card,9 before it too was shut down by the Rudd government in 2007.

The Electronic Transactions Act 1999 meant that when entities were required under federal law to give information in writing, provide a signature or produce a document, they could do it electronically.

However, the Australian Government and state and territory governments exempted a large volume of legislation from the operation of the Act. While the Act was an enabler, it didn’t create a ‘unique and un-forgeable identifier that can be checked by the receiver to verify authenticity and integrity and provide for non-repudiation’.10

At the end of the 1990s, the Department of Communications, Information Technology and the Arts was a central player in the coordination of e-government. Two units were created within the department: the Office for Government Online and the National Office for the Information Economy (NOIE), which provided advice and support to the government on internet-specific matters.11 Some of the functions of the NOIE were subsequently taken over by the Australian Government Information Management Office, which was established in April 2004.

However, government departments and agencies had variable reputations, and innovative cross-government projects usually originated from the biggest departments.12 To an extent, that’s still the case, but with more coordination. In general, the major electronic players (such as the Tax Office and Centrelink) and innovative state governments were leading the field, advising central agencies and driving central initiatives.13

In 2016, the federal government established a new agency to manage the government’s digital and ICT agendas: the Digital Transformation Agency (the successor to the Digital Transformation Office, launched in 2015). The agency aims to integrate digital delivery across the federal government and also enhance the transparency of the government’s ICT and digital projects. It covers strategic and policy leadership on whole-of-government and shared ICT and digital service delivery, including ICT procurement policy.14 The Digital Transformation Agenda, coordinated by the agency, foresees agencies and departments delivering ‘a range of initiatives that will provide benefits to all users and improve their digital experience’, including Single Touch Payroll; My Health Record; health payments; trusted digital authentication and verification; whole-of-government platforms; grants administration; and a streamlined online business registration service.15

The Trusted Digital Identity Framework outlines a consistent approach to digital identity in Australia and will be an important component of any integrated approach to e-government.16 Some $92.4 million in funding was secured in the 2018–19 federal budget17 to create the infrastructure that will underpin an eID (Govpass), and the government is aiming to roll out pilot services to half a million users by the end of June 2019.18 This will largely duplicate an eID recently launched by Australia Post called Digital iD. The challenges to the widespread rollout and adoption of eID in Australia are dealt with in a previous Policy Brief.19

States and local councils also deliver a range of services online. A leading actor is the New South Wales Government, which offers a single sign-on service for secure access to government transactions; more than 1.5 million customers have already signed up.20 Victoria is another leader. In May 2016, it released the Victorian Government Information Technology Strategy, which outlines steps the government is taking to improve the security of information and infrastructure critical to the proper functioning of e-government.

At the local government level, the City of Sydney is contributing to the open data movement by making accessible to the public an ever-growing range of data in a number of formats. The datasets provide information on environmental sustainability, transport, arts and culture, facilities, parks and more.21 Opening up data facilitates the creation and management of open services for the private and community sectors, increases transparency and stimulates the economy. It also decreases the number of information requests and reduces administrative workload.

An integrated approach to e-government in Australia

An integrated approach to e-government in Australia would require detailed consultations across all three tiers of government, and with business and the public. However, several principles derived from the experience of others can help frame the approach. 

The once-only principle

The once-only principle (OOP) is central to joined-up government. The EU addressed this in its eGovernment Action Plan 2016–2020, where the foundations for the EU Digital OOP are laid out.22 The OOP requires that individuals and businesses shouldn’t have to supply the same information more than once to public entities (for example, when notifying a change of address). This requires the existence of public-sector interoperability at different levels: organisational, legal and technical. The conceptual model of the new European Interoperability Framework foresees interoperability levels as integral parts of integrated public service governance, meaning that different public administrations work together to meet citizens’ needs and provide public services in a seamless way.23

A decentralised approach

Facilitating secure data exchanges and interoperability between different government agencies doesn’t require the creation of a single database (a so-called superdatabase) that consolidates all data from other databases. In fact, doing that poses serious security risks. A decentralised approach enables different databases and IT solutions in the three tiers of government to ‘talk’ to each other securely and solves the problem of how to integrate the myriad different government databases and systems that already exist. Four key elements underpin this secure exchange:

  • the identification of both the sender and the receiver of the data
  • the encryption of data exchanged to ensure the data is unreadable in case someone intercepts it
  • the time stamping of data transactions
  • a legal audit trail via archiving and logging of electronic records.

In Estonia, X-Road (Figure 1) is a distributed information exchange platform that makes it possible for different systems to communicate across the entire governmental sector.24

Figure 1: Estonia’s X-Road

A digital identity

Digital identity is central to e-government. It serves two main functions: proving one’s identity in the virtual space and verifying virtual transactions. Given the administrative division of Australia into six states and two territories, specific cross-border solutions promise added efficiencies. The EU has taken steps in the direction of cross-border electronic identification and trust services. Its eIDAS Regulation (no. 910/2014) ensures that people and businesses are able to use their own national eID schemes to access public services in other EU countries where such schemes are available. It also ensures the legal validity of digital interactions; that is, they have the same legal status as traditional paper-based transactions. The EU case highlights the need to provide a predictable regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities. With Australia Post’s Digital iD and Govpass, Australia is laying the foundation for a national eID, although some major questions remain to be addressed.

Privacy

Addressing privacy concerns through a citizen-driven e-government model is important in winning public support for integrated e-government, especially given the history of the failed Australia Card and scandals such as eCensus. Mutual trust is the key to interactions in which the government collects information about citizens and citizens provide their own data to the government. The principles of confidentiality, integrity and accessibility of data are all critical. Building trust between citizens and authorities is at the core of a working e-government model, so considerable emphasis should be put on communicating with citizens about how and for what reason their data will be processed by the government.

One lesson learned from abroad is the value of placing citizens in the driving seat. In Estonia, for example, every time a citizen’s personal data is accessed by a government agency, the individual user can see that access via a log and contest it if they believe it to be improper. Another example from Estonia is related to the right to choose whether to use digital identity or not. Those who do not want to use their digital identity can still use a physical service centre. Australia is also planning an opt-in approach to its new digital identity; however, it may become de facto compulsory if private-sector organisations are able to insist as a condition of service that it’s used (for example, to use online banking). Were that to eventuate, it would raise concerns about anonymity and the ability to not share information.
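The four elements listed under ‘A decentralised approach’ and the citizen-visible access log described above can be sketched together. This is an added example, not code from X-Road or from this report: the agency names, keys, field names and hash-chained log design are assumptions, HMAC with shared demo keys stands in for certificate-based identification of sender and receiver, and encryption of the payload is assumed to be handled by the transport and is not shown.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo secrets, one per agency (assumption: a real platform would
# identify members with certificates and digital signatures, not shared keys).
AGENCY_KEYS = {
    "tax-office": b"constructed-demo-key-1",
    "population-register": b"constructed-demo-key-2",
    "health-agency": b"constructed-demo-key-3",
}
GENESIS = "0" * 64  # "previous hash" value used by the first record
SIGNED_FIELDS = ("sender", "receiver", "subject", "purpose", "timestamp", "prev")


def canonical(entry):
    """Serialise the signed fields deterministically so both parties MAC the same bytes."""
    return json.dumps({k: entry[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()


def party_mac(agency, payload):
    """MAC that ties a record to one identified agency."""
    return hmac.new(AGENCY_KEYS[agency], payload, hashlib.sha256).hexdigest()


def seal(entry):
    """Hash the signed fields plus both MACs; the next record points at this value."""
    material = canonical(entry) + entry["sender_mac"].encode() + entry["receiver_mac"].encode()
    return hashlib.sha256(material).hexdigest()


def record_exchange(log, sender, receiver, subject, purpose, when):
    """Append one exchange: requesting agency, data-holding agency, whose data, why, when."""
    entry = {
        "sender": sender,
        "receiver": receiver,
        "subject": subject,
        "purpose": purpose,
        "timestamp": when.isoformat(),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    payload = canonical(entry)
    entry["sender_mac"] = party_mac(sender, payload)
    entry["receiver_mac"] = party_mac(receiver, payload)
    entry["hash"] = seal(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first altered, forged or orphaned record, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["sender"] not in AGENCY_KEYS or entry["receiver"] not in AGENCY_KEYS:
            return i
        payload = canonical(entry)
        intact = (
            entry["prev"] == prev
            and hmac.compare_digest(entry["sender_mac"], party_mac(entry["sender"], payload))
            and hmac.compare_digest(entry["receiver_mac"], party_mac(entry["receiver"], payload))
            and entry["hash"] == seal(entry)
        )
        if not intact:
            return i
        prev = entry["hash"]
    return -1


def accesses_for(log, subject):
    """The citizen's view: every time their record was requested, by whom and why."""
    return [(e["timestamp"], e["sender"], e["purpose"]) for e in log if e["subject"] == subject]


def build_demo_log():
    """Three constructed exchanges with fixed timestamps (sample data, not real records)."""
    log = []
    record_exchange(log, "tax-office", "population-register", "CITIZEN-0001",
                    "address lookup", datetime(2018, 11, 1, 9, 0, tzinfo=timezone.utc))
    record_exchange(log, "health-agency", "population-register", "CITIZEN-0002",
                    "eligibility check", datetime(2018, 11, 2, 14, 30, tzinfo=timezone.utc))
    record_exchange(log, "health-agency", "population-register", "CITIZEN-0001",
                    "eligibility check", datetime(2018, 11, 3, 10, 15, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("log intact:", verify_log(demo) == -1)
    for row in accesses_for(demo, "CITIZEN-0001"):
        print(row)
```

Because each record stores the hash of the one before it, editing or deleting an earlier record is detected at the first record whose chain or MAC no longer checks out.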

A joined-up back office

To provide easily accessible e-government services across all tiers of government, a joined-up back office is central. So far, the success of some major agencies, such as the Tax Office and Centrelink, has depended more on a joined-up ‘front-end’ (the interface between the user and the back office). As Catherine Garner has noted: ‘Improving Australia’s cross-agency collaboration and integration will provide efficient, dynamic systems with greater personalisation and support Australia on its journey to become an e-government leader’.25

Evaluating outcomes from government-funded services

The ability to evaluate outcomes of publicly funded services is an important means of measuring the effectiveness of the government services being provided to citizens. With strict privacy and information security practices applied, there would be value in evaluating outcomes from government spending at the population level, rather than on a simple agency-by-agency basis. There would be community benefits in making the secure, de-identified evidence base available for approved service improvement and evaluation of government-funded programs and policies.

Other issues

In addition to these guiding principles, Australia will need to resolve a number of other important issues. In summary, they include the need to:

  • ensure secure data exchange and security of data
  • manage the integration process and metadata related to systems and services (a clearly defined and regulated approval process, for example via the Office of the Australian Information Commissioner, is needed for adding new components or new services to ensure smooth integration and the maintenance of security and privacy standards)
  • ensure the right of all citizens using e-government services to easily access information about how government is using their data
  • ensure the right of citizens to decide who can access their data
  • ensure the right of citizens to decide whether or not to use their eID.

Lessons learned from abroad

To implement integrated e-government in Australia, work is needed at several organisational, legislative and technical levels. A few conceptual questions were important when Estonia was developing integrated e-government:

  • The question of how to identify people, businesses and real estate had to be addressed. In order to enable trustable and secure data exchanges between different databases and information systems, some identifiers for people, businesses and cadastral units are needed. In Estonia, ID numbers of people and businesses and also cadastral numbers are regulated by law and implemented in all databases and information systems. This is the precondition for secure and trustable data exchanges between different systems.
  • The digital ID and digital signature are issued by the same process.26 Private keys (for use by the public key infrastructure) are generated by a crypto-processor (chip) and aren’t downloadable.27 The eID and digital signature constitute a part of the government-issued and guaranteed infrastructure, which is used by both the private and the public sectors.
  • While an eID is obligatory if a citizen wants to use e-government services, the citizen isn’t obliged to use their digital identity (they can use non-eID-based systems if they prefer).
  • Finally, the citizen is the owner of their own data.28 They can control the use of the data managed by the government. The use of personal data is strictly regulated by law. Everyone can restrict the use of their data by blocking access to it if the law doesn’t specify otherwise.

Another lesson from Estonia concerns back-office integration. Several conceptual agreements underpinned the design of the country’s e-government architecture:

  • Decentralisation: The system is decentralised. There’s no single point of failure, and the central management of the system doesn’t ‘see’ the data, but only whether the system is working.
  • Ease of implementation: The system should be easy to implement. Government institutions shouldn’t need to change their existing systems and processes. Training on the integration of the systems should be offered to all technical experts working in e-government back offices.
  • Neutrality of technology platforms: The integration of systems doesn’t mean that all technical systems use the same platform. Usually, governments use a range of proprietary software platforms as well as open-source solutions and technologies developed by different vendors. Integrated e-government should accommodate those variances.29
  • Security of transactions: Integrity, confidentiality and non-repudiation (the assurance that a party to a contract or a communication can’t deny the authenticity of their signature on a document or the sending of a message that originated from them) should be guaranteed.30
  • Security of data and services: Data and services should be secured so they can be transferred via public networks. The use of the public internet should be enabled, and the development of separate (usually very expensive) government data networks should be avoided.
  • Agile planning and implementation: It’s necessary to avoid large, complex projects and instead develop a comprehensive general architecture that can be divided into small components, while still giving due consideration to security requirements.

Recommendations

We make the following recommendations for the further development of e-government in Australia.

  • Avoid large e-government projects. Agile development can minimise risks, enable faster results and avoid implementation challenges.
  • Establish a properly functioning secure eID and digital signature for each citizen. The eID should be simple and user-friendly, issued by government (similarly to passports) and guaranteed by law. It should be used for both e-government services and business e-services.
  • Back-office integration should be coordinated centrally but done in a decentralised way, enabling secure data exchange between systems connected via the internet. The integration platform should enable the integration of different technical platforms in different locations, in different legal environments and with different organisational set-ups. The integration platform should be as simple as possible and not require changes to existing back-office processes and systems. Process redesign can be done step by step.
  • A citizen-centric model is important to win public support for integrated e-government. It should allow people to control their private data and provide legal guarantees, supported by organisational and technical frameworks. Building trust takes time, so carefully planned communication between the government and citizens is critical, including building up and publicising a track record of competent and secure service delivery. This can be assisted by following basic design concepts and data protection principles when designing the eID and the back-office integration of IT systems.

Integrated e-government offers major benefits to businesses and citizens. It reduces the time and costs associated with transacting with government and with each other and makes life easier. A thoughtful approach to designing integrated e-government (such as decentralisation) will also mean that the risks of a data breach won’t be increased. Australia’s geography and population size don’t present any technical obstacles to rolling out a world-class e-government system.

The move to create digital identities in Australia also suggests growing political momentum to take a more holistic approach to e-government. If it’s citizen-centric, it could help win public support, too.


Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.


© The Australian Strategic Policy Institute Limited 2018
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers.

  1. The online sophistication ranking assesses service delivery against a five-stage maturity model: information; one-way interaction; two-way interaction; transaction; and targeting/automation. The fourth and fifth stages can be referred to as ‘full online availability’. For more information, see Capgemini, IDC, Rand Europe, Sogeti, DTi, Digitizing public services in Europe: putting ambition into action, 9th benchmark measurement, report for the European Commission, December 2010.
  2. The release of the South Australian Government’s digital driver’s licence is a useful case study, highlighting what’s possible, but also the critical missing piece for nationally consistent electronic identity and digital signatures, which inhibits the flourishing of e-services. See Department of Planning, Transport and Infrastructure, South Australian driver’s licences to go digital, South Australian Government, 22 September 2017.
  3. Charlemagne, ‘Estonia is trying to convert the EU to its digital creed’, The Economist, 6 July 2017.
  4. Along with the Australian Computer Society, both the NSW and Victorian governments contributed funding towards this research and the visit to Australia by Dr Arvo Ott.
  5. P Chen, RK Gibson, W Lusoli, SJ Ward, ‘Australian governments and online communication’, in S Young (ed.), Australian government communication, Cambridge University Press, Cambridge, 2007.
  6. The Australian Management Advisory Committee’s 2004 Connecting government report defined the concept of whole-of-government in the Australian Public Service as follows: ‘Whole-of-government denotes public services agencies working across portfolio boundaries to achieve a shared goal and an integrated government response to particular issues. Approaches can be formal or informal. They can focus on policy development, program management, and service delivery.’
  7. P Dunleavy, H Margetts, S Bastow, J Tinkler, ‘Australian e-government in comparative perspective’, Australian Journal of Political Science, 2008, 43(1):13–26.
  8. G Greenleaf, ‘The Australia Card: towards a national surveillance system’, Law Society Journal, 1987, 25(9), online; R Clarke, ‘Just another piece of plastic for your wallet: the “Australia Card” scheme’, Prometheus, 1987, 5(1):29–45.
  9. Office of the Access Card, How will the card benefit you?, Australian Government, no date.
  10. Attorney-General’s Department, The Electronic Transactions Act 1999, information sheet, no date.
  11. Also, in 1997 the new Liberal–National government launched a major central government outsourcing initiative in order to improve private-sector involvement in government. The aim was to outsource IT across the whole federal government. All departments and agencies were forced to outsource their IT operations to one of the largest international IT corporations with an Australian presence. In 2001, following critical reports from the Australian National Audit Office, the initiative was replaced by more conventional procurement methods. However, the same contractors continued to be important players, consolidating the IT market and leaving little expertise within the government, except for the largest departments. See Dunleavy et al., ‘Australian e-government in comparative perspective’.
  12. For instance, the Australian Taxation Office enables individual taxpayers and their agents to use the ‘e-Tax’ electronic tax return lodgement facility to prepopulate their tax returns with data provided through Medicare Australia and Centrelink. Dunleavy et al., ‘Australian e-government in comparative perspective’.
  13. Dunleavy et al., ‘Australian e-government in comparative perspective’.
  14. Eden Estopace, ‘Australia creates new digital agency to oversee government’s ICT projects’, EGov Innovation, 1 January 2016.
  15. Digital Transformation Agency (DTA), ‘Whole-of-government transformation vision’, in Digital Transformation Agenda, Australian Government, no date.
  16. DTA, ‘Consultation’, in Trusted Digital Identity Framework.
  17. Australian Government, Budget 2018–19, Budget paper no. 1, 1–22.
  18. Michael Keenan, ‘Delivering Australia’s digital future’, transcript, 13 June 2018.
  19. Fergus Hanson, Preventing another Australia Card fail: unlocking the potential of digital identity, ASPI ICPC, October 2018.
  20. Ping Identity, ‘More than 3 million sign up to NSW’s unified SSO portal’, 2018.
  21. City of Sydney, City of Sydney open data portal.
  22. European Commission, EU-wide digital once-only principle for citizens and businesses: policy options and their impacts, 1 February 2017.
  23. European Commission, The new European Interoperability Framework, 13 July 2018, online. The DTA also has a ‘tell us once’ principle; DTA, Digital Transformation Agenda.
  24. For more information about X-Road in Estonia, see Information System Authority, Data Exchange Layer X-Road, Republic of Estonia, 21 February 2017, online; and ‘X-Road’, Cybernetica, online. One video on e-Estonia is ‘Living in a digital society: e-Estonia’, YouTube, 21 May 2015.
  25. Catherine Garner, ‘Can Australia lead the world in e-government?’, The Canberra Times, 27 September 2016.
  26. More information on eID in Estonia is accessible at ID, online; and ‘Estonian e-identity corner stone: state issued national ID card’, YouTube, 10 July 2013.
  27. Key generation is performed on the user’s card and not by a central facility.
  28. Under the Archives Act, all data and information held by the government is owned by the government. Intellectual property may be owned by the originator of the data, but not the object within which it’s contained. Legislative changes are in train to expand the definition so that it isn’t just property based. Legal dilemmas beyond the scope of this paper include whether access approval can be separate from ownership and how far that extends. Another is what happens to and who owns personal data if someone dies.
  29. Integrated e-government inherently presents a large and attractive target for attack. To mitigate this, the basic systems participating as servers in this environment must meet ASD EPL levels of security compliance, preferably at EAL4+ and OSLSPP. OSLSPP enables full separation of data and processes with high trust.
  30. For some systems, such as those using Windows XP, this wouldn’t be possible to guarantee.

Mapping Xinjiang’s ‘re-education’ camps

This report by ASPI’s International Cyber Policy Centre collates and adds to the current open-source research into China’s growing network of extrajudicial ‘re-education’ camps in Xinjiang province.

The report contributes new research, while also bringing together much of the existing research into a single database. This work has included cross-referencing multiple points of evidence to corroborate claims that the listed facilities are punitive in nature and more akin to prison camps than what the Chinese authorities call ‘transformation through education centres’.

By matching various pieces of documentary evidence with satellite imagery of the precise locations of various camps, this report helps consolidate, confirm and add to evidence already compiled by other researchers.

Key takeaways

  • This ASPI ICPC report covers 28 locations, a small sample of the total network of re-education camps in Xinjiang. Estimates of the total number vary, but recent media reports have identified roughly 180 facilities and some estimates range as high as 1,200 across the region.
  • Since early 2016 there has been a 465% growth in the size of the 28 camps identified in this report.1 2
  • As of late September 2018—across the 28 camps analysed—this report has measured a total of 2,700,000 m2 of floor space, which is the equivalent of 43 Melbourne Cricket Ground stadiums.
  • The greatest growth over this period occurred across the most recent quarter analysed (July, August and September 2018), which saw 700,000 m2 of floor space being added across the 28 camps.
  • Some individual facilities have experienced exponential growth in size since they were repurposed and/or constructed. For example, a facility in Hotan that the New York Times reported on in September 20183 expanded from 7,000 m2 in early 2016 to 172,850 m2 by September 2018—a 2469.29% increase over an approximately 18-month period.
  • The growth in construction has increased at a considerably faster pace in the summer months, with a spike in construction during the third quarters of both 2017 and 2018.

Introduction

China’s censors have been expunging evidence of the country’s vast network of extrajudicial ‘re-education’ camps in Xinjiang province from the internet just as fast as researchers have been finding it.

From first-hand testimony to satellite imagery, researchers have now provided empirical data that authoritatively paints a picture of the extent of China’s biggest human rights abuse since the 1989 post-Tiananmen purge.

Word of this rapidly growing network of ‘re-education’ camps first started to spread with interviews of the relatives of detainees.4 Further research drew on information in public construction and service tenders which documented and detailed the sizes and security features of these re-education camps.5

Other documents such as public recruitment notices, government budget reports, government work reports and Chinese articles in local media and social media have helped to reveal details of how Chinese authorities are rapidly expanding this network of camps.

The cumulative effect of this onslaught of evidence, as well as condemnation from US lawmakers6 and the UN,7 has forced Chinese authorities to move from outright denial of the camps’ existence to a public relations offensive in which they present the camps as places for ‘free vocational training’8 rather than anything punitive.

This ASPI ICPC report contributes new research, while also bringing together much of the existing research into a single database. This work has included cross-referencing multiple points of evidence to corroborate claims that the listed facilities are punitive in nature and more akin to prison camps than what the CCP calls ‘transformation through education centres’.

The report matches the plethora of documentary evidence already uncovered with satellite imagery of this sprawling network of camps. The report takes a conservative approach in deciding what the likely use of each facility is. Each potential camp is assigned a red, orange or green tag representing our level of confidence based on the available open-source data.

The data

This report collects and collates a huge amount of data and attempts to include as much of it as possible in a database. Some subsets of the database are new—for example, our data on the growth in the size of these 28 facilities. Others have been identified by other researchers, NGOs or media outlets. Where possible, data from these sources has been included in the database, with citations and hyperlinks to the original work.

Brief summaries of the collected data are presented and tabulated in this report; however, using the accompanying database, it is possible to explore all data points in more depth and draw individual conclusions. 

The database is by no means an exhaustive list and it will continue to develop and grow as additional datasets are added.9 It is hoped it will provide media outlets, researchers and governments with current and useful information, and become a resource to which they can potentially contribute.

Camps that have multiple points of strong evidence are deemed to be internment camps and were marked green using the traffic light system. These points of evidence include, for example, facilities that are described as ‘transformation through education’ facilities in official documents, that this research has geo-located from tender documents, or that contain physical features captured in satellite imagery such as barbed wire, reinforced walls and watchtowers. 

Orange tags on other camps denote that comparatively less publicly available evidence exists from which to conclude the ultimate use of the facilities. Red camps denote minimal or incomplete evidence. Because of that lack of evidence, they have not been included in the public database.

This is not meant to suggest that the scope and scale of the system is small. Agence France-Presse (AFP) estimates there are at least 181 such facilities in Xinjiang,10 while research by German-based academic Adrian Zenz suggests there may be as many as 1,200 facilities.11

Instead, this report and its underlying database aim to create a repository of existing research into the Xinjiang camps in order to save for posterity the information that China’s censors are rapidly deleting from the public record.

Figure 1: Heat map showing the distribution and size of the 28 camps across Xinjiang province. The larger the combined size of facilities in an area, the darker the shade on the map. Kashgar City and its surrounds feature the highest density of facility floor space and are therefore likely where the greatest numbers of re-education detainees are held.

Figure 2: The cumulative floor area in the analysed facilities. Following the second quarter of 2017, many already-constructed buildings were converted into re-education facilities (separated into camps tagged green and orange). 

Figure 3: The rate of quarterly additional construction. Spikes can be seen during the summer months (third quarters) of 2017 and 2018. Growth so far in 2018 (1.169 million square metres) has already outpaced growth in the entirety of 2017 (918,000 m2).

Case studies

The devil is in the detail: The Kashgar City Vocational Technical Education Training Center12

Coordinates: 39°27’9.59″N, 76°6’34.24″E

Last month, Global Times editor Hu Xijin visited what he referred to as a ‘vocational training center’ in Kashgar. He posted a two-minute video of the trip on his Twitter account.13

Hu visited Middle School No. 4 located to the east of Kashgar City. This school, as well as Middle Schools 5 and 6, was under construction across the first half of 2017. Over the summer break, ovals at Middle Schools 5 and 6 were turfed with grass. These schools were being built adjacent to two other schools—the Kashgar City High School and the Huka Experimental Middle School (沪喀实验中学).

But by July 2017, when construction was complete, every ‘school’ building in the southwest of the facility (previously Middle School No. 5) was surrounded by tall fencing that had been painted green and topped with razor wire. By August, much of School No. 6 was enclosed with similar fencing. Upon completion in around November 2017, School No. 4 was also highly securitised and a tender was released calling for bidders to oversee and install new equipment, including a new surveillance camera system.14

In March 2018, one of the previously turfed sports ovals was demolished and replaced by four large six-storey buildings, totalling roughly 50,000 m2 of floor space. Each was surrounded by six 10-by-18 m fenced yards for detainees.

Kashgar City High School and Huka Experimental Middle School, only 50 m to the north of Kashgar Middle School No. 4, paint a dramatically different picture. Basketball courts are filled with students playing outside, and people can be seen in satellite imagery walking between buildings in the schools and on the large sports fields. 

The video posted by Hu Xijin of Middle School No. 4 on 24 October shows detainees dancing and playing table-tennis and basketball. However, this visit—and the footage shared on social media—may not reflect the regular daily experiences of the detainees.

Through satellite and imagery analysis—including imagery updated daily—we can determine that these courts are coloured mats that are recent additions to the camp. The mats were placed on a concrete-covered area that is normally bare and appears inaccessible to detainees.

Lifted edge of the basketball mat suggests that these courts are likely not permanent.

Across 25 satellite images between August 2017 and August 2018, which show the facility since its construction, not a single image featured these outdoor courts. But these coloured mats do appear in satellite imagery available from 10 October. Global Times editor Hu Xijin posted about his visit to these facilities on Twitter and Weibo on 24 October.15

The location filmed by Hu Xijin in Kashgar City Vocational Technical Education Training Center. Features outlined in the panorama produced from Global Times reporting correspond to outlines in the same colour in the satellite imagery.

Checking in with the Shule County Chengnan Training Center since the Economist’s May 2018 coverage16

Coordinates: 39°21’27.64″N, 76°3’2.39″E

On 31 May 2018 the Economist included satellite footage of the ‘Shule County Chengnan Training Center’ in a lengthy article it published on China’s ‘apartheid with Chinese characteristics’.17

We have tracked this camp’s enormous growth since the Economist article featured satellite imagery of the camp. Since March 2018, when that satellite image was taken, the facility has more than doubled in size.

Across the 2.5-year time period covered in this report,18 the facility has grown from 5 to 24 buildings or wings. Its total floor size has increased during that period from 12,200 m2 to 129,600 m2. This represents an increase in size of 1062.3%.

The camp is described in official documents as a ‘transformation through education’ facility, and a tender shows the involvement of the Shule County Justice Bureau.19 Through satellite and imagery analysis, the camp’s physical features—including barricaded facilities, watchtowers, and enclosures surrounded by barbed-wire fencing—can be clearly seen.

But the evidence base for this facility goes beyond satellite imagery, tenders and floor sizes. In addition, we have matched our satellite images to the first-hand accounts, street-view imagery and video footage published by religious freedom advocacy group Bitter Winter in September 2018.20

Bitter Winter’s evidence highlights several key features of the facility. Footage from newly constructed buildings shows the scale of the camp. The reporting detailed the structure of these facilities. Each floor consists of 28 rooms, and each room is monitored by two security cameras.

Footage acquired by Bitter Winter of the Chengnan Training Centre. Features outlined in the photos correspond to outlines in the same colour in the satellite imagery.

Methodology

This report provides a quantifiable picture of the spread and growth of China’s large network of camps throughout the Xinjiang region. These camps were located through various means, including via unique satellite signatures and physical features; official construction bidding tenders from the Chinese government; and media collected from official sources, local and international NGOs, academics and digital activists. Considerable information was drawn from the analysis of freely available or commercial satellite imagery. 

Satellite imagery of these camps shows highly securitised facilities with features such as significant fencing to heavily restrict the movement of individuals, consistent coverage by watchtowers, and strategic barricades with only small numbers of entry points. Often the perimeter around these camps is multi-layered and consists of large walls with tall razor-wire fencing on both the inside and outside. These features allowed us to pinpoint the location of camps mentioned in official construction tenders. 

Locating camps was aided significantly by engaging and sharing information with Shawn Zhang, a student at the University of British Columbia.21 In addition, official media and reporting by NGOs and activists were vital. These sources provided media from some facilities which allowed us to match the features shown—such as buildings and fencing—with the available satellite imagery.

The floor area of every facility was measured. 

The growth in floor area of these facilities was calculated for every quarter from the beginning of 2016 to September 2018. In most cases, this process involved measuring the roof area of every building using Google Earth imagery and other commercial satellite imagery collected by Digital Globe. Floor area was then calculated by multiplying roof area by the number of storeys in each building. The number of storeys was estimated from satellite imagery by either counting the externally visible windows when the building’s facade was shown or, when the facade was not prominently featured, by analysing the length of the shadows cast by the building. Where footage of these buildings from the ground existed, this was used as the primary source for the number of storeys. 

Some facilities contained additional buildings that were constructed after the most recently available Digital Globe imagery. For these cases, the floor area was calculated from lower resolution (3 m pixels as opposed to 30–50 cm pixels) imagery provided by Planet Labs.

No attempt was made in this analysis to differentiate between buildings used for different purposes, and the total area of each facility includes teaching buildings, administrative buildings and dormitories that house detainees. 

In addition, no attempt was made to determine the date of a facility’s first use as a re-education facility. For facilities such as schools or government-built residential housing that have been converted to re-education centres, our measurements represent the total building area within the current facility’s boundaries. 

These measurements were translated into chronological growth by cross-referencing building measurements with monthly satellite imagery accessed through Planet Labs’ Explorer portal to determine the period of time over which each building was constructed or completed. Some buildings that were too small to register in Planet Labs’ lower resolution imagery, such as single-storey utility buildings or sheds, were not included in this analysis. This data can be found in the database accompanying this report.

Facilities were then matched to publicly available construction tenders released by local governments using Chinese-language web-searching and links collected by other researchers (chiefly, Adrian Zenz, a China security expert at Germany’s European School of Culture and Theology). Saving this information often involved a race against time to gather the data before the documents were removed by those censoring China’s cyberspace. Every important document discovered and included in our database was permanently archived online.

Finally, the report drew on media reporting in local, national and international outlets. This media collection—including photographs, videos and geographical data—was used to further confirm key details such as the location, use or purpose, and physical features of each facility.

Conclusion

The speed with which China has built its sprawling network of indoctrination centres in Xinjiang is reminiscent of Beijing’s efforts in the South China Sea. Similar to the pace with which it has created new ‘islands’ where none existed before, the Chinese state has changed the facts on the ground in Xinjiang so dramatically that it has allowed little time for other countries to meaningfully react.

This report clearly shows the speed with which this build-out of internment camps is taking place. Moreover, the structures being built appear intended for permanent use. Chillingly, stories of detainees being released from these camps are few and far between.

Without any concerted international pressure, it seems likely the Chinese state will continue to perpetrate these human rights violations on a massive scale with impunity.
 

Acknowledgments

ASPI ICPC would like to thank Dr Samantha Hoffman and Alex Joske for their contributions to this research.

This project would not have been possible without the crucial ongoing work of Shawn Zhang, Adrian Zenz, journalists and civil society groups.


Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.


© The Australian Strategic Policy Institute Limited 2018

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

  1. The centre featured on state broadcaster CCTV last week is one of at least 181 such facilities in Xinjiang, according to data collected by AFP, online.
  2. tandfonline.com
  3. Listed as Camp 5 in the ICPC public database, online.
  4. hrw.org
  5. jamestown.org
  6. cecc.gov
  7. theguardian.com
  8. globaltimes.cn
  9. If you would like to highlight new or missing information that you think should be added to the database, please contact icpc@aspi.org.au
  10. hongkongfp.com
  11. washingtonpost.com
  12. Camp 15 in the ICPC public database.
  13. twitter.com
  14. jzbnet.com
  15. twitter.com
  16. Camp 3 in the ICPC public database.
  17. economist.com
  18. January 2016 to September 2018.
  19. archive.org
  20. bitterwinter.org
  21. Shawn Zhang’s Medium blog can be found here: medium.com

Picking flowers, making honey

The Chinese military’s collaboration with foreign universities.

What’s the problem?

China’s People’s Liberation Army (PLA) is expanding its research collaboration with universities outside of China. Since 2007, the PLA has sponsored more than 2,500 military scientists and engineers to study abroad and has developed relationships with researchers and institutions across the globe.1

This collaboration is highest in the Five Eyes countries, Germany and Singapore, and is often unintentionally supported by taxpayer funds.2 Australia has been engaged in the highest level of PLA collaboration among Five Eyes countries per capita, at six times the level in the US. Nearly all PLA scientists sent abroad are Chinese Communist Party (CCP) members who return to China on time.

Dozens of PLA scientists have obscured their military affiliations to travel to Five Eyes countries and the European Union, including at least 17 to Australia, where they work in areas such as hypersonic missiles and navigation technology. Those countries don’t count China as a security ally but rather treat it as one of their main intelligence adversaries.3

The activities discussed in this paper, described by the PLA as a process of ‘picking flowers in foreign lands to make honey in China’ (异国采花,中华酿蜜), risk harming the West’s strategic advantage.4

Helping a rival military develop its expertise and technology isn’t in the national interest, yet it’s not clear that Western universities and governments are fully aware of this phenomenon.5 Some universities have failed to respond to legitimate security concerns in their engagement with China. Current policies by governments and universities have not fully addressed issues like the transfer of knowledge and technology through collaboration with the PLA. Clear government policy towards universities working with the PLA is also lacking.6

What’s the solution?

Understanding and responding to PLA collaboration will require closer engagement between governments and universities. While universities haven’t self-regulated on this issue and haven’t controlled the associated security risks, universities and researchers will not effectively limit the risks of PLA collaboration on their own until governments develop clear policies on it.

Governments need to explore a wider range of tools for limiting technology transfer, including better scrutiny of visa applications by Chinese military scientists and further legislation targeting military end users.

Governments should also consider increasing funding to strategic science and technology fields, while actively limiting problematic foreign investment in those fields. Universities must recognise the risks of such collaboration and seek to learn the extent and nature of their collaboration with the PLA by actively working with government, civil society and security professionals.

Introduction

In 2017, the head of the American Association for the Advancement of Science said that ‘Scientific progress depends on openness, transparency and the free flow of ideas.’7 This collaborative and open spirit, including collaboration with Chinese scientists, has led to some of the great scientific achievements of recent times.8

While countries such as Australia and the US pride themselves on their scientific achievements, their universities and research institutes face limited or declining domestic funding.9 To address these issues, many universities have turned to China—an emerging scientific powerhouse that has sought to build ties to scientific communities around the world.10 This collaboration has generally been a productive and welcome part of the Australia–China relationship. 

The Chinese military has also ridden this wave of research collaboration, sponsoring more than 2,500 scientists to travel to universities in technologically advanced countries such as Australia as students or visiting scholars over the past decade.11 The volume of peer-reviewed literature produced by PLA scientists in collaboration with foreign scientists each year has grown steadily since 2008, following increases in the number of PLA scientists sent abroad (Figure 1).12 Those scientists work in strategic and emerging technology sectors such as quantum physics, signal processing, cryptography, navigation technology and autonomous vehicles.

The PLA’s program of sending scientists abroad is different from standard military exchanges, in which military officers visit each other’s institutions. Those open exchanges build understanding, communication and relationships between militaries.

Figure 1: PLA collaboration, as measured by the number of peer-reviewed articles co-authored by PLA scientists with overseas scientists, 2006 to 2017

In contrast, the PLA National University of Defense Technology (NUDT, 解放军国防科学技术大学) appears to conceive of its military exchanges separately from its international research ties, which are concentrated in foreign universities and not military institutions.13 Scientists sent abroad by the PLA have minimal or no interaction with military personnel in their host countries. Some of those travelling overseas have actively used cover to disguise their military affiliations, claiming to be from non-existent academic institutions.

Around half of those sent abroad are PhD scholars who either complete their doctorates overseas or spend up to two years as visiting PhD scholars and who can usually be identified by searching peer-reviewed literature. While most come from NUDT, the Army Engineering University is another major source.14 The remaining half are sent overseas for short-term trips, spending up to a year as visiting scholars. Few of those scientists have left online traces of their time overseas.

While foreign universities’ ties with the PLA have grown, it isn’t clear that universities have developed an understanding of the PLA and how their collaboration with it differs from familiar forms of scientific collaboration. To date, there’s been no significant public discussion on why universities should be directly contributing to the technology of a non-allied military. Importantly, there’s also little evidence that universities are making any meaningful distinction between collaboration with the Chinese military and the rest of their collaboration with China.

A handful of universities have strongly defended their collaboration with the PLA. Among universities in Five Eyes countries, the University of New South Wales (UNSW) has published the most peer-reviewed literature in collaboration with PLA scientists. After attracting scrutiny for this collaboration, the university’s deputy vice-chancellor wrote, ‘Any fears that our intellectual property or security is undermined through our work with international partners are entirely unfounded.’15

Australia’s Curtin University has described its collaboration with the PLA in similar terms, insisting that work by its scientists with PLA experts on explosions and projectiles doesn’t violate any laws and is civilian research.16

Government research agencies have also engaged in collaboration with the PLA. For example, researchers at the Australian Government’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) have collaborated with NUDT scientists on cloud computing technology.

Those same NUDT scientists were using cloud computing technology for combat simulations.17 Large sums of government funds have been used for collaboration with PLA scientists. One professor at UNSW, for instance, worked with PLA scientists using Australian Research Council grants worth $2.3 million.18 Internationally, defence funding has also been used for research with PLA scientists; for example, a paper written by University of Manchester scientists with a visiting student from NUDT lists US Air Force and Navy grants as funding sources.19

International military–civil fusion

In China, the PLA’s overseas research collaboration is described in frank terms. The PLA Daily uses the saying ‘Picking flowers in foreign lands to make honey in China’ to explain how it seeks to leverage overseas expertise, research and training to develop better military technology.20

This is one aspect of what China calls ‘military–civil fusion’ (军民融合). The term refers to China’s efforts to improve its military’s ability to take advantage of the creativity of the civilian sector and develop its own indigenous military–industrial complex. Described by PLA experts as a ‘cornerstone of PRC national defense reform’, military–civil fusion is helping to drive the modernisation of the PLA.21

So important is military–civil fusion to President Xi Jinping’s military reforms that he described it earlier this year as a prerequisite for building strategic capabilities and a strong military.22

Illustrating the benefits that the PLA obtains from its overseas research collaboration, a publication run by China’s Ministry of Education stated that NUDT’s collaboration with the University of Cambridge to train visiting PLA students will ‘greatly raise the nation’s power in the fields of national defence, communications, anti-jamming for imaging and high-precision navigation’.23 Likewise, before travelling to Sweden for doctoral studies in quantum physics, an NUDT scientist was told by his supervisor, ‘Without breakthroughs in physics, how can there be rapid developments in weaponry?’24

Figure 2: Lieutenant General Yang Xuejun (2nd from right) and Xi Jinping, chairman of the Central Military Commission, in July 2017

Lieutenant-General Yang Xuejun (杨学军, Figure 2), who oversaw a substantial rise in NUDT’s overseas links when he was its president from 2011 to 2017, appears to be one of the key figures behind this phenomenon. NUDT, as the Chinese military’s largest science and technology university, can be seen as representative of broader initiatives in this area. The university is the main source of PLA scientists studying abroad and by 2013 had reportedly sent more than 1,600 scientists overseas as students or visiting scholars, including roughly a third of its PhD scholars.25 An article written by NUDT scholars claims that the university received 300m renminbi ($A60m) from the Chinese government to send 765 graduate students to study abroad.26 According to General Yang, who has implied that NUDT’s overseas ties are a form of military–civil fusion, the university ‘has already reaped great benefits from going down the open university path and the military–civil fusion road’.27

General Yang’s recent promotion to membership of the 205-member 19th CCP Central Committee and to leadership of the Academy of Military Sciences, the PLA’s premier research institution, reflects Xi Jinping’s emphasis on ‘rejuvenating the military with science and technology’.28 It was probably also a recognition of the success with which Yang developed NUDT’s international ties.

Yang, himself a supercomputer expert, has collaborated extensively with UNSW and ran the program to develop the Tianhe-1A supercomputer, once ranked as the world’s fastest supercomputer.29 The NUDT supercomputer program’s role in nuclear weapons testing led to NUDT being placed on the US Government’s Entity List in 2015, meaning that the university faces stricter export controls, yet substantial numbers of NUDT scientists continue to train outside China, including in the US, the UK and Australia.30

The PLA encourages scientists to work on areas of interest to the military while they’re overseas. For example, a 2016 article by NUDT specialists in graduate student education recommends that, in choosing where to study overseas, students’ first priority should be the relevance of the research direction of an overseas institution to their work in China, as they ‘must comprehensively consider the continuity of their research work when in China with that when they are studying overseas’.31 When students are overseas, the report adds, they should ‘fully take advantage of the cutting-edge research conditions and environment abroad’ and ‘map out the arrangements of their overseas research and their plans for research after returning to China’. This alignment of domestic and overseas work indicates that the cases of PLA scientists gaining skills while in Australia that they then use for military projects aren’t outliers; they’re representative examples.32

Sources of and destinations for PLA scientists

PLA scientists come from a wide range of institutions and disciplines within the Chinese military. Analysing peer-reviewed publications co-authored by PLA scientists and overseas scientists indicates that the US, the UK, Canada, Australia and Germany were, in that order, the top five countries engaged in research collaboration with the PLA in 2017 (Figure 3). Those countries appear to be the primary destinations for PLA scientists sent abroad.

Figure 3: The top 10 countries for PLA collaboration, as measured by peer-reviewed literature co-authored by PLA scientists, 2006 to 2017

PLA scientists sent abroad as visiting scholars came from institutions such as:

  • the Northwestern Institute of Nuclear Technology (西北核技术研究所), which works on nuclear and high-power microwave weapons
  • the Chemical Defense Institute of the Academy of Military Sciences (军事科学院防化研究院), which specialises in chemical weapons research and has sent a sarin gas expert overseas
  • the Navy Submarine Academy (海军潜艇学院) in Qingdao
  • the Armored Forces Engineering Academy (装甲兵工程学院) in Beijing, which works on tank technology
  • the China Aerodynamics Research and Development Center (中国空气动力研究与发展中心), which has sent scramjet researchers to study overseas
  • the Rocket Force Engineering University (火箭军工程大学), which conducts research for China’s missile programs
  • the Academy of Equipment Command and Technology (装备指挥技术学院), which in 2007 sent a specialist in antisatellite weaponry to the University of Michigan using civilian cover.33

The volume of peer-reviewed literature co-authored by PLA researchers and overseas researchers is a rough indicator of the level of PLA collaboration at each university. Figure 3 shows that the leading countries for PLA collaboration by this measure for 2017 were, in order, the US, the UK, Canada, Australia and Germany, indicating that they’re likely to be the main destinations for PLA scientists studying abroad. Singapore, Sweden and the Netherlands are other major destinations for PLA scientists. Over the past decade, Australia has been engaged in the highest level of this collaboration among the Five Eyes countries per capita, at six times the level in the US.

It’s also possible to estimate the number of PLA scientists sent to each country since 2007, based on the above findings.34 Approximately 500 Chinese military scientists were sent to each of the UK and the US, roughly 300 each to Australia and Canada and more than 100 each to Germany and Singapore. Hundreds more have been sent to other countries, including the Netherlands, Sweden, Japan and France.

Figure 4, using the same dataset, shows the top 10 universities outside China for PLA collaboration. Nanyang Technological University in Singapore has the highest level of PLA collaboration, followed closely by UNSW in Australia. Other universities in Canada, Australia, the UK and the Netherlands also engage in high levels of collaboration with the PLA.35

Figure 4: The top 10 universities outside of China for PLA collaboration, as measured by the number of peer-reviewed publications, 2006 to 2017

The PLA’s links to universities across the world go beyond student admissions. The Chinese military, through its own universities and research institutions, has worked to build relationships with overseas universities and leading overseas researchers. A 2014 document published by NUDT claimed that the university had recruited 20 foreign nationals as teachers and ‘established academic relationships with over 100 universities and research units in over 50 countries and regions’.36

Scientists from Australia, the UK and the US are listed as potential doctoral supervisors for NUDT students in 2018.37

NUDT has also built ties with overseas universities at the institutional level. For example, NUDT’s Quantum Information Interdisciplinary Talent Training Program cooperates with the University of Cambridge’s Cavendish Laboratory.38 The People’s Daily claimed that, in addition to agreements with Oxford and Cambridge, NUDT has established ‘overseas study bases’ at institutions including Harvard University.39 New Zealand’s Massey University also signed a memorandum of understanding with NUDT in 2008.40

Maintaining loyalty to the CCP

The PLA, as the armed wing of the CCP, insists that all overseas party members strictly abide by ‘external exchange discipline standards’.41 According to the PLA Daily, ‘the openness of internationally expanding talent cultivation does not represent a “relaxation”, and we certainly cannot “let go”.’42 General Yang Xuejun has also specifically warned of the need to carefully manage military secrets while increasing the university’s openness.43

Those permitted to study overseas go through intensive training prior to their departure and are ‘all budding shoots with good grades and strong potential for innovation’.44 Alongside academic credentials, political credentials are also of key importance for military scientists hoping to study abroad. The PLA Daily warns that, if students sent overseas ‘develop issues with their politics and ideology, the consequences would be inconceivable (后果不堪设想)’.45 NUDT therefore appears to sponsor only CCP members for overseas study and works hard to maintain their loyalty to the party and negate ‘all kinds of harmful ideologies’.46 Reportedly, all 200 students and researchers from NUDT who were studying or visiting overseas in 2013 were party members.47

The People’s Daily claimed in 2013 that students sent overseas by NUDT had established eight party branches overseas and organised events for party members, so that ‘personnel studying abroad would keep their convictions rock-solid’ (坚守信念如磐).48 Another report from 2015 claimed that NUDT’s College of Optoelectric Science and Engineering alone had established 10 overseas party branches.49 More recent reports hint that such branches are still being established. For example, party media reported in October 2017 that students from one of NUDT’s colleges had established a WeChat group for the college’s more than 30 students overseas to study the 19th Party Congress.50 ‘Their red hearts,’ the report concluded, ‘look to the party.’

Party branches have also been used to coerce overseas Chinese scholars. An investigation by Foreign Policy found that some visiting students from Chinese universities who formed party branches abroad were asked to report on any subversive opinions held by their classmates.51 It’s probable that similar kinds of pressure are exerted on overseas PLA researchers.

Online communication forms an important part of PLA efforts to maintain discipline among overseas personnel and is complemented by in-person contact. One report stated that students from NUDT’s College of Optoelectric Science and Engineering ‘regularly chat with College leaders by video call and exchange emails with NUDT academic supervisors and student cadres to discuss their thoughts, exchange ideas on academic matters, and clarify points of interest’.52 Regulations on the political education of overseas students by the same NUDT college include provisions for ‘overseas inspection’ and for students to return to China in the middle of their study for ‘remedial education’.

One NUDT professor used a trip to an overseas conference as an opportunity to meet eight NUDT scientists studying in the region to ‘pass on the greetings and requests of party organisations’. The regulations also include provisions for ‘joint education and interaction with families’, which may imply that pressure on the family members of overseas PLA scientists is used to maintain discipline.53

The close watch that the PLA keeps on its overseas scientists helps ensure that all those sent abroad return to the Chinese military. NUDT, for example, requires that those applying to study abroad show their intent to return to ‘serve the construction of the nation, national defence and the military’.54

The PLA Daily claimed in 2013 that all the students whom NUDT had sent abroad in recent years returned on time to ‘become key forces in their work units’.55

Institutes that don’t exist: deception by PLA scientists

While most scientists sent abroad by the PLA appear to be open about which institutions they come from, this report has identified two dozen new cases of PLA scientists travelling abroad using cover to obscure their military affiliations. In at least 17 of these cases, PLA scientists used cover to travel to Australia. These scientists use various kinds of cover, ranging from the use of misleading historical names for their institutions to the use of names of non-existent institutions.

Features of deception by the PLA

An article from 2002 on the website of a Chinese overseas study agency offers insights into the use of cover. In response to a question asking whether having graduated from a military institution would affect one’s ability to get an overseas visa, the company responded: 

Many military colleges and military units externally have common names (民间称呼) that don’t reveal their military characteristics. NUDT, for example, is externally known as Changsha Institute of Technology. This is the best way [to avoid having your visa application rejected].56

The Changsha Institute of Technology was a PLA institution subsumed by NUDT in 1975.57 While the quote above doesn’t come from an official source, it at least indicates how these unsophisticated but nonetheless effective covers are understood as tools for hiding one’s military background.

Besides using non-existent institutions with innocuous-sounding names as cover, PLA members also claim to be from real civilian institutions in the same regions as their military units. New Zealand MP Yang Jian, for example, who taught intelligence officers at the PLA Foreign Languages Institute in Luoyang, claimed in his New Zealand residency application to have worked at Luoyang University.58 Before moving to New Zealand in 1999, Yang received an Australian Government aid scholarship to study at the Australian National University, earning a master’s degree and doctorate in international relations. During that period, he interned at the Senate Standing Committee on Foreign Affairs, Defence and Trade, and headed the Canberra Chinese Students and Scholars Association, which retains intimate ties to the Chinese Embassy to this day.59 Yang told media, ‘the system asked me to use the partner university,’ referring to Luoyang University.60

A number of PLA scientists using cover to travel abroad have created LinkedIn profiles using their cover institutions, which may have been used to shore up their claimed affiliations while overseas.61

The use of cover appears to be managed differently by each institution, some of which use cover far more often than others.62 Cover is also not used consistently within each institution. As described below, PLA Information Engineering University (PLAIEU) researchers have both used cover and openly stated their affiliation at the same conferences. It’s unclear whether this indicates that the use of cover is up to the discretion of each researcher or perhaps that it relates to the sensitivity of a researcher’s work or position in the PLA.

NUDT appears to no longer use the ‘Changsha Institute of Technology’ as cover, but it engages in a different kind of deception. A document published by NUDT for students hoping to study abroad advises them that, when providing documentation in their applications to foreign institutions, ‘military and political courses can be excluded’ from their academic records.63 This appears designed to mislead overseas authorities, universities and researchers by downplaying the extent to which NUDT is a military institution and to which these students are military scientists.

The Xi’an Research Institute of High Technology

Scientists from the PLA Rocket Force Engineering University (RFEU, 火箭军工程大学)64, a key research base for the PLA Rocket Force, claim to be from the ‘Xi’an Research Institute of High Technology’ (西安高技术研究所), which appears to only exist on paper.

At least five RFEU scientists claiming to be from the Xi’an Research Institute have travelled overseas as visiting scholars, including one of the PLA’s leading missile experts, Major General Hu Changhua (胡昌华), and three of his close associates at RFEU. General Hu (Figure 5), who heads RFEU’s Missile Testing and Control Simulation Experimental Teaching Centre, visited the University of Duisburg–Essen in Germany for four months in 2008.65 It’s unclear what he worked on in Germany, as he didn’t publish any papers while there, but his work for the PLA focuses on flight control systems and fault diagnosis for missiles.66

Two RFEU scientists who frequently publish with Hu, Zhou Zhijie (周志杰)67 and Wang Zhaoqiang (王兆强),68 were visiting scholars at universities in England; they claim in their English publications to be from the Xi’an Research Institute.69

Figure 5: Major General Hu Changhua, profiled by China Central Television’s military affairs channel in 2016:

‘Right now I’m a professor at RFEU and head of the Military Key Lab on Missile Testing and Control Technology.’ 


Source: CCTV, 28 October 2016, YouTube.

Hu Xiaoxiang: a case study

Identifying the Xi’an Research Institute of High Technology as a cover institute helps shed light on the January 2015 expulsion from Norway of a Chinese scientist and his supervisor, a dual citizen of Germany and Iran. The expulsion came after Norwegian authorities determined that the work of the Chinese scientist, later named in court as Hu Xiaoxiang (扈晓翔), could be used to develop hypersonic cruise missiles (Figure 6).70

Figure 6: Hu Xiaoxiang

Hu wrote five papers with his supervisor at the University of Agder, all of which listed the Xi’an Research Institute as his affiliation. The papers focused on air-breathing hypersonic vehicles, which travel at over five times the speed of sound and ‘can carry more payload than ordinary flight vehicles’.71 Hu’s work was supported by a Norwegian Government grant for offshore wind energy research.72

Besides his affiliation with the Xi’an Research Institute, there’s a large body of evidence tying Hu to RFEU. The website of RFEU’s missile research centre states that Hu Xiaoxiang won an award in 2014 for his PhD thesis on hypersonic aircraft, supervised by General Hu Changhua.73 The website also says that in 2014 he received 250,000 renminbi (A$50,000) from the Chinese Government for a three-year research project on hypersonic aircraft (Figure 7).74 In 2016, he was described as a lecturer at the centre, which received 14 awards for missile research between 2010 and 2014.75 In some publications, Hu also listed the Harbin Institute of Technology, a civilian university heavily engaged in military research, as a second affiliation.76

Relations between China and Norway were put on ice when the Nobel Peace Prize was awarded to Chinese democracy activist Liu Xiaobo in 2010, and the Chinese Government was quick to attack Norway for Hu’s expulsion.77 Only in December 2016 did the two countries ‘normalise’ diplomatic relations. Public statements by Norwegian authorities didn’t explain the Chinese scientist’s military affiliation or mention the Xi’an Research Institute, as the information was likely classified.

Figure 7: A paper published by Hu Xiaoxiang shortly after his expulsion from Norway, stating an affiliation with RFEU in the Chinese version of the abstract but the Xi’an Research Institute in the English version.

A few months later, in September 2015, a court overturned the expulsions. Hu’s lawyer stated after the trial that ‘there is no evidence in the case that my client is part of research collaboration on missiles and weapons with China.’78 The University of Agder lauded the decision as a win for academic freedom.

The Norwegian Government later successfully appealed the overturning of Hu’s supervisor’s expulsion. However, it’s unclear whether any appeal was made in Hu’s own case, which hasn’t been made publicly available.79 Neither the Xi’an Research Institute, Hu Changhua nor RFEU was mentioned in the judge’s ruling on the German-Iranian supervisor’s case or any coverage of the expulsions.

The Zhengzhou Institute of Surveying and Mapping

Among the 40 Chinese military scientists listed as presenting papers at the 9th International Symposium on Mobile Mapping Technology, nine claimed to be from an institution with no apparent military affiliation.80 Most of the other 30 military scientists at the conference, hosted by UNSW in December 2015, were openly from NUDT and a research institute of China North Industries Group Corporation (also known as Norinco Group), China’s largest arms manufacturer; the rest came mainly from the PLA Information Engineering University.

The nine claimed to be from the Zhengzhou Institute of Surveying and Mapping. This institute, which was officially known as the PLA Institute of Surveying and Mapping, no longer exists, having been subsumed in 1999 by PLAIEU—itself a major player in cyber operations and a key training ground for signals intelligence officers.81 The Zhengzhou Institute appears to live on as cover for PLA scientists interacting with foreigners. Nearly 300 peer-reviewed papers have been published by authors claiming to be from the institute.82

The use of the Zhengzhou Institute of Surveying and Mapping as cover doesn’t stop at international conferences. Numerous examples of visiting scholars claiming to be from there have been uncovered for this report. They include Zhu Xinhui (朱新慧), a lecturer at PLAIEU specialising in navigation technology, who visited UNSW from 2015 to 2016.83 In numerous journal articles and in the program of the mobile mapping conference mentioned above, however, she is described as being from the Zhengzhou Institute of Surveying and Mapping.84

Guo Jianfeng (郭建锋), an associate professor at PLAIEU, visited Curtin University for a year in 2014. A specialist on navigation system data processing, Guo was described on the website of Curtin University’s Global Navigation Satellite Systems Research Centre as being on ‘sabbatical leave from the Department of Geodesy of the Institute of Surveying and Mapping, Zhengzhou, China’.85

The Zhengzhou Information Science and Technology Institute

Another cover institute, the Zhengzhou Information Science and Technology Institute (ZISTI), which appears to exist only on paper, has also been widely used by PLAIEU scientists to publish research and travel overseas. More than 1,300 pieces of peer-reviewed literature have been authored by individuals claiming to be from ZISTI.86

One paper in a Chinese-language journal by a PLAIEU researcher, which includes an English version of the abstract and author information, clearly shows that ZISTI is a cover institute (Figure 8). The paper’s Chinese text describes the first author as affiliated with PLAIEU, but the English version describes the same author as affiliated with ZISTI.87 Nearly all of the authors sampled who claimed an affiliation with ZISTI could be shown to be working at PLAIEU.

Figure 8: Chinese and English versions of a paper published by a PLAIEU scientist, demonstrating the use of the Zhengzhou Information Science and Technology Institute as cover.

Scientists claiming to be from ZISTI have attended international conferences both inside and outside China. For example, seven researchers affiliated with ZISTI are listed in the program of a conference on signal processing at the Gold Coast in Australia in 2014. Experts from American, Australian and Korean defence research agencies were also in attendance.88

As with the Zhengzhou Institute of Surveying and Mapping, ZISTI has been used as cover for PLA scientists travelling overseas as visiting scholars. For example, Zhu Yijun (朱义君) is an associate professor at PLAIEU specialising in signals engineering.89 Claiming to be from ZISTI, in 2011 he visited Canada’s McMaster University, where he worked on wireless communications technology with wide-ranging military applications.90

PLAIEU scientists claiming to be from ZISTI have also travelled to the US as visiting scholars and for conferences.91

Espionage and intellectual property theft

In addition to their overt activities, PLA researchers, especially those who haven’t been forthcoming about their military affiliations, may engage in espionage or steal intellectual property while overseas. The PLA engages in such high levels of espionage that in 2014 the US Government took the unusual step of publicly indicting five Chinese military hackers.92 Military scientists abroad who regularly communicate with superiors in China, receive visits by superiors while overseas and return home in the middle of their time abroad for ‘remedial education’, as described in the examples outlined above, offer safe and convenient channels for Chinese intelligence agencies to access sensitive information from overseas.93

Amateur collectors with STEM expertise have been implicated in a high proportion of intellectual property theft and espionage cases involving China.94 Scientists and engineers involved in military research projects, while they might not have received formal training as spies, are uniquely qualified to identify and exfiltrate valuable information to overcome specific hurdles in the development of new technologies.

Should universities collaborate with the PLA?

Assessing the costs and benefits of research collaboration with the PLA shows that it comes with significant security risks while offering unclear benefits. It isn’t in the national interest of most of the countries examined in this report to help build the capabilities of a rival military. Other forms of cooperation with the Chinese military, such as joint exercises and exchanges that build understanding and communication, are largely beneficial but distinct from the kinds of research collaboration addressed in this report.

The benefits of research collaboration with the Chinese military are difficult to measure, but could include the following:

  • Training PLA scientists and working with them leads to scientific developments and published research while attracting some funding. 
  • A small proportion of collaboration with the PLA appears sufficiently transparent and falls into areas of fundamental research such that the benefits may outweigh security risks. One possible example is cooperation between the American and Chinese governments on the multinational Daya Bay Reactor Neutrino Experiment, which involves NUDT.

A number of benefits usually associated with research collaboration with militaries and foreign countries haven’t been observed in PLA collaboration:

  • PLA collaboration doesn’t lead to long-term improvement in the talent of institutions and countries accepting PLA scientists, as the PLA claims that 100 per cent of scientists sent abroad by NUDT in the years before 2013 returned to China on time.95 
  • The forms of PLA collaboration studied in this report don’t promote understanding and relationships between militaries, as they aren’t military exchanges and often aren’t overt.
  • While overseas, PLA scientists remain under the close watch of the CCP, which works to ensure that they remain loyal and aren’t influenced by their experience living in free societies. 
  • It’s improbable that PLA scientists working with overseas civilian researchers would share with or disclose to those researchers any significant research breakthroughs of military value.

There are many risks and costs associated with current approaches to training and collaborating with PLA scientists:

  • Training PLA scientists improves the scientific talent and knowledge of a military treated by many as a strategic competitor.96
  • PLA scientists often engage in deception in their interactions with foreign institutions and their staff, making it difficult for those collaborating with them to take appropriate security precautions.
  • PLA scientists could gather intelligence and steal technology while they’re overseas, especially if they’re hiding their military affiliations.
  • Failures to address concerns about PLA collaboration and to develop policies differentiating it from wider engagement with China risk tarring all research ties with China with the same brush.
  • Research collaboration with the PLA contributes to technology that may be used against Australia and its partners in a conflict or for intelligence collection.
  • Universities with ties to the PLA risk eroding trust between themselves and funders of research, such as defence research agencies, scientific agencies and industry.
  • Universities risk reputational damage by collaborating with a non-allied military.
  • Public funding worth millions of dollars is being used for collaboration with a non-allied military, with little to no input from taxpayers.

Current policy and legislation are inadequate

Export controls are the primary mechanism by which countries seek to manage the supply of sensitive technology and goods to overseas entities. However, the ability of export control laws to effectively manage the risks posed by PLA research collaboration is limited. In Australia, few cases of research or cooperation contrary to our national interests are believed to have been prevented through the Defence Trade Controls Act 2012.97 The current review of the Act offers an opportunity to address some of these limitations.

There are a few reasons for these difficulties. First, intangible transfer of technology—the primary form of technology transfer taking place through the kinds of collaboration studied in this paper—is extremely difficult to control in practice because it doesn’t involve the export of physical goods.98 Second, the Act doesn’t regulate the supply of controlled technology, which includes instruction and training, to individuals in Australia even if they’re PLA members. Third, some of this collaboration covers emerging technologies, such as quantum physics, that are important but not included in the Defence and Strategic Goods List, as their applications aren’t yet fully known. Export control lists tend to be slow to incorporate emerging technologies, so regulatory power can come well after issues become apparent. Fourth, the Act doesn’t regulate the supply of controlled technology by Australians when they’re outside of Australia, such as training given to PLA members by Australian academics visiting China.
 

Recommendations

The PLA’s collaboration with foreign universities is growing and the expansion of international ties remains one of NUDT’s priorities.99 The developments outlined in this report warrant more attention and different approaches from those currently employed by most governments and universities. Responses to PLA collaboration need to be informed by clear government policies and move beyond export controls, using the full range of tools available to governments and universities. The Australian Government, for example, can do more to work in partnership with our research sector to advance scientific progress while protecting national security and ensuring that relevant research doesn’t advance the Chinese military’s capabilities.

Based on the findings of this report, it is recommended that governments pursue the following measures:

Deepen discussions within government on PLA collaboration to determine how it relates to the national interest

  • Determine what kinds of collaboration with the PLA should be further controlled or even prohibited and establish clear policy on engagement with PLA research organisations and personnel.
  • Foster international discussions on PLA collaboration to develop multilateral responses.
  • Develop interagency responses to PLA collaboration to ensure better integration of efforts by defence and export control agencies, intelligence agencies and immigration agencies.
  • Share information about cases and trends in PLA collaboration, particularly cases of deception by PLA scientists, with partners across the globe.

Increase communication and outreach to universities, companies and publics

  • Establish a committee bringing together members of the national security community and university leaders. This committee could serve as a forum to share key information and foster a more cooperative working environment while also providing a space for the university sector and national security community to better understand each other’s perspectives. The US Federal Bureau of Investigation’s National Security Higher Education Advisory Board is a useful model to emulate.100
  • Ensure that companies funding research at universities are aware of any PLA collaboration and understand future measures to control such collaboration.
  • Politicians and senior public servants should better articulate what’s in the national interest and publicly explain why advancing China’s military capabilities isn’t in the national interest.101

Improve the scrutiny of visa applications by foreign military personnel

  • Enhance and better coordinate efforts by government agencies such as Australia’s Department of Home Affairs, Department of Defence and Australian Security Intelligence Organisation to ensure that military scientists applying for visas are identified and properly vetted.102
  • Create a list of Chinese and other non-allied military and military-linked research institutions, including civilian universities heavily engaged in military research, for use by immigration officials.

Re-examine export controls

  • The Australian Government should consider further controlling technology transfer to certain end users. Transfers of controlled technology to PLA members and civilians heavily engaged in military research should be restricted regardless of their geographical location.
  • The Australian Government should create a list of entities posing national security risks that are subject to special export licence requirements, modelled on the US’s Entity List.
  • The government should help universities train and provide resources for staff with export control compliance duties.
  • Work continuously with experienced scientists in emerging technology fields to determine whether and how emerging technologies should be controlled.
  • Ensure that universities are fully complying with controls relating to the intangible transfer of technology in their collaboration with the PLA.

Regulate scientific training given to foreign military personnel

  • Introduce legislation that draws on the US Code of Federal Regulations’ rules on defence services, which require those offering training to foreign military personnel to first receive a waiver from the US Department of Defense.103 This could take the form of an expansion of the Defence Trade Controls Act that restricts technology transfer to members of certain governments and organisations.

Regulate the use of government resources in collaboration with the Chinese military and other non-allied militaries

  • Update internal policies in government research institutions such as CSIRO to limit or ban collaboration with non-allied militaries, particularly in dual-use areas.
  • Funding bodies such as the Australian Research Council should prohibit funding in some areas from being used in collaboration with non-allied militaries.
  • Carefully evaluate any collaboration with PLA scientists on government-funded projects, particularly defence projects.

Increase government and other funding for research in strategic research areas

  • Fields such as artificial intelligence and quantum physics should receive more government funding to ensure that talent and ideas stay in Australia.
  • Universities working in strategic research areas should be encouraged to collaborate with allied military and defence countries rather than non-allied militaries.

Limit problematic forms of foreign investment in strategic research areas

  • Investment by Chinese defence companies such as China Electronics Technology Group Corporation into strategically important fields should be prohibited.104

Universities should also pursue the following measures:

Build understanding of PLA collaboration

  • Produce credible and thorough assessments of the extent of PLA collaboration on campuses.
  • Develop processes for managing PLA collaboration so that security risks can be identified and resolved.

Raise awareness among employees

  • Ensure that those interacting with members of non-allied militaries take appropriate security precautions.

Exercise greater oversight of visiting scholar and student applications

Develop internal policies on collaboration with foreign military personnel

  • Require employees to receive approval before collaborating with or training members of non-allied militaries.

© The Australian Strategic Policy Institute Limited 2018

First published October 2018

  1. This estimate has sought to exclude PLA medical scientists and doctors by not counting those affiliated with PLA medical institutions. Media reports, many of which are cited in this report, were one important source for determining the number of PLA scientists sent abroad. Feng Chunmei 冯春梅, Cai Weibin 蔡渭滨, Li Zhi 李治, ‘Guofang keji daxue shixiang weilai zhanzheng de rencai hangmu’ 国防科技大学 驶向未来 战争的人才航母 [NUDT—An aircraft carrier of talent steering towards future wars], Renmin Ribao 人民日报, 8 August 2013, online, claims that NUDT had sent 1,600 scientists overseas as students or visiting scholars ‘in recent years’. Assuming the 1,600 figure describes the number of NUDT scientists sent abroad between 2007, when the PLA substantially increased the number of scientists it sent overseas, and 2013, this gives roughly 230 NUDT scientists sent overseas each year. Conservatively, this indicates that well over 2,000 NUDT scientists have been sent abroad since 2007. Accounting for the fact that NUDT is responsible for approximately 80% of publications written by PLA scientists with overseas scientists and assuming that represents the proportion of PLA scientists overseas who are from NUDT, this means that more than 2,500 PLA scientists have been sent overseas since 2007. This estimate was also supported by a second set of open-source data which, to prevent the information from being removed, has not been revealed.
  2. New Zealand is not counted here, despite being a Five Eyes country. It has high levels of PLA collaboration, especially relative to its population, but is not among the top countries for collaboration more generally.
  3. C Uhlmann, ‘China an “extreme” threat to Australia: ASIO’, 9 News, 31 January 2018, online; Bill Gertz, ‘FBI director warns China is America’s most significant intelligence threat’, The Washington Free Beacon, 19 July 2018, online; ‘German intelligence unmasks alleged covert Chinese social media profiles’, Reuters, 10 December 2017. For a discussion of the case of Huang Jing in Singapore, see John Garnaut, ‘Australia’s China reset’, The Monthly, August 2018.
  4. Wang Wowen 王握文, ‘Zouchu guomen, dang zuzhi shenghuo “bu diaoxian”’, 走出国门,党组织生活’不掉线’ [Exiting the country, they stay connected with the life of party organisations], Jiefangjunbao 解放军报, 1 July 2015, online.
  5. One of the only papers to address research collaboration with the PLA is Elsa Kania, Technological entanglement, ASPI, Canberra, 28 June 2018, online.
  6. Section 1286 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 offers an important starting point for policies on scientific engagement with China and the PLA, seeking to protect scientists from undue foreign influence, safeguard important information and support the growth of domestic talent.
  7. Richard Holt, AAAS statement on White House proclamation on immigration and visas, American Association for the Advancement of Science, 25 September 2017, online.
  8. See Yangyang Cheng, ‘The future of particle physics will live and die in China’, Foreign Policy, 2 November 2017, for an eye-opening discussion of the level of political involvement in China’s scientific research, even research into particle physics, online.
  9. DJ Howard, FN Laird, ‘The new normal in funding university science’, Issues in Science and Technology, 2013, 30(1), online; M Clarke, ‘Federal government university budget leaves 10,000 places unfunded, Universities Australia says’, ABC News, 18 January 2018, online; N Whigham, ‘Medical and scientific research at a crossroads in Australia as funding stagnates’, News.com.au, 7 November 2016.
  10. UNSW, for example, has partnered with the Chinese Government’s Torch Program, attracting tens of millions of dollars in R&D funding from Chinese companies. See ‘UNSW celebrates first anniversary of Torch partnership with China’, UNSW Media, 28 March 2017, online.
  11. It appears that most of those sent abroad are PLA ‘civilian cadres’ (文职干部), rather than ranking military officers. While they’re counted as members of the PLA, civilian cadres aren’t combat personnel and often work in technical areas, such as scientific research. See information about civilian cadres at the following link.
  12. Peer-reviewed literature is the most accessible but not the only measure of PLA collaboration. Other facets of PLA collaboration include visiting and lecturing at PLA institutions, supervising PLA students and visiting scholars, which are correlated with but distinct from the level of peer-reviewed literature. Findings on peer-reviewed literature by PLA scientists with foreign researchers are based on searches in Scopus, the largest database of peer-reviewed literature, covering 16 PLA institutions and aliases. Hong Kong wasn’t counted together with the PRC mainland. Note that publications by PLA scientists from medical institutions have been excluded. The following institutions and aliases were included in the search: National University of Defense Technology, National Key Laboratory for Parallel and Distributed Processing, PLA University of Science and Technology, PLA Information Engineering University, Zhengzhou Information Science and Technology Institute, Zhengzhou Institute of Surveying and Mapping, Air Force Engineering University, Second Artillery Engineering College, Xi’an Research Institute of High Technology, Academy of Armored Force Engineering, Academy of Equipment Command and Technology, National Digital Switching System Engineering and Technological Research Center, Northwest Institute of Nuclear Technology, China Aerodynamics Research and Development Center, Naval University of Engineering and PLA Electronic Engineering Institute.
  13. See the section on international ties, which discusses sending students abroad and building academic ties separately from military exchanges, in Liu Hang (ed.), 2015 National University of Defence Technology admissions guide, online.
  14. The Army Engineering University was formed in August 2017 through the merger of the PLA University of Science and Technology and a number of other army colleges. See Anonymous, ‘Lujun gongcheng daxue jiepai, you gongchengbing xueyuan deng 5 suo yuanxiao heping zujian’ 陆军工程大学揭牌,由工程兵学院等5所院校合并组建 [The Army Engineering University is unveiled, formed by the merger of the Engineering College and five other institutions], Pengpai 澎湃, 3 August 2017, online.
  15. Brian Boyle, ‘Chinese partnerships are vital for universities and global research’, Financial Review, 29 October 2017, online.
  16. Clive Hamilton, Alex Joske, ‘Australian universities are helping China’s military surpass the United States’, Sydney Morning Herald, 24 October 2017, online.
  17. Clive Hamilton, Silent Invasion, Hardy Grant Books, 2018, 190–193.
  18. Hamilton & Joske, ‘Australian universities are helping China’s military surpass the United States’.
  19. Mengjian Zhu, Moshe Ben Shalom, Artem Mishchsenko, Vladimir Falko, Kostya Novoselov, Andre Geim, ‘Supercurrent and multiple Andreev reflections in micrometer-long ballistic graphene Josephson junctions’, Nanoscale, 2018, issue 6, online.

Huawei and Australia’s 5G Network

Over the course of 2018, ASPI staff and writers for The Strategist participated in a dynamic public debate about the participation of Chinese telecommunications equipment manufacturer Huawei in Australia’s 5G network.

Australia’s 5G network is critical national infrastructure and this was one of the most important policy decisions the government had to make this year.

ASPI felt it was vital to stimulate and lead a frank and robust public discussion, in Australia and throughout the wider region, which analysed and debated the national security, cybersecurity and international implications of Huawei’s involvement in this infrastructure.

In this report, in chronological order, you’ll read a range of views written up in The Strategist, The Australian and The Financial Times.

These articles tackle a variety of issues surrounding the decision, including the cybersecurity dimension, the broader Australia–China relationship, other states’ experiences with Huawei, the Chinese Government’s approach to cyber espionage and intellectual property theft and, importantly, the Chinese party-state’s view of state security and intelligence work.

When it comes to important national security, cybersecurity and critical infrastructure decisions, ASPI will continue to stimulate Australian public discourse and fill gaps in global debates.

We also encourage the Australian Government to take a more forward-leaning approach to its participation in public discourse so that the public and key stakeholders are as informed as possible when hard and complicated policy decisions like this need to be made.

Hacking for ca$h

Is China still stealing Western IP?

Introduction

In September 2015, following mounting pressure exerted by the US on China, Chinese President Xi Jinping agreed to a US proposal that neither country would steal the other’s intellectual property (IP) for commercial gain. This bilateral agreement was quickly expanded when the US succeeded in inserting similar language into the November 2015 G20 communique. A handful of other countries also pursued their own bilateral agreements.

Three years after the inking of the US–China agreement, this report examines China’s adherence to those agreements in three countries: the US, Germany and Australia. This work involved a combination of desktop research as well as interviews with senior government officials in all three countries.

The rationale for this multi-country report was to examine patterns and trends among countries that had struck agreements with China.

In all three countries, it was found that China was clearly, or likely to be, in breach of its agreements. China has adapted its approach to commercial cyber espionage, and attacks are becoming more targeted and use more sophisticated tradecraft. This improved tradecraft may also be leading to an underestimation of the scale of ongoing activity.

Despite initial hopes that China had accepted a distinction between (legitimate) traditional political–military espionage and (illegal) espionage to advantage commercial companies, assessments from the three countries suggest that this might be wishful thinking.

China appears to have come to the conclusion that the combination of improved techniques and more focused efforts have reduced Western frustration to levels that will be tolerated. Unless the targeted states ramp up pressure and potential costs, China is likely to continue its current approach.

United States

By Adam Segal

In September 2015, presidents Barack Obama and Xi Jinping stood next to each other and declared that neither the US nor the Chinese government ‘will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage’.1 Despite significant scepticism about whether China would uphold its pledge, cybersecurity companies and US officials suggested that the number of attacks did in fact decline in the first year of the agreement. China inked similar deals with Australia, Canada, Germany and the UK, and, in November 2015, China, Brazil, Russia, the US and other members of the Group of Twenty accepted the norm against conducting cyber-enabled theft of IP.2 The agreement has been held up as evidence that a policy of public ‘naming and shaming’ tied to a threat of sanctions can change state actions, and as a success by the US and its allies in defining a norm of state behaviour in cyberspace.

There is, however, increasing evidence that Chinese hackers re-emerged in 2017 and are now violating both the letter and the spirit of the agreement. CrowdStrike, FireEye, PwC, Symantec and other companies have reported attacks on US companies, and the Trump administration has claimed that ‘Evidence indicates that China continues its policy and practice, spanning more than a decade, of using cyber intrusions to target US firms to access their sensitive commercial information and trade secrets.’3 The initial downturn in activity appears less to be the result of US pressure and more of an internal reorganisation of cyber forces in the People’s Liberation Army (PLA). Moreover, it’s increasingly clear that the number of attacks isn’t the correct metric for the Sino-US cyber relationship. A decline in the number of attacks doesn’t necessarily mean a decrease in their impact on US economic interests, as Chinese operators have significantly improved their tradecraft.

Washington and its allies will soon have to decide what they’re going to do (again) about Chinese industrial cyber espionage. The Trump administration’s approach so far has been indirect, raising China-based hacking in the context of a larger critique of Beijing’s industrial policy and failure to protect IP. Without significant pushback, China is likely to believe that it has reached a new equilibrium with Washington defined by a smaller absolute number of higher-impact cyber operations.

The challenge of industrial cyber espionage

For at least a decade and a half, Chinese hackers have conducted a widespread campaign of industrial cyber espionage, targeting private sector companies in an effort to steal IP, trade secrets and other information that could help China become economically more competitive. President Xi has set the goal for China to become a ‘world leading’ science and technology power by 2049, and the country has significantly ramped up spending on research and development, expanded enrolment in science, technology, engineering and mathematics disciplines at universities, and pushed industrial policy in areas such as semiconductors, artificial intelligence and quantum computing. However, the country also continues to rely on industrial espionage directed at high-technology and advanced manufacturing companies. Hackers have also reportedly targeted the negotiation strategies and financial information of energy, banking, law, pharmaceuticals and other companies. In 2013, the Commission on the Theft of American Intellectual Property, chaired by former Director of National Intelligence Admiral Dennis Blair and former US Ambassador to China Jon Huntsman, estimated that the theft of IP totalled US$300 billion (A$412 billion, €257 billion) annually, and that 50–80% of thefts were by China.4

The US responded to state-sponsored Chinese cyberattacks with a two-step process. First, Washington created a distinction between legitimate espionage for political and military purposes and the cyber-enabled theft of IP. As President Obama framed it:

Every country in the world, large and small, engages in intelligence gathering. There’s a big difference between China wanting to figure out how can they find out what my talking points are when I’m meeting with the Japanese which is standard and a hacker directly connected with the Chinese government or the Chinese military breaking into Apple’s software systems to see if they can obtain the designs for the latest Apple product. That’s theft. And we can’t tolerate that.5

Espionage against defence industries, such as the theft of highly sensitive data related to undersea warfare, first reported in June 2018, would be considered legitimate, and the onus would be on the defender to keep hackers out of its systems.6

Second, Washington directly and increasingly publicly confronted Beijing. In the winter of 2013, the incident response firm Mandiant, now part of FireEye, put out a report tracing cyber espionage on American companies to Unit 61938 of the PLA, located in a building on the outskirts of Shanghai.7 A few days later, the Department of Homeland Security provided internet service providers with the IPs of hacking groups in China. In March 2013, at a speech at the Asia Society, National Security Advisor Tom Donilon spoke of ‘serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale’.8 When the two met at Sunnylands in June 2013, then President Obama warned President Xi that the hacking could severely damage the bilateral relationship.

In May 2014, the Federal Bureau of Investigation indicted five PLA hackers for stealing the business plans and other IP of Westinghouse Electric, United States Steel Corporation and other companies.9 In April 2015, the President signed an executive order that would allow for economic sanctions against companies or individuals that profited from the ill-gotten gains of cyber theft. The order threatened to block financial transactions routed through the US, limit access to the US market and prevent company executives from travelling through the US. The Washington Post reported in August 2015 that the administration planned to levy those sanctions against Chinese companies.10 Worried that sanctions or indictments would cast a pall over the September presidential summit, Meng Jianzhu, a member of the political bureau of the Central Committee of the Chinese Communist Party, flew to Washington to make a deal.

First year decline

In the first year, the available evidence suggested that Beijing was upholding the agreement and that the overall level of Chinese hacking had declined. FireEye released a report in June 2016 that showed the number of network compromises by the China-based hacking groups that it was tracking dropping from 60 in February 2013 to fewer than 10 by May 2016.11 However, FireEye noted that Chinese hackers could drop the total number of attacks while increasing their sophistication. Around the same time, US Assistant Attorney General John Carlin confirmed the company’s findings that attacks were fewer but more focused and calculated.

As the report also noted, the decline began before September 2015, undermining the causal link between US policy and Chinese behaviour. There were two internal factors in play. First, soon after taking office, Xi launched a massive and sustained anticorruption campaign. Many hackers were launching attacks for private gain after work, misappropriating state resources by using the infrastructure they had built during official hours. Hacking for personal profit was caught up in a broad clampdown on illegal activities.

Second, the PLA was engaged in an internal reorganisation, consolidating forces and control over activities. Cyber operations had been spread across 3PLA and 4PLA units, and the General Staff Department Third Department had been managing at least 12 operational bureaus and three research institutes. In December 2015, China established its new Strategic Support Force, whose responsibilities include electronic warfare, cyber offence and defence, and psychological warfare. In effect, PLA cyber forces were told to concentrate on operations in support of military goals and move out of industrial espionage.

The first publicly reported cyber espionage attempts in the wake of the agreement were either against military targets or involved the theft of dual-use technologies that would fall in the grey zone. Cyber industrial espionage attacks didn’t end, but instead were transferred to units connected with the Ministry of State Security.12 While the organisation of these groups is less well understood, the ministry appears more willing than PLA groups to use contractors to maintain plausible deniability and reduce the risk of attribution.

Several US cybersecurity company analysts have described the ministry groups’ tradecraft as significantly better than that displayed by the PLA.13 Hackers have made more use of encryption and gone after cloud providers and other IT services that would provide access to numerous targets. In April 2017, for example, security researchers at PwC UK and BAE Systems claimed that China-based hackers were targeting companies through their managed IT service providers.14 The Israeli cybersecurity company Intezer Labs concluded that Chinese hackers embedded malware in the popular file-cleaning program CCleaner.15 In June 2018, Symantec attributed attacks on satellite communications and telecommunication companies in the US and Southeast Asia to a China-based group.16

Outlook

Almost three years after the agreement, judgements on its effectiveness are much harsher. While a former intelligence official argued that US efforts did succeed in getting Beijing to acknowledge a difference between the cyber-enabled theft of IP and political–military espionage, other security researchers were more sceptical. As one put it, ‘Beijing never intended to stop commercial espionage. They just intended to stop getting caught.’ Another believed that Chinese policymakers decided to get credit for a decline in activity that was inevitable in the wake of the PLA reorganisation—a move that had been long in the works.

The Trump administration has pressed Beijing on cyber espionage, but as part of a much bigger push on trade policy and economic security. In November 2017, the Justice Department indicted three Chinese nationals employed by Chinese cybersecurity firm Boyusec, charging them with hacking into the computer systems of Moody’s Analytics, Siemens AG, and GPS developer Trimble Inc. ‘for the purpose of commercial advantage and private financial gain’.17 US Government officials reportedly asked for Chinese Government help in stopping Boyusec’s activities, but received no reply. Despite Recorded Future and FireEye claiming a connection between Boyusec and the Ministry of State Security, the indictment didn’t call out Chinese Government support for the hackers.18

The US Trade Representative’s March 2018 investigation of China’s policies and practices related to tech transfer and IP states that the US:

has been closely monitoring China’s cyber activities since this [the September 2015] consensus was reached, and the evidence indicates that cyber intrusions into US commercial networks in line with Chinese industrial policy goals continue. Beijing’s cyber espionage against US companies persists and continues to evolve.19

A draft trade framework allegedly provided by US negotiators to their Chinese counterparts, which circulated on Twitter and Weibo in May 2018, calls on Beijing to ‘immediately cease the targeting of American technology and intellectual property through cyber operations, economic espionage, counterfeiting, and piracy’.20

The current trade war with China has two sources: US concern about the bilateral trade deficit, and opposition to Beijing’s use of industrial policy and the theft of IP to compete in high-technology areas. While President Trump has been focused on the deficit, those within the administration pressuring Beijing on its mercantilism should push the cyber issue further up the bilateral agenda. A more direct policy would include a statement from a high-level US official, perhaps Secretary of State Michael Pompeo, that the hacking has resumed and that the US is prepared to use Executive Order 13694, ‘Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities’.21 Soon after, Washington would sanction individuals involved in the hacking as well as the firms that benefit from it.

Even if the White House were to follow such a policy line, it’s likely that Beijing will continue industrial cyber espionage. James Mulvenon argues that Chinese policymakers now believe that they’ve reached a new equilibrium with the US. Shifting industrial cyber espionage to the Ministry of State Security and deploying a higher level of tradecraft have created an equivalent of the hacking conducted by the US National Security Agency. If this is the case, it means that Beijing never truly accepted the distinction that Washington promoted between ‘good’ and ‘bad’ hacking, between cyber-enabled theft to support the competitiveness of Chinese industry and political–military espionage. Instead, Chinese policymakers saw the issue in terms of a high level of relatively ‘noisy’ activity (for which they were likely to get caught and be called out on). Bringing the hacking more in line with what it believes the National Security Agency conducts—a smaller number of hacks that nevertheless give the US large-scale access to Chinese assets—has, in Beijing’s view, resolved the issue. This isn’t the resolution the US hoped for when it first announced the September 2015 agreement, but it may be the one it has to live with now.

Australia

By Fergus Hanson and Tom Uren

The agreement

On 21 April 2017, following the groundbreaking Obama–Xi agreement in September 2015 and the G20’s acceptance of the norm against the ‘ICT-enabled theft of intellectual property’,22 Australia and China reached their own bilateral agreement. Buried somewhat within the joint statement that followed the inaugural Australia–China High-Level Security Dialogue was a paragraph on commercial cyber espionage:

Australia and China agreed not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information with the intent of obtaining competitive advantage.23 

As with previous agreements, the statement made an implicit distinction between tolerable espionage for political–military reasons and unacceptable espionage for commercial gain.

Both countries also agreed to act in accordance with the reports of the UN Group of Governmental Experts. The two countries agreed to establish a mechanism to discuss cybersecurity and cybercrime issues with a view to preventing cyber incidents that could create problems between them. This was highlighted in Australia’s International Cyber Engagement Strategy, in which Australia’s dialogues with other states, including China, were characterised as ‘an opportunity to deepen understanding of responsible state behaviour in cyberspace and foster cooperation to deter and respond to malicious cyber activities’.24

In China, the agreement received very limited attention. Xinhua produced a translation of the joint statement, which was then reproduced by the People’s Daily and posted on the Minister of Justice’s website.25

In Australia it received more attention, but the government wasn’t naive about the prospects for success. The Ambassador for Cyber Affairs, Tobias Feakin, was reported as saying ‘We do go into these things with our eyes wide open.’26

Pre-agreement commercial cyber espionage

Reliable public accounts of nation-state cyber espionage in Australia are hard to come by. Both government and industry have been reticent about openly attributing hacks and data breaches to particular nations. The Australian Government has also only more recently begun to ramp up its efforts to deal with the challenge of cybersecurity. The 2009–10 annual report of the Australian Security Intelligence Organisation (ASIO) stated that ‘cyber espionage is an emerging issue’.27 Since that time, ASIO’s annual reports have consistently mentioned that cyber espionage affecting commercial interests and for commercial intelligence is occurring, although details of what’s been stolen and by whom are omitted.

The Australian Cyber Security Centre (ACSC) Threat reports, issued from 2015, have also consistently mentioned threats to commercial IP and to other sensitive information, such as negotiation strategies or business plans.28 But, again, the reports fail to provide enough detail to determine whether it was Chinese espionage that occurred for commercial advantage.

While not publicly named, China is regarded as Australia’s primary cyber adversary, including in the area of IP theft. The fact that it remains unnamed in public statements from the government is perhaps the start of the explanation of why Australia’s policy response so far has been ineffective.

The miners

Australia is a large and significant exporter of iron ore, nickel, coal and other mineral resources to China. Iron ore is particularly significant in the trading relationship—China is the world’s largest importer and Australia the largest exporter, and in 2017 over 80% of Australian iron ore exports were to China.29

Although iron ore contracts are now based on monthly average prices, in the lead-up to 2010 iron ore prices were negotiated between buyers and sellers in fixed one-year contracts.30 Iron ore exports to China were large and growing rapidly, and the price negotiations had tremendous importance for the companies, economies and governments involved. Furthermore, a possible takeover bid for Rio Tinto from BHP led the state-owned Aluminium Corporation of China, Chinalco, to take an overnight 9% stake in Rio Tinto.

In this high-stakes environment, all three major iron ore miners in Australia were the victims of cyber espionage that was informally attributed to China.31 Given the large volume of iron ore trade, any information that could provide advantage in negotiations would be tremendously valuable. In 2012, MI5 Director-General Jonathan Evans revealed that an attack had cost a company—subsequently revealed to be Rio Tinto—an estimated £800 million (US$1.04 billion, A$1.43 billion, €891 million) in lost revenue, ‘not just through intellectual property loss but also from commercial disadvantage in contractual negotiations’.32

It also seems that a bribery case against a Rio Tinto executive and Chinese-born Australian citizen was used to enable further cyber espionage. It’s reported that their Rio Tinto credentials were used to download material from the Rio Tinto corporate network after they were arrested in China.33 If true, this sensational allegation directly links Chinese law enforcement actions to commercial espionage.

Since 2010, the mechanisms that determine prices are now based on market fluctuations, so the very strong incentives to gather information on annual price negotiations have been diminished. However, the high priority that the Chinese Communist Party gives to the secure supply of raw materials means there’s still an ongoing interest in gathering commercial intelligence on Australian mining companies.

The Bureau of Meteorology

In 2015, the Australian Bureau of Meteorology was compromised and a foreign intelligence service — subsequently reported to be Chinese34 — searched for and copied ‘an unknown quantity of documents from the Bureau’s network’.35 In this case it’s hard to definitively categorise the underlying motive. There doesn’t seem to be a direct motive to gather government or defence intelligence, but the bureau’s network could have been used as a launching point for further attacks into government networks. IP theft seems likely, as the bureau is a leading science-based services organisation in Australia, has strong international research partnerships and is involved in international research and development programs. Its compromise also provides the opportunity for widespread economic disruption, given that airlines, logistics organisations and industries such as agriculture rely on its services to operate. Its significant weather forecasting and supercomputer expertise would be valuable, too. But for all that this potential IP would be worth, it’s hard to confirm that it was both stolen and used for commercial advantage.

Operation Cloud Hopper

In April 2017, BAE Systems and PwC UK released a report into what they called Operation Cloud Hopper,36 a systematic global espionage campaign that compromised managed IT service providers, which remotely manage customer IT and end-user systems and generally have direct and unfettered access to client networks. The successful compromise of managed service providers for espionage allows considerable access to client networks and data.

This operation was attributed to a China-based group that’s widely known as APT 10 and Stone Panda. CERT Australia identified 144 partner companies that could have been affected.37 However, it isn’t publicly known which companies were affected and what was stolen. 

Summary

Official statements from ASIO and the ACSC indicate that commercial espionage before 2017 was a large and growing concern, but several factors make it difficult to determine who was stealing data and why they were doing it.

First, both government and business remain reluctant to formally attribute attacks to states because of both technical uncertainty (it takes time, skill and effort to develop high levels of confidence) and because of fears of damaging possibly important diplomatic, economic and intelligence relationships. 

Second, Australia implemented a data breach notification law only in February 2018, and that law doesn’t apply to the theft of IP and commercial-in-confidence data. 

Finally, before the ACSC was formally assigned whole-of-economy responsibilities in July 2018, there was no cybersecurity centre of gravity that could determine whether formal attribution was desirable and necessary.

Post-agreement commercial cyber espionage

The Australian National University hack

In July 2018, it was reported that Chinese hackers had ‘successfully infiltrated the IT systems at the Australian National University’ (ANU)38 and that a remediation effort had been ongoing for several months. As with the Bureau of Meteorology, it’s hard to definitively determine what was stolen and for what purpose. The ANU conducts research that has a wide range of applications, including defence, strategic and commercial applications, and it isn’t known what was stolen.

Many ANU graduates subsequently work in the Australian Government, and the ANU also hosts the National Security College, which conducts courses for defence and intelligence officials. Access to ANU IT systems would possibly be of value to enable follow-on espionage. Disentangling all the possible uses to which access to ANU could have been put is impossible without a forensic accounting of what was stolen. In August, the university advised that ‘current advice is that no staff, student or research data has been taken’, although that assessment was questioned by the International Cyber Policy Centre.39

The only publicly known target of Chinese hacking—the ANU—isn’t directly a government or military espionage target, but it’s possible the stolen data won’t be used for commercial gain (and therefore falls outside the scope of China’s agreement with Australia).

Outlook

Despite China’s commitments to Australia and the limited public evidence of commercial cyber espionage, Beijing doesn’t appear to have ceased commercial cyber espionage activities in Australia. However, assessing the scale of China’s ongoing commercial cyber espionage activity is difficult. The Australian Government has been reluctant to publicly name and shame adversary states engaging in cyber theft for commercial gain. China has also improved its tradecraft, making detection harder and perhaps leading to a mistaken perception that activity has become more focused. This professionalisation followed the exposure of the PLA’s previously sloppy tradecraft and probably the internal restructure (mentioned in the ‘United States’ section of this report) that shifted responsibility for commercial cyber espionage from the PLA to the Ministry of State Security. Australia also has relatively less commercially attractive IP than countries such as the US and Germany, so few examples come to light.

Official statements from ASIO and the ACSC don’t reflect a significant decline in the threat of IP or commercial-in-confidence data theft. Public statements from government officials and the publicly known target—a university—don’t indicate a significant change in the nature of Chinese cyber espionage. While this review indicates how difficult it is to clearly identify cyber espionage for competitive advantage, China remains Australia’s primary cyber adversary and is making greater efforts to disguise and focus its commercial cyber espionage.

In a partial nod to keeping its agreements, China seems to be focusing on the theft of dual-use and national security related data. For China, this seems to incorporate a fairly wide range of sectors (such as mining) that goes well beyond sectors such as defence. To begin the process of increasing pressure on China to adhere to its agreements, Australia should identify opportunities to formally name adversary states, including China, in public documents and statements. A good place to start is the annual ACSC Threat report. Australia should also consider partnering with states subjected to similar IP theft by China to build and sustain pressure on Beijing to adhere to its agreements. The G20 offers a multilateral venue for keeping up pressure, but other ad hoc opportunities should also be identified.

Germany

By Dr Samantha Hoffman

Consultation mechanism

No formal bilateral agreement on preventing commercial cyber espionage exists between Germany and China. However, a joint declaration from the June 2016 4th China–Germany Intergovernmental Consultations stated that the two governments would set up a ‘bilateral cyber security consultation mechanism’.40 Both sides also agreed that neither operates or knowingly supports ‘the infringement of intellectual property, trade or business secrets through the use of cyberspace in order to attain competitive advantage for their businesses or commercial sectors’.

The first cybersecurity consultation wasn’t held until 17 May 2018.41 Efforts to establish the consultation were delayed, in part because the two sides had different expectations regarding topics and participants. The delays also led to a public exchange between German Ambassador to China Michael Clauss and the Chinese Foreign Ministry. In a December 2017 interview with the Hong Kong-based South China Morning Post, Clauss was quoted saying that he expected the Chinese Government to join Germany in setting up the agreed consultation mechanism. He also said, ‘Our repeated requests to have a meaningful dialogue on [virtual private networks] and cyber-related questions with the relevant Chinese authorities have regrettably not yet received a positive response.’ The comments prompted a reply from Chinese Foreign Ministry spokeswoman Hua Chunying, who claimed, ‘China has repeatedly invited a German delegation to China for consultation, but Germany has never responded on time … It’s unreasonable for Germany now to criticise Beijing for not being sincere.’

The eventual May 2018 consultation, which took place in Beijing, was co-chaired by Chinese Vice Minister of Public Security Shi Jun and German Parliamentary State Secretary at the Federal Ministry of the Interior Professor Dr Günter Krings. The German Government insisted that the Ministry of Public Security and a member of the Central Political and Legal Affairs Commission were also present.

Although the meeting was officially described as a success,42 no tangible progress was made during the consultation to substantively address key issues. The German Government insisted that discussion focus on commercial cyber espionage and issues such as data protection and virtual private networks. These were all topics that the Chinese Government preferred to avoid. The Chinese Government instead wanted to discuss cybercrime and cyber terrorism, but there are major differences in the way those concepts are defined. Chinese officials have regularly pushed the German Government to deport political opponents in the Uygur community, which Berlin has continually refused to do because Beijing can provide no evidence to support its claims.

The cyber consultation was again discussed during the July 2018 5th China–Germany Intergovernmental Consultations in Berlin. A joint statement said that the consultation would continue as a key platform for discussing cyber issues, including cross-border data protection and IP and trade infringements.43

Dealing with commercial cyber espionage

The 2016 and 2017 editions of the German Federal Ministry of the Interior’s Annual report on the protection of the Constitution (published in July 2017 and July 2018, respectively) both specifically identified China alongside Russia and Iran as the primary countries responsible for espionage and cyberattacks against Germany.44 The reports said that ‘Chinese intelligence services focus on industry, research, technology and the armed forces (structure, armament and training of the Bundeswehr, modern weapons technology).’45 A separate July 2017 report by Bitkom, Germany’s digital industry association, found that German companies lose €55 billion (US$64 billion, A$88 billion) annually due to commercial cyber espionage affecting about 53% of German companies.46

The number of known China-originated commercial cyber espionage attacks against German companies dropped in the past two years, according to the head of the Federal Office for the Protection of the Constitution (BfV), the German domestic intelligence agency.47 Other German Government officials confirmed the appearance of a decrease, but added that they’re unsure whether there had been one. There’s an equally high likelihood that cyber espionage has become more sophisticated, and better targeted, and therefore has been undetected.

The decline in known cyber espionage incidents has also been linked to a sharp increase in Chinese foreign direct investment in high-tech and advanced manufacturing industries in 2016. The BfV head, Hans-Georg Maassen, made a similar claim and linked the decline with an increase in the use of legal tools for obtaining the same information, such as corporate takeovers. Maassen said ‘industrial espionage is no longer necessary if one can simply take advantage of liberal economic regulations to buy companies and then disembowel them or cannibalise them to gain access to their know-how.’48 The German Government took steps in July 2017 to address concern by amending the Foreign Trade and Payments Ordinance to tighten restrictions on non-EU foreign investment in Germany. The move was partly triggered by the €4.5 billion (US$5.3 billion, A$7.2 billion) takeover of German industrial robotics maker Kuka by Chinese appliance maker Midea.

The amendment identified several sectors that would be subject to higher scrutiny. They include companies operating critical infrastructure, IT and telecommunications, and certain cloud computing providers. Previously, non-EU companies weren’t obliged to inform the government of an acquisition (of 25% or more of voting rights) of a German company unless they were involved in the development and manufacturing of defence and encryption technology. The July 2017 amendment, however, expanded the notification requirement to include critical infrastructure and other security-related technology.49 The amendment refers to sectors identified in the 2013 Foreign Trade and Payments Ordinance section 55, which include energy, water, IT, financial services, insurance, transportation, food and health.50

The amendment also extended the period for the Ministry of Economic Affairs and Energy to conduct reviews. There are two foreign investment review categories: ‘cross-sectoral investment review’ and ‘sector-specific investment review’. Cross-sector reviews apply to the acquisition of any company where the investor is located outside the EU or the European Free Trade Association and plans to acquire ownership of 25% or more.51 Sector-specific reviews apply to the acquisition of a company that operates in sensitive security areas. In addition to military weapons and equipment, this includes ‘products with IT security features that are used for processing classified government information’.52

Similar rules apply for companies that operate high-grade remote sensing systems under the Act on Satellite Data Security.53 Previously, the ministry was required to conduct a cross-sectoral investment review within two months, but is now given four months.54 For sector-specific reviews, it was previously required to conduct a review within one month and is now given three months.55 The German Government has further identified a need to tighten controls on the loss of sensitive information in the area of cross-border data protection.

Outlook

Assessing the scale of Chinese commercial espionage activity is difficult, and very little information is made publicly available. The German Government remains sceptical about China’s commitment to cease the infringement of IP, trade or business secrets through the use of cyberspace. However, the government feels that some dialogue is better than no dialogue. It hopes to leave open the possibility of a more intensive dialogue in future. One German official said that the government is pushing for the Chinese side to ‘behave as [it would] wish to be treated’ in an increasingly interconnected world.


What is ASPI?

The Australian Strategic Policy Institute (ASPI) was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

The ASPI International Cyber Policy Centre’s mission is to shape debate, policy and understanding on cyber issues, informed by original research and close consultation with government, business and civil society. It seeks to improve debate, policy and understanding on cyber issues by:

  1. conducting applied, original empirical research
  2. linking government, business and civil society
  3. leading debates and influencing policy in Australia and the Asia–Pacific.

We thank all of those who contribute to the ICPC with their time, intellect and passion for the subject matter. The work of the ICPC would be impossible without the financial support of our various sponsors.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.

© The Australian Strategic Policy Institute Limited 2018
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers.

First published September 2018

Cover image: Illustration by Wes Mountain. ASPI ICPC and Wes Mountain allow this image to be re-published under the Creative Common License Attribution-Share Alike. Users of the image should use this sentence for image attribution: ‘Illustration by Wes Mountain, commissioned by ASPI’s International Cyber Policy Centre’.

Sydney Recommendations – Practical Futures for Cyber Confidence Building in the ASEAN region

In the lead-up to the ASEAN–Australia Special Summit, ASPI’s International Cyber Policy Centre launched an initiative with partners across the region to develop the Sydney Recommendations on Practical Futures for Cyber Confidence Building in the ASEAN region.

These recommendations build on the extensive work undertaken by the think-tank community in the region starting in the early 2010s.

Defining offensive cyber capabilities

Introduction

States are developing and exercising offensive cyber capabilities. The United States, the United Kingdom and Australia have declared that they have used offensive cyber operations against Islamic State,1 but some smaller nations, such as the Netherlands, Denmark, Sweden and Greece, are also relatively transparent about the fact that they have offensive cyber capabilities.2 North Korea, Russia and Iran have also launched destructive offensive cyber operations, some of which have caused widespread damage.3 The US intelligence community reported that as of late 2016 more than 30 states were developing offensive cyber capabilities.4

There is considerable concern about state-sponsored offensive cyber operations, which this paper defines as operations to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.

It is assumed that common definitions of offensive cyber capabilities and cyber weapons would be helpful in norm formation and discussions on responsible use.

This paper proposes a definition of offensive cyber operations that is grounded in research into published state doctrine, is compatible with definitions of non-kinetic dual-use weapons from various weapons conventions and matches observed state behaviour.

In this memo, we clearly differentiate offensive cyber operations from cyber espionage. We address espionage only in so far as it relates to and illuminates offensive operations. Only offensive cyber operations below the threshold of armed attack are considered, as no cyber operation thus far has been classified as an armed attack, and it appears that states are deliberately operating below the threshold of armed conflict to gain advantage.5

This paper examines the usefulness of defining cyber weapons for discussions of responsible use of offensive cyber capabilities. Two potential definitions of cyber weapons are explored—one very narrow and one relatively broad—before we conclude that both definitions are problematic and that a focus on effects is more fruitful.

Finally, the paper proposes normative courses of action that will promote greater strategic stability and reduce the risk of offensive cyber operations causing extensive collateral damage.

Definitions of offensive cyber capabilities

This section examines definitions of offensive cyber capabilities and operations in published military doctrine and proposes a definition consistent with state practice and behaviour. We first define operations and capabilities to clarify the language used in this report.

What are capabilities? In the context of cyber operations, having a capability means possessing the resources, skills, knowledge, operational concepts and procedures to be able to have an effect in cyberspace. In general, capabilities are the building blocks that can be employed in operations to achieve some desired objective. Offensive cyber operations use offensive cyber capabilities to achieve objectives in or through cyberspace.

US military joint doctrine defines offensive cyber operations as ‘operations intended to project power by the application of force in and through cyberspace’. One category of offensive cyber operations that US doctrine defines is ‘cyberspace attack’—actions that manipulate, degrade, disrupt or destroy targets.6

UK military doctrine defines offensive cyber operations as ‘activities that project power to achieve military objectives in, or through, cyberspace. They can be used to inflict temporary or permanent effects, thus reducing an adversary’s confidence in networks or capabilities. Such action can support deterrence by communicating intent or threats.’7 UK doctrine further notes that ‘cyber effects will primarily be in the virtual or physical domain, although some may also be in the cognitive domain, as we seek to deny, disrupt, degrade or destroy.’

In both UK and US military doctrine, offensive operations are a distinct subset of cyberspace operations, which also include defensive actions; intelligence, surveillance and reconnaissance; and operational preparation of the environment—non-intelligence enabling activities conducted to plan and prepare for potential follow-on military operations.

This is consistent with the Australian definition, which is that offensive cyber operations ‘manipulate, deny, disrupt, degrade or destroy targeted computers, information systems or networks’.8

The Netherlands’ defence organisation sees offensive cyber operations as ‘digital resources whose purpose it is to influence or pre-empt the actions of an opponent by infiltrating computers, computer networks and weapons and sensor systems so as to influence information and systems’.9

Two common threads in state definitions are identified. Offensive cyber operations:

  • are intended to deny, disrupt, degrade, destroy or manipulate targets to achieve broader objectives (henceforth called denial and manipulation effects)
  • have a ‘direct real-world impact’.10

Another observation is that these definitions stress that ‘while cyber operations can produce stand-alone tactical, operational, and strategic effects and achieve objectives, they must be integrated’ in a military commander’s overall plan.6 This doctrine, however, originates from military establishments within a relatively narrow range of countries. In other states, offensive cyber operations may well be less integrated into military planning and will occur to achieve the political and/or strategic goals of the state leadership.11

This paper proposes that offensive cyber operations manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.

There are relatively few publicly available offensive cyber doctrine documents, but observed behaviour indicates that states such as Iran, North Korea and Russia are using operations that cause denial and manipulation effects to support broader strategic or military objectives.

By definition, offensive cyber operations are distinct from cyber-enabled espionage, in which the goal is to gather information without having an effect. When information gathering is a primary objective, stealth is needed to avoid detection in order to maintain persistent access that allows longer term intelligence gathering.

This definition does classify relatively common events, such as ransomware attacks, website defacements and distributed denial of service (DDoS) attacks, as offensive cyber operations.

Although the ‘manipulate, deny, disrupt, degrade or destroy’ element of the definition lends itself to segmentation into different levels, further examination shows that segmentation based on the type of attack is not particularly useful. Information and communication technology (ICT) infrastructure is inherently interconnected, and even modest disruption can cause relatively drastic second-order effects. Modifying the state of a control system, for example, could lock a person’s garage or launch a nuclear missile.

Conversely, seriously destructive attacks, such as data wipers, can have damaging effects on different scales. Compare the damage caused when North Korea infiltrated the Sony Pictures Entertainment network12 with the damage caused during the Russian-launched NotPetya attack.13 At Sony Pictures, more than 4,000 computers were wiped and, although that cost US$35 million to investigate and repair, it did not significantly affect the broader Sony corporation14 and did not directly affect other entities. The NotPetya event also involved data destruction, but it was probably the most damaging cyberattack thus far: US$300 million in damages for FedEx; US$250–300 million for Danish shipper Maersk15; more than US$310 million for American pharmaceutical giant Merck; US$387 million for French construction giant Saint-Gobain; and US$150 million for UK chocolate maker Mondelez International. It is possible that flow-on effects from the disruption to the logistics and pharmaceutical industries may have affected the broader global economy.

Table 1 is a selected list of state activities that this paper defines as offensive cyber operations. Those operations are assessed for the scale, seriousness, duration and specificity of their effect.

Ultimately, the seriousness of a cyberattack is based on its ultimate effects or on the effects that it enables. The scale and seriousness of incidents should be based upon measuring the ultimate consequences of an incident and the economic and flow-on effects.

Table 1: State offensive cyber operations

| Operation | Seriousness | Scale | Duration | Specific |
|---|---|---|---|---|
| NotPetya | High—data destruction | Global. Affected organisations in Europe, US and Asia (Maersk, Merck, Rosneft, Beiersdorf, DHL and others) but also a concentration in Ukraine (banking, nuclear power plant, airports, metro services). | Short-term, with recovery over months to a year. | No |
| WannaCry | High—data destruction | Global, but primarily in Russia, Ukraine, India and Taiwan, affecting multinationals, critical infrastructure and government. | Short-term, with recovery over months to a year. | No |
| Sony Pictures Entertainment | High—data destruction | Focused on Sony Pictures Entertainment (<7,600 employees), a subsidiary of Sony Corporation (131,700 employees in 2015) (a) | Short-term, with recovery in months. | Yes |
| Stuxnet | High—destruction of centrifuges | Focused on Iran’s nuclear weapon development programme | <1 year | Yes |
| Various offensive cyber operations against ISIS by US, Australia, UK | Varied—some data destruction but also denial and manipulation effects | Focused on Islamic State | Unknown | Yes |
| Estonia 2007 | Medium—temporary denial of service | Principally Estonian electronic services, affecting many European telcos and US universities | 3 weeks | Yes |

(a) Sony Corporation, US Securities and Exchange Commission Form 20-F, FY 2016 [online]

Cyber weapons and arms control

Cyber weapons are often conceived of as ‘powerful strategic capabilities with the potential to cause significant death and destruction’,16 and in an increasingly interconnected world it is easy to speculate about catastrophic effects. It is also difficult to categorically rule out even seemingly outlandish offensive cyber scenarios; for example, it seems unlikely that a fleet of self-driving cars could be hacked to cause mass destruction, but it is hard to say with certainty that it is impossible.17 Although the reality is that offensive cyber operations have never caused a confirmed death, this ‘uncertainty of effect’ is potentially destabilising, as states may develop responses based on practically impossible worst-case scenarios.

In a Global Commission on the Stability of Cyberspace issue brief, Morgus et al. look at countering the proliferation of offensive cyber capabilities and conclude that limiting the development of cyber weapons through traditional arms control or export control is unlikely to be effective.18 This paper agrees, and contends that previous arms or export control agreements may succeed where the following three conditions are present:

  1. Capability development is limited to states, usually because weapons development is complex and highly industrialised.
  2. There is a common interest in limiting proliferation.
  3. Verification of compliance is possible.

Perhaps only one of these three conditions—a common interest in limiting proliferation—exists in the world of cyber weapons, although even this is not immediately self-evident.

In the context of international arms control, a limited number of capability developers usually means that only states (and ideally only a small number of states) have the ability to develop weapons of concern, that states have effective means to control proliferation, or both. In cyberspace, however, there are many non-state actors—in the cybersecurity industry and in the criminal underworld19—developing significant cyber capability. Additionally, the exchange of purely digital goods is relatively difficult for states to control compared to exchanges of physical goods. States do not have a monopoly on capability development and find it difficult to effectively control the spread of digital goods, and therefore cannot credibly limit broader capability development.

For chemical, biological and nuclear weapons, the human suffering caused by their use is generally abhorred and there is a very broad interest in restraining the use of those weapons. Offensive cyber operations, by contrast, could achieve military objectives without causing human suffering; for example, the warfighting capability of an adversary could be degraded by disrupting their logistics such that military objectives could be achieved without fighting. It has been suggested that states have a ‘duty to hack’ when the application of offensive cyber operations will result in less harm than all other applications of force,20 and the UK’s Minister of State for the Armed Forces, Nick Harvey, noted in 2012 that offensive cyber operations could be ‘quite a civilised option’ for that reason.21

Additionally, cyber weapons can be developed entirely in environments where visibility for verification is impossible, such as in air-gapped networks in nondescript office buildings. Unlike for weapons of mass destruction, there are no factories or supply chains that can be examined to determine whether capabilities exist and stockpiles are being generated.22

Unlike many military capabilities—say, nuclear-armed submarines or ballistic missiles—offensive cyber capabilities are unique in that once defenders have technical knowledge of the potential attack, effective countermeasures can be developed and deployed relatively easily.23

For this reason, states already have considerable interest in limiting the proliferation of offensive cyber capabilities—they want to keep those capabilities secret so they can exploit them. The US Vulnerabilities Equities Process (VEP) policy document24 states that when the US Government discovers vulnerabilities25 most are disclosed, but some will be kept secret to satisfy law enforcement or national intelligence purposes where the risk of the vulnerability is judged to be outweighed by possible intelligence or other benefits. Undoubtedly, all states that engage in vulnerability discovery will have a common interest in keeping at least some secret so that they can be exploited for national security purposes.

Defining cyber weapons

Despite scepticism about the effectiveness of traditional arms control, this paper develops both a narrow and a broad definition of cyber weapons to test whether those definitions could be useful in arms control discussions. The definitions have been developed by examining selected international weapons conventions and previously published definitions.

One problem with defining cyber weapons is that cyber technologies are primarily dual-use: they can be used for both attack and defence, for peaceful and aggressive purposes, for legal and illegal activities. Software can also be quite modular, such that many cybersecurity or administrative tools can be brought together to form malware.

Weapons in the physical domain have been categorised into three groups: small arms and light weapons; conventional arms; and weapons of mass destruction (WMD).26 Given that cyber weapons are often conceived of as potentially causing mass destruction and because WMDs are subject to the most rigorous international counter-proliferation regimes, this paper examines definitions through the perspective of the dual-use WMD counter-proliferation Chemical Weapons Convention and Biological Weapons Convention.27

Biological weapons, a class of WMD, are described as (our emphasis):28

  1. microbial or other biological agents, or toxins whatever their origin or method of production, of types and in quantities that have no justification for prophylactic, protective or other peaceful purposes;
  2. weapons, equipment or means of delivery designed to use such agents or toxins for hostile purposes or in armed conflict.

The Chemical Weapons Convention defines chemical weapons as (our emphasis):29

  • toxic chemicals and their precursors, except where intended for purposes not prohibited under the Convention and as long as the types and quantities are consistent with such purposes; and
  • munitions and devices, specifically designed to cause death or other harm through the toxic properties of those chemicals …

These conventions, both of which deal with dual-use goods, define by exclusion: only substances that do not or cannot have peaceful purposes are defined as weapons. The material of concern is not inherently a problem—it is how it is used.

In the context of armed conflict, the Tallinn Manual characterises cyber weapons by the effects they have, not by how they are constructed or their means of operation:

cyber weapons are cyber means of warfare that are used, designed, or intended to be used to cause injury to, or death of, persons or damage to, or destruction of, objects, that is, that result in the consequences required for qualification of a cyber operation as an attack.30

Herr and Rosenzweig define cyber weapons as malware that has a destructive digital or physical effect, and exclude malware used for espionage.31 Herr also considers that malware is modular and consists of a propagation element that the malware uses to move from origin to target; an exploit that will allow the malware to execute arbitrary commands on the target system; and a payload that will execute some malicious instructions.

Rid and McBurney define cyberweapons as ‘computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings’.32

A narrow definition

Following the logic of dual-use weapons conventions, a narrow definition of cyber weapons is software and information technology (IT) systems that, through ICT networks, cause destructive effects and have no other possible uses. The IT system aspect of this definition requires some level of integration and automation in a weapon: code that wipes a computer hard disk is not a weapon by itself—by itself it cannot achieve destructive effects through cyberspace—but could form part of a weapon that wipes hard drives across an entire organisation.

Based on this narrow definition, Table 2 shows our assessment of whether reported malware examples would be defined as cyber weapons.

Table 2: Cyber weapon assessment

| Malware or system | Description | Weapon |
|---|---|---|
| Distributed denial of service (DDoS) systems | Aggregation of components, including bots and control software, such that they have no other purpose than to disrupt internet services. | Yes, although this is arguable because effects tend to be temporary (disruptive and not destructive). Each individual component is likely to have non-destructive uses. |
| Dragonfly a.k.a. Energetic Bear campaign (a) | Espionage campaign against energy critical infrastructure operators that developed industrial control system sabotage capabilities. | No. This was both manual and for espionage only; it never disrupted critical operations. However, the intent demonstrated is to develop capabilities to disrupt critical infrastructure. |
| Blackenergy 2015 Ukrainian energy grid attack (b) | Access to Ukrainian energy company was used to disrupt electricity supply. | No. Blackenergy malware was very modular and this attack was quite manual. This malware does contain destructive capability. |
| Industroyer a.k.a. Crashoverride malware (c) | Malware in a Ukrainian energy supply company was used to disrupt electricity supply. | Yes. Integrated malware disrupted electricity supply automatically. |
| TRISIS malware (d) | Malware intended to sabotage a Saudi Arabian petrochemical plant. | Yes. Malware with no espionage capability was specifically designed to destroy a petrochemical plant. |
| WannaCry | A self-propagating data wiper. | Yes. Malware with no espionage capability was designed to irreversibly encrypt computer hard drives. |
| Metasploit | An integrated collection of hacking tools that can be used for defence, for espionage, or for destruction and manipulation. | No. Metasploit has many non-destructive uses and is not integrated into a system that causes destruction. |
| NotPetya | A self-propagating data wiper. | Yes. Automatically destroyed data. |
| Flame, Snake, Regin | Very advanced modular malware. | No. These could cause denial and manipulation effects and could be automated but have other uses. They seem to be designed primarily for espionage. |
| Stuxnet | Self-propagating malware that subverted industrial control systems to destroy Iranian nuclear fuel enrichment centrifuges. | Yes. Highly tailored to automatically destroy targeted centrifuges. |
| Large-scale man-in-the-middle attack system (e.g. mass compromise of routers) (e) | Compromise of many mid-points could enable large-scale access that could be used to enable intelligence, destruction or manipulation, or even to patch systems. | No. Intent is everything here. |
| Powershell | A powerful scripting and computer administration language installed by default with the Windows operating system. | No. Many non-destructive uses. |
| A Powershell script designed to automatically move through a network and wipe computers. | Destructive intent is codified within the script commands. | Yes. |

  • a) Symantec, Dragonfly: Western energy companies under sabotage threat, 2014, online.
  • b) Kim Zetter, ‘Inside the cunning, unprecedented hack of Ukraine’s power grid’, Wired, 3 March 2016, online.
  • c) Andy Greenberg, ‘“Crash override”: the malware that took down a power grid’, Wired, 12 June 2017, online; Robert M Lee, ‘Crashoverride’, Dragos, 12 June 2017, online; Anton Cherepanov, Robert Lipovsky, ‘Industroyer: biggest threat to industrial control systems since Stuxnet’, welivesecurity, 12 June 2017, online.
  • d) Nicole Perlroth, Clifford Krauss, ‘A cyberattack in Saudi Arabia had a deadly goal: experts fear another try’, New York Times, 15 March 2018, online; TRISIS malware: analysis of safety system targeted malware, Dragos, online.
  • e) US CERT, Russian state-sponsored cyber actors targeting network infrastructure devices, Alert TA18-106A, 16 April 2018, online.

This narrow definition is consistent with the narrowness of definitions from both the Biological Weapons Convention and the Chemical Weapons Convention, both of which deal with dual-use goods.

The definition captures intent by excluding all other tools where intent is ambiguous; only tools that can only be used for destruction are included.

This narrow definition is problematic for at least three reasons.

First, it does not map directly onto state definitions of offensive cyber activities—actions that manipulate, disrupt, deny and degrade would likely not be captured and so much offensive cyber activity will not involve cyber weapons. The offensive cyber operation, for example, that US Cyber Command conducted against Islamic State’s propaganda operations did not require cyber weapons. Cyber Command obtained Islamic State administrator passwords and deleted content and changed passwords to lock out the original owners.33 This offensive cyber operation could have been entirely conducted using standard computer administration tools. No malware, no exploit, no software vulnerability and certainly no cyber weapon was needed.

Second, even the most destructive offensive cyber operations could be executed without ever using a cyber weapon. For example, a cyber operation that triggered the launch of conventional or nuclear weapons would not require a cyber weapon.

Third, this definition could easily be gamed by adding non-destructive functionality to otherwise malicious code.

A broader definition

A broader definition of cyber weapons could be software and IT systems that, through ICT networks, manipulate, deny, disrupt, degrade or destroy targeted information systems or networks.

This definition has the advantage that it would capture the entirety of tools that could be used for offensive cyber operations.

Many cyber operations techniques, however, take advantage of computer administration tools, and the difference between espionage and offensive action is essentially a difference in intent; for example, the difference between issuing a command to copy files and issuing one to delete files. Indeed, it is possible to conduct cyber operations—both intelligence and offensive operations—using only legitimate tools such as the scripting language Windows Powershell.34 Yet it makes no sense to define what could be used for destructive effects as a cyber weapon; it is nonsensical to label Powershell as a cyber weapon.

This definition would also include perfectly legitimate tools that state authorities and the cybersecurity community use for law enforcement, cyber defence, or both.

These two definitions highlight the dilemma involved in defining cyber weapons. A narrow definition can perhaps be more readily agreed to by states, but excludes so much potential offensive cyber activity that efforts to limit cyber weapons based on that definition seem pointless. The broader definition would capture tools used for so many legitimate purposes that agreement on their status as weapons is unlikely, and limitations could well harm network defenders more than attackers.

Options for control

This paper therefore agrees with Morgus et al.35 that limiting the development of cyber weapons by controlling the development of defined classes of weapons is unlikely to be effective. There are, however, options for more effective responses that focus on affecting the economics of offensive cyber operations and the norms surrounding their application.

Affecting the markets involved in offensive cyber capability development would raise the cost of capability development and encourage states to conduct operations sparingly.

One market associated with cyber capabilities is that for software vulnerabilities and their associated exploits (code that takes advantage of a vulnerability). Software vulnerabilities are often exploited by malware to gain unauthorised access to computer systems and are often—although not always—required for offensive cyber capabilities. Ablon and Bogart have found that the market price for software exploits is sensitive to supply and that prices can rise dramatically for in-demand, low-supply products.36 A multifaceted approach to restricting supply could raise the cost of acquiring exploits and therefore the cost of building offensive cyber capabilities.

Shifting the balance of vulnerability discovery towards patching (rather than exploitation for malicious purposes) would raise the value of all vulnerabilities. One possibility, noted by Morgus et al. and suggested by Dan Geer in a 2014 BlackHat conference keynote, is that software vulnerabilities are bought for the express purpose of developing fixes and patches.37

A secondary response would be to enable more effective repair of vulnerabilities that would close the loopholes that enable computer exploitation. NotPetya, assessed by the US Government to be the most destructive cyberattack thus far,38 used publicly known vulnerabilities for which patches had been available for months. Effective cyber hygiene would have prevented much of the damage that NotPetya caused.

From a policy point of view, this could be attacked at several levels by encouraging research into vulnerability mitigation and more effective patching processes; educating decision-makers to prioritise and resource vulnerability discovery and patching; government policy to encourage more effective patching regimes; and promoting VEP policies in other states (discussed below).

Whenever a vulnerability is exploited for any purpose—including cyber espionage, offensive operations and cybercrime—there is a risk of discovery, which could ultimately result in patching and loss of the ability to exploit the vulnerability. Raising the value of all vulnerabilities will encourage states to use offensive cyber capabilities sparingly to avoid discovery and hence loss of capability via patching.

A complementary approach would be to change incentives within software development to encourage secure application development. Again, this could be approached at many levels: altering computer science curriculums; promulgating secure coding standards;39 and altering the balance of liability in commercial code, for example.

Reducing the supply of exploits and raising their cost encourages states to conduct cyber operations in a way that avoids attracting attention to mitigate the risk of discovery and loss of capability. This effort to operate quietly would vastly reduce the risk of inadvertent large-scale damaging events.40

Recommendation: Encourage the establishment of national vulnerabilities equities processes

There is a common interest among all states that are conducting cyber operations—defensive or offensive—in actively assessing the risk and benefits of keeping vulnerabilities secret for exploitation. The US VEP document states that in ‘the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest’. Assuming this is true, the presence of VEP policies in many states would tend to result in more responsible disclosure and patching and therefore result in a reduced supply of vulnerabilities and exploits.

This reduced supply of vulnerabilities would raise the cost of offensive capability development and therefore restrict proliferation and reduce the use of offensive operations.

Recommendation: Promote focused operations

Unlike a kinetic weapon, for which direct consequences such as blast radius may be well understood, offensive cyber operations can easily have unintended consequences. Since states are conducting offensive cyber operations below the threshold of armed conflict, another option to limit offensive operations is to promote operations that are tightly focused so that operations do not affect innocent bystanders.

We have assessed that both the Sony Pictures and Stuxnet attacks were specific, as both affected specific targets and did not cause direct effects elsewhere (Table 1). The NotPetya and WannaCry incidents were not specific: they affected many organisations world-wide.

It is possible, therefore, to conduct focused offensive cyber operations that are specific and limit collateral damage; it is not an inherent fact of cyberspace that operations cannot be targeted and specific. To reduce the risks of collateral damage, there would be merit in promoting a norm of ‘due diligence’ for offensive cyber operations, requiring that states invest in rigorous testing to ensure that effects are contained before engaging in offensive cyber operations.

Recommendation: Measure damage for more effective responses

In addition to altering the computer vulnerability lifecycle, governments should also respond directly to cyber operations. Effective responses should be both directed against perpetrators and proportionate. Currently, both the identification of perpetrators (attribution) and the assessment of damage (to determine a proportionate response) are suboptimal. Much has been said about attribution, and this paper will not cover it further.

When state-sponsored operations such as NotPetya and WannaCry occur, there is no independent assessment of damage. An accurate accounting of harm could be used to justify an appropriately proportionate response.

NotPetya has been called ‘the most destructive and costly cyber-attack in history’.41 It seems that total cost estimates of over US$1 billion are based on collating the financial reports of public companies such as Merck,42 Maersk,43 Mondelez International44 and FedEx,45 and then adding a ‘fudge factor’ to account for all other affected entities. Publicly listed companies have formal reporting obligations, but the vast majority of entities affected by NotPetya do not, and it seems likely that the cost of NotPetya has been significantly understated.

An independent body that identifies common standards, rules and procedures for assessing the cost of cyberattacks could enable a more accurate measure of damage. The International Civil Aviation Organization’s system for air crash investigations may provide a framework.46 It assigns a role for various stakeholders, including the airline, the manufacturer, the registrar and so on. The investigation is assigned to an autonomous safety board with the task of assessing what happened, not who was at fault.47 For a cyber incident, an investigation board could include a national cybersecurity centre, the affected entity, the manufacturer of the affected IT system, relevant software developers and other stakeholders.

Using assessments of scope and seriousness to develop proportionate responses would encourage attackers to construct focused and proportionate offensive cyber operations.

Recommendation: Invest in transparency and confidence building

We have noted above that uncertainty about the effects caused by offensive cyber operations has the potential to be destabilising. State transparency in the use of offensive cyber operations could address this concern and help promote norms of responsible state behaviour.

Figure 1 shows the lifecycle of an offensive cyber capability, starting at the point that a state forms an intent to develop capability. Resources are committed; intelligence is gathered to support capability development; capability is developed; the environment is prepared (by deploying malware, for example); and finally the operation is launched and effects are observed. Crucially, there are distinct elements during this lifecycle that require operation on the public internet and are therefore potentially observable: intelligence gathering, operational preparation of the environment, and offensive cyber effects (in orange).48

Figure 1: Offensive cyber capability lifecycle

Although it is not possible to see or measure cyber weapons, to quantify them or inspect ‘cyber weapon factories’, a level of confidence-building transparency can still be achieved. Public doctrine that defines a nation’s strategic intent and its assessment of acceptable and responsible uses of offensive cyber operations would be extremely helpful.

This visibility may be sufficient to enhance confidence building as predictability is increased. Many responsible states will be reluctant to deviate from public statements regarding offensive cyber capability development because effects may become visible at a later stage, prompting incident response, forensic analysis and maybe political attribution and embarrassment.

There is already some public documentation of offensive cyber capabilities. There are unclassified doctrines, official statements and unofficial reporting on the states that have—or are developing—offensive capability. There are also voluntary national reports in the context of the UNGGE. Additionally, open source verification by research institutes such as the SIPRI Yearbook, IISS Military Balance and reports similar to the Small Arms Survey are authoritative and credible sources that inform policy actions by states. Finally, independent analysis and reporting from cybersecurity companies such as Symantec, Crowdstrike, BAE Systems and FireEye provides invaluable technical information. These firms also play a key role in early detection and response.

Summary and conclusion

Offensive cyber capabilities are defined as operations in cyberspace to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.

This paper has examined narrow and broad definitions of cyber weapons and found them problematic for use in control discussions.

However, a range of other measures would help limit the use of offensive cyber capabilities and reduce the risk of collateral damage when they are used:

  • Markets for the vulnerabilities that are used to create offensive cyber capabilities can be affected to make capability development more expensive. VEP processes would form one element of a broader effort to patch vulnerabilities and restrict supply.
  • Promoting the principle that offensive cyber operations should be focused and taking active steps to limit unintended consequences could limit the effects of operations on innocent bystanders, including through the promotion of the concept of ‘due diligence’.
  • Responses to cyber incidents could also be improved by better accounting of the damage incurred. A robust assessment of damage using agreed standards would enable a more directly proportionate response and would help reinforce the expectation of specific and proportionate offensive cyber operations.

Finally, increased state transparency would promote acceptable norms of behaviour. Although monitoring and verification are difficult, this paper presents an offensive cyber operation lifecycle that indicates that various stages provide some visibility, which could build confidence.


Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.

© The Australian Strategic Policy Institute Limited 2018

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers.

  1. Michael S Rogers, Commander US Cyber Command, statement to the Senate Committee on Armed Services, 27 February 2018, online; Prime Minister Malcolm Turnbull, ‘Offensive cyber capability to fight cyber criminals’, media release, 30 June 2017, online; Director GCHQ, speech at CyberUK18, 12 April 2018.
  2. Council on Foreign Relations, Europe is developing offensive cyber capabilities: the United States should pay attention, 26 April 2017, online.
  3. Council on Foreign Relations Cyber Operations Tracker, online.
  4. James Clapper, Marcel Lettre, Michael S Rogers, Foreign cyber threats to the United States, joint statement for the record to the Senate Armed Services Committee, 5 January 2017.
  5. Although offensive cyber operations have been used by combatants in the context of armed conflicts.

Cyber wrap

The Pakistani Foreign Office has reached out to the nation’s largest intel body, Inter-Services Intelligence (ISI), for assistance to boost its internal IT security. Government ministries in Pakistan are no strangers to targeted online campaigns (here and here), and the Ministry of Foreign Affairs is seeking to beef up its cyber resilience in response. The Ministry has requested 80 million rupees in next year’s federal budget—a 130% increase on this year’s budget—to boost the resilience of its Islamabad headquarters and communications security across its network of foreign missions. The move has raised concerns internally that the new role will provide ISI with undue access to the Ministry’s communications, although that’s been dispelled by a government official who said ISI would only have ‘limited access’ and that the work of departments remains protected by ‘encryption codes’.

The Cyber Space Administration of China (CAC) recently launched an investigation into Chinese search engine Baidu, finding that the site has been inappropriately presenting sponsored links as organically generated search results. The CAC found that Baidu was ranking returned search results based upon the advertising spend received from companies, but neglected to make clear to the user that the results were in fact sponsored.

Apple CEO Tim Cook is set to visit China this month to undertake talks with senior government and CCP representatives. The visit comes at a tumultuous time in the relationship between the tech giant and economic powerhouse, with Beijing recently suspending several of Apple’s online services on the mainland and concerns surrounding China’s new counterterrorism law.

Last month US General Vincent Brooks spoke to US Senate leaders about the online threat posed by North Korea. In news that won’t surprise readers of our 2015 Cyber Maturity Metric, Brooks rated North Korea’s online abilities as ‘among the best in the world and the best organized’. To counter the growing cyber threat from North Korea, last week the US and South Korea agreed to deepen cyber cooperation. Speaking in Seoul, Secretary of State John Kerry pointed the finger at Pyongyang for carrying out ‘provocative, destabilizing and repressive actions’ online and warned that North Korea ‘will be held accountable for their actions.’

The Canadian government is moving to block two Huawei employees from entering Canada on espionage concerns. Canadian border officials have advised the pair that their entry will be denied under section 31 (1) f of the country’s immigration act, with authorities holding ‘a reasonable belief’ that they are part of an organisation which may be engaged in acts of ‘espionage, subversion or terrorism.’ It’s extremely rare for applicants to be rejected for a Canadian visa based on espionage concerns. The workers and their employer deny any involvement in espionage. Huawei is frequently accused of state-sponsored espionage; the company was barred from tendering for the construction of Australia’s NBN in 2012 on national security grounds.  

On the home front, the International Cyber Policy Centre recently welcomed senior Australian and Spanish public sector and business leaders to Canberra for a 1.5 track dialogue. Co-hosted with the Spain–Australia Council Foundation, discussions centered around national public and private sector perspectives on cyber security and sought to identify areas of possible cooperation between Australia and Spain. Spanish Secretary of State for Foreign Affairs Ignacio Ybañez opened the dialogue, noting that cyber security cooperation and private sector engagement was a significant area of potential growth in our bilateral relationship. He noted that geographic distance was no longer a barrier to the relationship between Spain and Australia given our networked and connected world. He emphasised shared values as an enabler of cooperation on issues such as norms, conflict risk reduction and cyber security incident response. The dialogue identified several areas of potential future cooperation between Spain and Australia—including CERT collaboration, best practice and threat information sharing for critical infrastructure protection and coordination of efforts in global cyber capacity building through shared membership in institutions such as the Global Forum on Cyber Expertise.

Cyber wrap

While last night’s Federal Budget is still being picked apart, it seems that Defence will be funding the lion’s share of the new cyber priorities announced as part of the recent Cyber Security Strategy. Of the $230 million announced as part of the Strategy, money reallocated from Defence will cover $122 million. A further $38 million was already committed as part of the National Innovation and Science Agenda, and the remaining cash comes from nine other portfolios. Defence will get $51 million of this money back to fund the relocation of the Australian Cyber Security Centre.

The World Summit on the Information Society forum (WSIS) has gathered in Geneva this week for its annual dialogue. WSIS, organised by the ITU, UNESCO, UNDP and UNCTAD, is the ‘largest annual gathering of the ICT for development community’. The 2016 forum is focusing on how information technologies can facilitate the implementation of the UN’s Sustainable Development Goals, with participation from representatives of government, the private sector, civil society, academia and international organisations. The forum wraps up on 6 May, so check in next week for some analysis of the outcomes.

It was at last year’s WSIS preparatory meeting that India declared its support for multi‑stakeholder governance of the Internet, which seeks to give governments, the private sector and civil society an equal voice in decision-making related to the Internet’s governance. India previously advocated a multilateral approach, under which governments operating through institutions like the UN are the ultimate decision-makers. However, the communique from last month’s Russia–China–India foreign ministers’ meeting makes it seem that India has now either jumped back on the multilateral bandwagon, or the two ministries responsible (External Affairs, and Communications and Information Technology) are pushing separate agendas. While the communique is filled with boilerplate language of the kind that Russia and China are well known for, for India it continues a history of indecision on this important issue.

Russia and China also held their first bilateral ‘Cyberspace Development and Security Forum’ on Wednesday last week. A significant part of the agenda was devoted to discussing the reliance on foreign IT firms and exploring possible ways to reduce the exposure to this ‘hidden danger’. One suggestion that China’s Cyberspace Administration had previously made was for the government to buy a financial stake in Chinese IT firms and take a seat on their boards.

The University of Sydney’s Quantum Control Laboratory’s research has been boosted by a grant of an undisclosed sum from the US Intelligence Advanced Research Projects Activity, an organisation within the Office of the Director of National Intelligence. Across town, UNSW received a $26 million boost from the National Innovation and Science Agenda earlier this year, making Sydney an emerging centre for quantum computing research.

In Thailand, one of eight dissidents arrested by the junta last week and charged under the country’s Computer Crimes Act for lèse-majesté has claimed that the police showed him screenshots of his Facebook Messenger chats during interviews. While it seems the dissidents believed they were safe using Facebook, Facebook’s messaging service is encrypted between the user’s device and Facebook, rather than being encrypted end-to-end, which means Facebook can provide private messages to a government if required by law. The Thai junta has been engaged in a struggle with activists online since the 2014 coup, and has previously requested help from service providers including Facebook to filter content that opposes the junta, and once briefly blocked Facebook access in the country.

And finally, several months after Wired pointed to Australian businessman Craig Wright as the hitherto unknown founder of cryptocurrency BitCoin, Wright has confirmed that he indeed created the cryptocurrency and the blockchain technology behind it. Wright attempted to prove his claim by using digital signatures known to be owned by BitCoin’s founder, but some currency experts have expressed doubts. While Wright’s leadership may help resolve a row within the BitCoin community over how to expand the currency, he may be hesitant to undertake such a role.

Cyber wrap

The major cyber story of the week is the long-awaited release of Australia’s Cyber Security Strategy, the first document of its kind since 2009. The Strategy outlines $230 million of funding for enhanced cyber security efforts over four years, with a focus on five key themes. Specifically, significant investment will be funnelled into improving the cyber capabilities of the AFP, Crime Commission, Australian Signals Directorate and Australia’s Computer Emergency Response Team (CERT Australia).

The Strategy’s overarching principle of public–private sector partnership informs the establishment of a Cyber Security Growth Centre and Joint Cyber Threat centres in capital cities. The government will also relocate Australia’s Cyber Security Centre from the highly classified ASIO building to allow greater private-sector access.

The Strategy establishes new positions: a Minister Assisting the Prime Minister on Cyber Security, a Special Advisor on Cyber Security (to be filled by Alastair MacGibbon), and a Cyber Ambassador to be appointed by Julie Bishop. Further, the development of a sustainable cyber-savvy workforce will be encouraged through investment in STEM education and the creation of academic centres of excellence in universities.

Notably, the Strategy explicitly refers to Australia’s offensive cyber capabilities—a first in Australia’s rhetoric surrounding cyber security. At the launch, Turnbull stated that an ‘offensive cyber capability, housed in the Australian Signals Directorate, provides another option for the Government to respond’.

The Strategy has been hailed as ‘the most important and innovative government strategy yet written’. However, there has been criticism that the document’s language does not address the seriousness of contemporary cyber threats strongly or directly enough. Others are concerned that this underestimation is reflected in the funding on offer, which falls short in comparison to the billions being spent by Australia’s peers. Last year, the UK announced plans to invest £1.9 billion (A$3 billion) in cybersecurity, while the US has recently upped its spending by US$5 billion to a total of US$19 billion (A$24.8 billion). Check out some in-depth analysis of the new Strategy from the ICPC team here, here and here.

In the US, tech firms have banded together to oppose a bill that would effectively outlaw end-to-end encryption and require companies to help the government decrypt customer data. A coalition of companies—including Apple, Facebook, Google, Netflix, Microsoft and Twitter—wrote an open letter to the sponsors of the new bill, Senators Richard Burr and Dianne Feinstein. The tech giants warn against the ‘unworkable policies around encryption that would weaken the very defences we need to protect us from people who want to cause economic and physical harm’.

In an amusing concurrent development, popular instant messaging service Viber just announced it will make end-to-end encryption the default for its 700 million users. The company stated that it’s ‘proud that our users can confidently use Viber without fear of their messages being intercepted’. This comes only a few weeks after WhatsApp made the same transition.

This week also brought an exciting development in Artificial Intelligence (AI) technology. Scientists from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), in partnership with machine learning start-up PatternEx, have developed a hybrid machine that can learn how to identify 85% of cyber attacks. The findings, which merge state-of-the-art AI and analyst intuition, were published in a paper titled AI2: Training a big data machine to defend. The initiative works on an active learning system, where artificial intelligence network assessments are verified by an analyst, and any corrections are integrated back into the machine as a feedback loop that continues to improve its detection accuracy. The system can reportedly reduce false positives by a factor of five and is about three times more accurate than comparable technologies—a major development in the potential of AI for cybersecurity.

Staying stateside, a Bloomberg report has revealed that a US$12 billion tactical mobile Internet network used by the US Army suffers significant cyber security vulnerabilities. The Warfighter Information Network-Tactical Increment 2, or WIN-T, uses satellite and radio technology to offer secure voice, video and data communications to troops on the move. The network is deployed to 11 of the Army’s combat brigades and is already in use in Iraq and Afghanistan. However, an assessment conducted by Johns Hopkins University and the Army Research Laboratory recommended ‘improvement to user training techniques and hardware and software enhancements to harden against the cyberthreat’. In light of those findings, the US Army and General Dynamics are undertaking efforts to upgrade systems already in use and line up improvements that will be deployed through 2028.

Notwithstanding its apparently flawed military cyber defences, the US has been having fun with its offensive cyber rhetoric this week. Check out this piece from The New York Times to understand what US Deputy Defense Secretary Roger Work really means when he says the US is dropping ‘cyberbombs’ on ISIS.

Australia’s new cyber strategy: grabbing the international initiative

Last August during a speech in Sydney, DFAT Secretary Peter Varghese claimed that ‘all foreign policy starts at home’. This sentiment is echoed in Australia’s brand new Cyber Security Strategy, which firmly establishes ‘global responsibility and influence’ as one of the five key themes of the paper.

Our last home-grown cyber strategy, released in 2009, revealed little about our thinking around the key international debates of the day, such as cyber security norms of behaviour, the applicability of international law and internet governance. It also lacked any concrete plan for how Australia could shape and creatively engage the region on cyber issues. As a result, Australia missed a golden opportunity to influence regional thinking on cyber matters.

Yesterday morning, Prime Minister Malcolm Turnbull changed all of that when he launched the highly anticipated update to Australia’s cyber security strategy (PDF). This most recent effort offers plenty of detail on Australia’s approach to international cyber policy and sets out a sensible working agenda for the next four years.

Most importantly, it lays out a coherent manifesto on Australia’s ideal view of cyberspace and how we should use our diplomatic tools to pursue, persuade and convince others in our near region of the advantages of our approach and strength of our perspectives.

Briefly summarised, this view calls for an internet that’s open, free and secure based on our values of freedom of speech, right to privacy and rule of law. It supports a multistakeholder internet and the applicability of international law to cyberspace, and argues that closing the digital divide is in everyone’s interest.

To help achieve those new clear and prominent foreign policy goals, the Foreign Minister will soon appoint Australia’s first Cyber Ambassador. Many of Australia’s key partners including the US, the Netherlands and Japan have successfully placed experts in Ambassador-esque roles to help drive their cyber values and agendas overseas.

The creation of such a role is a smart move, and will serve as a quick and sensible way to elevate the profile of cyber issues within DFAT and on the international stage.

The new Ambassador will have a challenging and multifaceted role, with tasks ranging from navigating complex norms work within the UNGGE, to continuing already fruitful work within the ASEAN Regional Forum, to supporting trade promotion efforts and helping reach a resolution on the red hot internet governance agenda. The Ambassador will need to hit the ground running to engage with the many departments and agencies within the APS that work internationally on cyber issues to ensure they’re all singing from the same song sheet.

Pleasingly, the new strategy brings a focus to capacity building in our region. Such forward-leaning activities help to underpin almost the full gamut of international cyber issues, from confidence building and norm formation, to economic exchange, cyber security and incident response. If the staffing, subject matter expertise and infrastructure don’t exist in our neighbourhood, neither does effective international discourse, closing the digital divide or effective network protection.

Over the next four years, the government has allocated $6.7 million to sustain such work. This will be drawn from the government’s $230 million total cyber package. While it’s a significant improvement on DFAT’s existing shoestring budget for cyber work, it remains a modest figure, particularly when compared to the budgets of our key partners, such as the UK’s AU$14.3 million four year commitment to international cyber engagement and capacity building. Without a doubt, the budget allocation should continue to rise in order to keep pace with our lofty international ambitions.

The Cyber Ambassador will also have a key role to play in crafting Australia’s first public international cyber strategy, also announced by Turnbull yesterday. A good International Cyber Strategy will pick up where the new national strategy left off, by laying out a more detailed position on key international debates, presenting a carefully considered plan for international engagement, and integrating the private sector into our international strategic thinking. That won’t be an easy task by any stretch of the imagination.

The international focus of Australia’s new cyber strategy is encouraging. It presents a clear national position on our values and goals in cyberspace, and a roadmap for how we should go about reaching our destination. The challenge our new Cyber Ambassador will face is in implementing such a diverse international program on a slender budget.

Cyber wrap


The release of the Panama Papers this week has set a new record for the largest volume of data that has ever been leaked. The 2.6 terabytes of data, consisting of 11.5 million documents, exceeds previous leaks such as WikiLeaks by a significant margin. The leak was provided to news outlets through encrypted channels by an unknown source.

This week another US health care company has fallen victim to ransomware, only a month after a Los Angeles hospital was held to ransom by cyber criminals. Electronic health records at 10 hospitals owned by MedStar Health in Maryland and Washington DC were encrypted on Tuesday last week and held to ransom by unidentified hackers, causing significant disruption to services. MedStar reported that it had restored 90% of its network by last Saturday, but it’s not clear if the company paid the US$18,500 ransom request. The Washington Post noted that hospitals and other health and insurance providers are obvious targets for hackers as they maintain sensitive personal information, but the industry hasn’t kept up with the financial and retail sectors’ efforts for cyber security and resilience.

In Japan, planning for the 2020 Tokyo Olympics has prompted the government to implement a program to train a further 1000 cybersecurity analysts within government. A preferential pay system and new senior leadership positions for cybersecurity are intended to boost cybersecurity awareness and skills across the government before the games kick off in four years.

The UK Ministry of Defence (MoD) has announced that it’ll spend £40 million on its new Cyber Security Operations Centre (CSOC), previously announced as part of the UK’s cyber security strategy. The Centre will be located at the MoD Information Systems and Services branch at Corsham in Wiltshire, formerly the location of the UK government’s nuclear war bunker. The CSOC will monitor and defend MoD’s networks, and is part of a larger £1.9 billion investment over five years by the UK in defensive and offensive cyber capability by MoD and GCHQ. The UK also announced last Friday at the Nuclear Security Summit in the US that it will be undertaking joint drills with the US to test the cybersecurity of nuclear power plants in both countries.

It appears that there’s still confusion in the US Department of Defense (DoD) about who’s responsible for leading the charge when responding to a cyber emergency in the US. It seems that both Northern Command and Cyber Command (CYBERCOM) believe that they’d take the lead for DoD assistance to domestic cyber crises, and Pacific Command is of the opinion that it’d take responsibility for responding to cyber incidents in its area of responsibility. The Government Accountability Office (GAO) has warned that until roles and responsibilities of DoD’s various different components are clearly established, it ‘may not be positioned to effectively employ its forces and capabilities to support civil authorities’.

This problem isn’t isolated or new, with the GAO issuing a report back in 2013 that stated that roles and responsibilities for cybersecurity at the national level also need to be more clearly defined. In a separate interview, the Pentagon’s head of cyber policy Aaron Hughes noted that one of the key accomplishments so far in implementing the DoD Cyber Strategy has been exercises to refine CYBERCOM collaboration with the FBI and Homeland Security—suggesting that work is underway towards overcoming the problems identified by GAO.

Following the indictment of seven Iranian hackers by the US last week, Iran watchers have been working to scope the country’s cyber capability. Majid Rafizadeh from Harvard notes that while Iran hasn’t yet reached the cyber sophistication of China and Russia, its capability is advancing at a rate that warrants security concern, particularly as the Iranian regime perceives cyberspace as an environment in which it can ‘advance its ideological, geopolitical, and strategic ambitions… by inflicting damage on their major state institutions and infrastructures’. The National Council of Resistance of Iran, a Paris-based shadow Iranian government, has also published a review of Iran’s cyber capability.

And finally, the American Foreign Policy Council has released a primer on cyber security, including briefs on US, Chinese, Russian, Iranian and North Korean cyber capabilities.

Cyber wrap

US Department of Justice

The US Department of Justice is reportedly preparing an indictment against a set of Iranian hackers who allegedly infiltrated a small New York dam in 2013. While the attack only managed to penetrate the dam’s administration network, and not its SCADA operating system, the possible indictment highlights how seriously attacks against critical national infrastructure are handled within the US system.

The impending Iranian indictments will likely largely be seen as a political move, but beyond this, they’ll serve as an important tool to reinforce norms agreed upon at the UN Group of Governmental Experts. In particular, it’ll reinforce the norm that states shouldn’t conduct or knowingly support ICT activity that intentionally damages critical infrastructure. In 2014 when the US Government sought to underline another norm, that the state-backed hacking of secrets for economic gain was off limits, it issued five indictments against Chinese nationals for attacks against American industry, gaining widespread international attention.  

Also in the US, news site ThirdCertainty has compiled a useful cheat sheet on the 2016 Presidential candidates’ views on key cybersecurity issues. That includes their positions on hot topics such as the CISA, hacking-back, the encryption debate and the Snowden leaks. The candidates were also graded on their positions by two IT professionals, with recent drop-out Marco Rubio and Bernie Sanders coming out on top—albeit with the scores of B- and C+ respectively.

The Australian Government’s excellent Stay Smart Online alert service shared news last week of malware targeting ‘leading Australian and New Zealand banks’. The software, which affects Android banking applications, has the ability to intercept the SMS communications many banks use for two-factor authentication. The malware masquerades as an Adobe Flash application which could be inadvertently downloaded by users. For more information head here.

Al-Monitor has an interesting story this week on Palestine’s burgeoning hacking underground. While politically motivated attacks against Israel have been happening online for years, according to the article an increasing number of skilled technologists are using their talents for economic gain by hacking personal credit cards and corporate networks around the world.

The Singaporean Government has fired the latest shot in the ongoing IT skills battle, establishing a new program designed to lure overseas-based Singaporean talent back to the city-state. The Smart Nation Fellowship Programme, created by the Infocomm Development Authority (IDA), aims to draw overseas-based experts home for three to six month stints working alongside IDA engineers on ‘smart nation’ projects aimed at improving the provision of services to the public in areas including transport and healthcare.

If you’re in Tasmania you might have noticed a dramatic slowing in your internet speeds. The Basslink submarine cable, which brings both telecommunications and electricity from the mainland, was cut late last week as operators attempted to find the location of a fault that has plagued the cable since last December. The cut has all but stopped the connection of several ISPs to the island—including iiNet and Internode—and many are questioning why arrangements weren’t made in advance to route traffic through Telstra’s submarine cables, which remain unaffected.

Wrapping up this week, our friends at the Observer Research Foundation have launched a new paper that assesses the Indian government’s cyber organisational structures and makes recommendations for improved co-ordination, resilience and response.

Cyber wrap

Tim Cook

Western Australia’s parliament was hacked last Tuesday with a computer virus forcing the shutdown of its telecommunications systems. According to Speaker Michael Sutherland, the attack impeded a number of house operations including, ‘Hansard publications, the preparation and processing of questions on notice and answers to questions on notice’. Fortunately, the breach didn’t prevent Parliament sitting as usual.

The incident follows a 2015 audit of sections of the WA government’s digital infrastructure. The assessment found that some agencies didn’t adequately protect information to prevent unauthorised access and data loss. Specifically, it noted the lack of basic controls over passwords, patching, setting of user privileges, copies of sensitive information across systems and poorly configured databases. Cyber security within state governments in Australia often lags behind best practice, but news last week that Queensland is establishing its own cybersecurity unit can be taken as a welcome sign that this trend may soon be reversed.

Last week’s ruling that Apple must assist the FBI to unlock an iPhone linked to San Bernardino gunman Syed Farook has reignited the smouldering discussion on encryption and the difficult balance between privacy and public safety. More public figures have recently come out on one side of the debate or the other. NSA chief Admiral Mike Rogers surprisingly came out on the side of encryption, saying that it’s ‘foundational to the future’, while Microsoft founder Bill Gates has chastised Apple CEO Tim Cook for opposing the court order. Surveys of public opinion in the US have found that there’s a roughly 50/50 split between support for the FBI or Apple. This is significant as Apple will reportedly seek to propel the case out of the courts this week and into the hands of Congress to decide.

Also in the US, the Hollywood Presbyterian Medical Centre in LA has paid 40 bitcoins (equivalent to US$17,000) in ransom to retrieve access to its patient files after a malware attack. The attack prevented access to the computer systems and restricted the ability to share communications electronically, successfully forcing the hospital to return to manual paper and pen patient submissions. Ransomware locks computer systems through file encryption and then demands a ransom payment in exchange for the decryption key.

Japanese companies have been targeted by a highly skilled and well financed state actor according to cyber security firm Cylance. The campaign, named Operation Dust Storm, previously targeted major industry in Japan, South Korea, the US, Europe and South East Asia, but has now narrowed its target set to Japanese organisations. The intent of the hackers appears to be long term presence on networks to exfiltrate data, particularly from electricity, oil, gas and transportation companies. Japan is a frequent target for hackers; however, security consultants to Japanese firms and the government continue to highlight weaknesses in a corporate culture that views breaches as a loss of face, preventing disclosure and cooperation on common threats.

Quantum technologies: investing in our future security

The Australian Government recently announced plans to invest $26 million in the development of quantum computing technology as part of the National Innovation and Science Agenda (NISA). Prime Minister Turnbull has argued that NISA is part of a new ‘ideas boom’ designed to ‘create a modern, dynamic and 21st century economy for Australia’. It emphasises quantum computing as an important area for government investment based on its ability to produce ‘jobs and economic growth’. And while this industry could certainly be ‘worth billions’, it offers much more than financial prosperity: quantum technologies could play a significant role in our future defence and security.

Quantum technology harnesses the obscure properties of subatomic matter to achieve computing processes unobtainable with classic computers. Today’s computers run on binary digits, or bits, which exist as either 1s or 0s. In contrast, quantum bits, or qubits, exploit the bizarre principle of ‘superposition’ that enables them to occupy all possible states (both 1 and 0) at the same time. This allows quantum computers to undertake multiple calculations in parallel, unlocking unprecedented processing power that could ‘solve problems that would take conventional computers centuries’.

Another important quantum quality, ‘entanglement’, means two qubits can become inextricably linked, such that a change in one causes a change in the other. The qubits can remain connected even when separated across large distances. This delicate connection can be used for instantaneous communication, and its vulnerability to interference means the act of eavesdropping fundamentally alters the transmission, rendering it provably secure.

NISA asserts that those technological tricks will have a ‘transformational impact on Australian and global businesses’ but fails to mention the revolutionary role they could play in improving Australia’s defence force in three key areas.

Efficiency

The ability of quantum computers to undertake multiple calculations at once makes them an enormous asset for the optimisation of defence logistics. A quantum computer could examine all possible strategies and quickly identify the most rapid or low-energy solution, in order to determine the military’s preferable travel path, which is likely to increase the efficiency and speed of military operations.

Increasingly complex weapons systems also rely on ever-growing volumes of activation software. For example, the F-35 Joint Strike Fighter now requires more than 20 million lines of code to be fully operational. The brute force of quantum computers could offer a strategic advantage by improving the efficiency of code validation where defence assets are deployed in time-sensitive scenarios.

Intelligence

Quantum computers are most infamous for their potential to decrypt communications and other data. Current encryption models rely on the limited computing power available to hackers (both state and non-state) and the unreasonable amount of time required to solve long encryption keys. However, the immense processing power of quantum computers will be able to solve those previously impossible problems in little to no time, eventually rendering the majority of the world’s information security frameworks completely useless. The ability to hack an adversary’s (previously secret) communications would provide a government with access to incredibly sensitive intelligence and a decisive strategic advantage.

The accuracy of a military’s positioning, navigation and timing intelligence could also be improved through the precision of quantum sensor technologies. The old and expensive Global Positioning System (GPS) is increasingly unreliable and vulnerable to denial and sabotage. However, quantum location technologies are expected to be near impossible to jam and ‘1,000 times more accurate’ than today’s systems.

Security

While the advent of quantum computing may mean ‘some widespread and crucial encryption methods will be rendered obsolete’, quantum technology also promises a whole new generation of secure communication. The quantum property of ‘entanglement’ makes ‘Quantum Key Distribution’ possible, providing the basis of an ‘un-hackable’ encryption model that’s ‘impervious to eavesdroppers’, even quantum computers. With quantum computers potentially ushering in a ‘cryptopocalypse’, investing in enduring information security is a sensible insurance policy.

In light of these strategic applications, it’s not only the familiar tech giants such as Intel, IBM, Microsoft and Google racing to harness the power of quantum mechanics; governments worldwide are also investing in this area to maintain or obtain strategic advantage.

The US Defense Undersecretary Frank Kendall recently stated that ‘quantum science is an area that could yield fundamental changes in military capabilities’. As such, the US Army, Navy and Air Force are working together with a $45 million grant to establish a secure long-distance quantum communication network ‘for the war-fighter’.

Quantum science also ‘figures centrally in the objectives of the Chinese military’, with the technology having been a focus of the National University of Defense Technology and the People’s Liberation Army’s University of Science and Technology for several years now. In fact, a Chinese project is underway to establish the longest quantum communication network in the world, stretching 2,000km between Shanghai and Beijing and including the world’s first quantum-enabled satellite.

The UK’s National Strategy for Quantum Computing argues that quantum technologies will have a ‘major impact’ on the defence industry, and the Defence Science and Technology Laboratory was already showcasing new quantum navigation technologies early last year.

The good news is that Australia’s quantum technology research is ‘world leading’. The Centre for Quantum Computing and Communications (CQC2T), recipient of the NISA grant, recently achieved a breakthrough proof of concept for silicon quantum computing. In fact, lead scientist Michelle Simmons expects the centre to develop a scalable quantum computer within the next five years. The government’s recent investment is a great step in ensuring Australia’s continued efforts in this field.

There’s no doubt this industry promises enormous economic benefits. However, we mustn’t become complacent by thinking about quantum technology in purely economic terms. It’s also an essential national investment in the context of an ‘international race’ to quantum pre-eminence and the strategic advantage it’s likely to afford. The Australian government must continue to invest in this technology, while broadening its view to see the many benefits that quantum research and innovation brings to our national defence and security.

Cyber wrap

We’re kicking off this week over the ditch with our Kiwi friends who have been very busy on the cyber policy front. In Auckland last Friday, Communications Minister Amy Adams launched an updated version of the country’s national Cyber Security Strategy. The NZ government also produced an accompanying ‘living’ Action Plan that will be updated annually, and a National Plan to Address Cybercrime. The strategy aims to deepen public–private engagement on cyber issues building upon the already successful Connect Smart initiative, which reaches out to private residences, schools and businesses. Other initiatives include a ‘cyber security tick’ scheme, similar to those used to indicate healthy foods, which will recognise businesses with good cyber security practices. New Zealand will also establish a stand-alone national Computer Emergency Response Team (CERT). Currently CERT responsibilities lie within the National Cyber Security Centre, but the decision has been made to bring New Zealand ‘into alignment’ with its key international partners by creating the new body. The decision mirrors that of the UK government, which successfully launched their first national CERT early last year.

Australia’s national CERT has released a survey of the cyber security postures and attitudes present amongst its major Australian business partners. The survey found that over half of the respondents had experienced an incident that had compromised ‘confidentiality, integrity or availability of a network’s data or systems in the last year’. Positively, the survey found that in response many businesses had introduced or improved their information security practices including both policy and technical responses. Mirroring stories throughout the media this year, major Australian businesses reported being subject to a substantial number of ransomware attacks—four times as many as were reported in 2013.

Twitter has warned a number of its users this week that their accounts may have been targeted by something a bit more malicious than the usual run-of-the-mill spam. The social media giant informed several account holders via email that their Twitter accounts were part of ‘a small group of accounts that may have been targeted by state-sponsored actors’. Those affected included activists, security specialists and privacy advocates, in what Twitter believes was an attempt to gain access to personal information including phone numbers and email addresses. While Twitter claims there was no evidence that the attempts were successful, it recommended that those affected use identity protection measures, such as the Tor browser.

Joe Nye had an interesting piece published on Project Syndicate on deterrence in cyber space, where he discusses how the traditional difficulties surrounding attribution have hampered effective deterrence and tipped the see-saw in favour of attackers. But he stresses that increased technological capability, more robust encryption and economic enmeshment may tip the advantage back to the defenders and eventually enable more effective cyber deterrence.

And finally, just in time for the holiday break, the US Department of Homeland Security has put out a useful tip sheet on good cybersecurity practices to use while travelling. It includes advice on connecting to Wi-Fi, data protection and maintaining the physical security of personal devices.

Learning lessons from the UK’s confident approach to cyber

An aerial image of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire.

The launch of the 2015 SDSR provided evidence that UK Defence and Security agencies are being re-invigorated after a period of extensive cuts. Over the next ten years £178 billion will be spent on a range of military platforms. While this won’t elevate the UK to the peak of global military powers, it will reassure allied partners that it’s a reliable security partner.

Large quantities of money are often associated with ‘big ticket’ military hardware, yet the UK has spent comparable sums on its cyber capabilities. At the launch of the 2010 SDSR, the sting of looming cuts was softened by the announcement that the Government would invest £500 million in cyber security. In the intervening period, that’s risen to an £860 million investment in a growing area of national security concern and potential advantage.

The 2015 SDSR announced that spending on cyber security will grow again with a commitment to invest a further £1.9 billion (A$3.9 billion) over the next five years. When that sum is added to the core spending on cyber security capabilities to protect UK networks, the total spend amounts to more than £3.2 billion (A$6.5 billion).

The clear and concise wording of the document is just as significant as the money attached to it. The 2015 SDSR weaves together a clear articulation of the UK’s strategic goals in cyber along with a comprehensive narrative about the importance of cyber security to national and economic security, and introduces measures to enhance capability and skills in both areas. It commits the UK to remaining a world leader in cyber security to protect critical networks, to maintaining high levels of confidence in its ability to protect business from cyber threats, and to bolstering the digital economy to help it reap the economic rewards of high value cyber security technology and skills.

The lead component of the cyber section of the SDSR is the newly formed National Cyber Centre established under GCHQ’s leadership. This centre will have charge over operational responses to cyber incidents. Not only will it have an operational lead but it will also act as a focal point for companies seeking advice on cyber issues, simplifying previous arrangements.

There are three areas worthy of specific comment. First, the UK has worked hard over the past 10 years to mature the Government’s relationship with the private sector on cyber. There’s a clear commitment to ‘share knowledge with British industry and with allies’, ‘help companies and the public do more to protect their own data’, and ‘simplifying private sector access to government cyber security advice’. That’s evidenced most strongly in the promise to develop a ‘series of measures to actively defend…against cyber attacks’, alluding to active defence tactics which aim to disrupt attackers prior to, or while they’re attacking a network. The SDSR states that those capabilities will be ‘developed and operated by the private sector’, which is a leap forward in coordination between the UK’s public and private sectors.

Despite efforts to build stronger relationships with the private sector on cyber, Australia is some way off being able to make these kinds of statements. There’s a continuing journey that needs to be undertaken in order to reach the same level of maturity that the UK has achieved.

Second, the SDSR details a significant investment in creating highly qualified and skilled personnel, including £20 million to open an Institute of Coding to fill the current gap in higher education. A £165 million Defence and Cyber Innovation Fund was also announced to support innovative procurement across government, alongside two new cyber ‘start-up’ centres where new companies can incubate their tech in the early stages of development.

Finally, one of the most striking aspects of the plan was the emphasis placed on developing offensive cyber capability. The UK has firmly stated that it has this capability and will use it as a tool of national power and to respond to security threats. George Osborne used strong words to underscore this part of the plan:

‘Part of establishing deterrence will be making ourselves a difficult target…We need to destroy the idea that there is impunity in cyberspace…We are building our own offensive cyber capability—a dedicated ability to counter-attack in cyberspace.’

Following on from the US admission in 2010, this further illustrates an emerging trend among Australia’s allies to publicly state their capacity to conduct or develop offensive cyber operations. A clear statement of the way Australia views the use of offensive cyber capabilities would be a welcome addition to the Australian Defence White Paper when it emerges.

There are lessons for Australia on the cyber front here. First is the use of committed, firm ideas and language which are backed financially. We are yet to see how much the Australian Government will invest in this important area of national security. Second, there’s a clear articulation of the linkage between cyber security, economic security, digital innovation and national security. Australian cyber strategy will hopefully follow suit. Finally, there’s evidence of a mature and trusted relationship between Government and the private sector built over time, which Australia can afford to do much better at. With both a Cyber Review and a Defence White Paper due imminently, expectations will be high that Australia can deliver on both fronts.
