Tag Archive for: cyber strategy

The Pacific needs greater cyber resilience as malicious actors break into networks

Samoa and Papua New Guinea’s recent experiences with cyber intrusions are the latest reminders of the urgent need for enhanced cybersecurity resilience in the Pacific. What’s needed is capacity building and coordinated response initiatives.

On 11 February Samoa’s Computer Emergency Response Team (SamCERT) issued an advisory warning about APT40, a Chinese state-backed hacking group operating in the region. Days later, reports emerged that Papua New Guinea had suffered an unattributed cyberattack on its tax office, the Internal Revenue Commission, in late January.

SamCERT’s advisory marks the first time a Pacific island country has formally attributed a cyberattack to a China-linked group. While the advisory does not directly name China, it identifies APT40 as the perpetrator behind the cyber intrusion and provides a link to the Australian Signals Directorate’s website that details APT40’s connection with the Ministry of State Security, China’s foreign intelligence agency.

The advisory also warns that the hacking group conducts ‘operations directed at sensitive networks administered by Pacific Island nations’. While this reflects a growing awareness of foreign cyber influence in the Pacific, it also shows the caution that smaller nations exercise when publicly attributing cyber threats to state actors.

APT40, classified as an advanced persistent threat, conducts cyber operations by infiltrating networks and maintaining access. By loitering, it can monitor activity, collect data and carry out more sophisticated attacks targeting high-value accounts, including those of government officials.

This group and this method of operation are not new. Australia, the United States and New Zealand have all previously attributed cyberattacks to APT40. In the Pacific, Palau is the only country that has openly accused China of targeting its digital infrastructure, but didn’t issue technical attribution. Samoa’s willingness to publicly acknowledge this threat is a step towards greater cyber transparency in the Pacific and encourages more open discussions among regional leaders and cybersecurity experts.

Beyond the immediate implications of cyber espionage, these incidents highlight the broader hybrid threats Pacific nations face. Malicious actors often exploit weaknesses in cyber hygiene, through server exploitation, phishing campaigns and web compromises, to gain initial access to networks. The intersection of cyber operations, economic dependencies and diplomatic sensitivities creates a complex security environment for the Pacific. While raising awareness of cyber threats is crucial, strategic communication must be handled in a way that fosters regional cooperation and builds cyber resilience without unnecessarily escalating geopolitical tensions.

Australia has worked with Pacific nations to enhance their incident response capabilities, provide technical assistance and facilitate information sharing. It has supported initiatives such as the Pacific Cyber Security Operational Network and the Cyber Rapid Assistance to Pacific Incidents and Disasters team. Samoa’s ability to issue a public advisory is, in part, a testament to such capacity-building efforts.

In contrast, Papua New Guinea communicated poorly following a cyberattack on its Internal Revenue Commission that paralysed tax administration functions and potentially exposed sensitive financial data. The commission first characterised the 29 January attack as a ‘system outage’, reflecting deeper structural challenges in the region’s cyber resilience framework, such as infrastructure gaps and bureaucratic red tape.

While it’s ideal for organisations to be transparent about being victims of a cyberattack, this requires a level of cyber maturity. Doing so effectively would require a level of technical capability and strategic communications preparedness to manage public awareness and response that many of these institutions in the Pacific have not yet built.

Governments in the Pacific recognise the importance of cybersecurity. PNG launched its National Cyber Security Strategy in 2024, joining several other countries that have published or are drafting their own. But many still face limitations in resources, technical expertise and infrastructure.

Pacific nations and international partners need to prioritise strengthening national computer emergency response teams and fostering regional cooperation. Enhancing incident detection and response capability, as well as promoting intelligence sharing across borders, will help mitigate future cyber threats.

Arguably, Australia’s strategic investments in the region’s digital infrastructure, including high-capacity subsea cables, are important to digital transformation in the region. But transformation is outpacing cybersecurity preparedness, creating a widening gap that exposes critical institutions to cyber threats. Support must be matched with comprehensive and sustained cybersecurity capacity-building programs that raise Pacific nations’ agency—not just token efforts.

Although Australia has committed to building cyber capacity across the region, its support should extend beyond government networks to include businesses, critical infrastructure operators and civil society. Long-term resilience will come from increasing public awareness, developing a skilled cybersecurity workforce and integrating cyber resilience into national security strategies.

At the very least, Australia needs to gather like-minded partners, such as Japan, France and India, to coordinate investment in Pacific cybersecurity, ensuring that the region is equipped with the necessary tools and expertise to counter the growing sophistication of cyber adversaries.

Using open-source AI, sophisticated cyber ops will proliferate

Open-source AI models are on track to disrupt the cyber security paradigm. With the proliferation of such models—those whose parameters are freely accessible—sophisticated cyber operations will become available to a broader pool of hostile actors.

AI insiders and Australian policymakers have a starkly different sense of urgency around advancing AI capabilities. AI leaders like Dario Amodei, chief executive of Anthropic, and Sam Altman, chief executive of OpenAI, forecast that AI systems that surpass Nobel laureate-level expertise across multiple domains could emerge as early as 2026.

On the other hand, Australia’s Cyber Security Strategy, intended to guide us through to 2030, mentions AI only briefly, says innovation is ‘near impossible to predict’, and focuses on economic benefits over security risks.

Experts are alarmed because AI capability has been subject to scaling laws—the idea that capability climbs steadily and predictably, just as in Moore’s Law for semiconductors. Billions of dollars are pouring into leading labs. More talented engineers are writing ever-better code. Larger data centres are running more and faster chips to train new models with larger datasets.

The emergence of reasoning models, such as OpenAI’s o1, shows that giving a model time to think in operation, maybe for a minute or two, increases performance in complex tasks, and giving models more time to think increases performance further. Even if the chief executives’ timelines are optimistic, capability growth will likely be dramatic and expecting transformative AI this decade is reasonable.

Figure: The effect of the introduction of thinking time on performance, as assessed in three benchmarks. The o1 systems are built on the same model as GPT-4o but benefit from thinking time. Source: Zijian Yang/Medium.

Detractors of AI capabilities downplay concern, arguing, for example, that high-quality data may run out before we reach risky capabilities or that developers will prevent powerful models falling into the wrong hands. Yet these arguments don’t stand up to scrutiny. Data bottlenecks are a real problem, but the best estimates place them relatively far in the future. The availability of open-source models, the weak cyber security of labs and the ease of jailbreaks (removing software restrictions) make it almost inevitable that powerful models will proliferate.

Some also argue we shouldn’t be concerned because powerful AI will help cyber-defenders just as much as attackers. But defenders will benefit only if they appreciate the magnitude of the problem and act accordingly. If we want that to happen, contrary to the Cyber Security Strategy, we must make reasonable predictions about AI capabilities and move urgently to keep ahead of the risks.

In the cyber security context, near-future AI models will be able to continuously probe systems for vulnerabilities, generate and test exploit code, adapt attacks based on defensive responses and automate social engineering at scale. That is, AI models will soon be able to do automatically and at scale many of the tasks currently performed by the top talent that security agencies are keen to recruit.

Previously, sophisticated cyber weapons, such as Stuxnet, were developed by large teams of specialists working across multiple agencies over months or years. Attacks required detailed knowledge of complex systems and judgement about human factors. With a powerful open-source model, a bad actor could spin up thousands of AI instances with PhD-equivalent capabilities across multiple domains, working continuously at machine speed. Operations of Stuxnet-level sophistication could be developed and deployed in days.

Today’s cyber strategic balance—based on limited availability of skilled human labour—would evaporate.

The good news is that the open-source AI models that partially drive these risks also create opportunities. Specifically, they give security researchers and Australia’s growing AI safety community access to tools that would otherwise be locked away in leading labs. The ability to fine-tune open-source models fosters innovation but also empowers bad actors.

The open-source ecosystem is just months behind the commercial frontier. Meta’s release of the open-source Llama 3.1 405B in July 2024 demonstrated capabilities matching GPT-4. Chinese startup DeepSeek released R1-Lite-Preview in late November 2024, two months after OpenAI’s release of o1-preview, and will open-source it shortly.

Assuming we can do nothing to stop the proliferation of highly capable models, the best path forward is to use them.

Australia’s growing AI safety community is a powerful, untapped resource. Both the AI safety and national security communities are trying to answer the same questions: how do you reliably direct AI capabilities, when you don’t understand how the systems work and you are unable to verify claims about how they were produced? These communities could cooperate in developing automated tools that serve both security and safety research, with goals such as testing models, generating adversarial examples and monitoring for signs of compromise.

Australia should take two immediate steps: tap into Australia’s AI safety community and establish an AI safety institute.

First, the national security community should reach out to Australia’s top AI safety technical talent in academia and civil society organisations, such as the Gradient Institute and Timaeus, as well as experts in open-source models such as Answer.AI and Harmony Intelligence. Working together, they can develop a work program that builds on the best open-source models to understand frontier AI capabilities, assess their risk and use those models to our national advantage.

Second, Australia needs to establish an AI safety institute as a mechanism for government, industry and academic collaboration. An open-source framing could give Australia a unique value proposition that builds domestic capability and gives us something valuable to offer our allies.

Scarcely ahead: tech titans and the resource race (part 1)

In 1980 US President Jimmy Carter established the Carter Doctrine, asserting the right of the United States to protect strategic interests in the Middle East. The doctrine reflected the reality that oil sustained the US (and world) economy, and without it economies would collapse. ‘Energy geopolitics’—competition between states for energy security—reflected this worldwide resource race; a race as relevant today as it was in the 20th century.

Today we’re approaching an era where clean energy technology outstrips fossil fuels. This means that there will again be an energy race—but the essential component will be the humble battery. Western tech companies and their Chinese counterparts are competing, and right now Western tech companies are on their own, while Chinese companies have the full backing of their government.

Batteries are essential to all wireless electronic equipment. There are many battery technologies, but lithium-ion batteries are the most widely used in portable electronics. Raw materials account for up to 39% of a lithium battery’s cost. The hardest to obtain is cobalt, one of 27 ‘critical’ minerals. Though it comprises only 10–20% of a lithium-ion battery’s materials, cobalt costs six times more than nickel, the primary component. Cobalt is also ‘scarce’, making it a good case study in what tomorrow’s resource race might look like.

Cobalt has always been rare but several factors have made it even more difficult to access. First, it’s being used more and more. Though we may have reached peak smartphone, advances in renewable energy, electric vehicles, robotics and wireless gadgets depend on expected innovations in battery technology.

Reflecting this demand, it’s anticipated that the still-underdeveloped lithium-ion battery market will grow to US$81.65 billion by 2021. On the supply side, cobalt’s economics are complex, partly because it’s a byproduct of copper and nickel mining, and so dependent on fluctuations in those markets.

Second, and more importantly, political instability makes cobalt vulnerable to supply disruption. The Democratic Republic of Congo (DRC) supplies more than half of the world’s cobalt. Armed conflict plagues 10 of the country’s 26 provinces, and most Congolese earn less than US$1.25 a day. In February The Economist warned that civil war in Congo might resume. President Joseph Kabila presides over a state that Steve Reid quips is ‘neither democratic, nor a republic, nor in control of the Congo’.

In response, Western tech companies are looking to alternative sources of supply, such as Canada. That may pan out. Erich Zimmerman argued that ‘resources are not, they become’. That is, deposits are found as the need arises.

On the other hand, according to South Africa’s Mandini Minerals, for now ‘if you want to become a player in the cobalt market, you need to be in the DRC’. A cursory glance at known cobalt reserves speaks to this point. DRC has 3.4 million tons, with Australia second at 1 million tons. That presents an opportunity for Australia, particularly since we can guarantee uninterrupted supply. But for tech companies, this doesn’t solve the immediate problem of rising demand and prices.

China recognises as much. It has piled investment into DRC even as Western mining companies cut jobs. China, the world’s leading producer and supplier of refined cobalt, imports most of its ore from the DRC. The risk of supply disruption became clear last September when DRC briefly ordered China’s Sicomines to stop exporting cobalt.

But the risk may be overstated. China pursues several stratagems to ensure supply, such as contributing peacekeepers and funding to the UN mission in DRC. In addition, President Kabila has personal ties to China.

China’s cobalt market domination has paid off in the battery market. Chinese battery companies are major players in a sector long dominated by Panasonic and Samsung. CATL is the fastest-growing battery producer in China and dominates the country’s electric vehicle market, which is the world’s largest. By 2020, CATL aims to be the world’s largest battery cell manufacturer.

To succeed, the company must secure supply. Recently it and other Chinese companies signed large contracts with suppliers, stealing a march on their Western competitors. For example, last month a Chinese supplier of battery chemicals signed a deal to buy one-third of Swiss miner Glencore’s cobalt production.

Some Western tech firms are looking elsewhere. Tesla proposes buying only North American cobalt (partially in response to human rights concerns). But the US and Canada produce only 4% of the world’s cobalt, too little to meet Tesla’s ambitions.

Vertical integration is another alternative—gaining control over the supply line, as Alcoa did with aluminium. And Apple wants to buy cobalt directly from Congolese miners. But this is risky, not least because tech companies have little experience with mining and conflict zones.

Whatever they choose, Western companies—and governments—cannot be starry-eyed on this issue. Raw material extraction is the ugly side of technology development, as mining operations and oil extraction across the developing world have shown. Even so, cobalt and other critical minerals will continue to be mined. Leaving lithium-ion batteries aside, cobalt is a ‘high-speed, high-strength wear-resistant alloy’ that’s critical to aerospace and military technology. It can even be used to make bombs.

So if the West loses access to critical minerals like cobalt, it may also lose the energy—and tech—race.

In part two, I will look at options for Western governments.