
Australia’s semiconductor manufacturing moonshot: Securing semiconductor talent

Semiconductors are a critical component in all modern technologies, from personal communication devices and medical devices to weapons systems. Crucial to producing semiconductors is the availability of a highly skilled workforce to manage clean-room facilities and highly specialised equipment and to execute the hundreds of unique steps needed to manufacture a single wafer, the number depending on the complexity of the chip.

ASPI’s 2022 report, Australia’s semiconductor national moonshot, laid out the strategic reasons why Australia must embark on a capacity-building initiative to create a homegrown semiconductor manufacturing ecosystem. Every item on the Australian federal government’s List of Critical Technologies in the National Interest is dependent on semiconductors.

By committing to growing a semiconductor-manufacturing industry from a mature-process-scale baseline, policymakers would position Australia to manufacture chips relevant to the energy, transport, health, IT and defence sectors. Such an industry would enable Australia to execute long-term critical technology strategies in areas such as quantum computing and artificial intelligence, to mitigate supply-chain risk against disruption from conflict or natural disaster, and provide highly skilled jobs in affordable locations, enriching the Australian economy.

It’s important to note that both AUKUS Pillar 2 and the Albanese government’s April 2023 publication of the Defence Strategic Review reflect a shift in Australia’s strategic thinking on defence and national security, and the important correlation and greater cooperation between industry, education and defence priorities, particularly when it comes to technology. Delivering on that shift will be difficult and often costly, but this report provides a series of recommendations of what that correlation and cooperation could look like.

For Canberra, such an endeavour is of the same magnitude as America’s historic ‘moonshots’ during the 1960s and 1970s. It’s a once-in-a-generation challenge that will determine Australia’s place in the world, and human capital is central to ensuring success. Opting out of semiconductor manufacturing for the long term would severely constrain Australia’s growth as a technological nation and consign it to second-tier status.

This report expands on the recommendations made in the 2022 ASPI report for establishing a semiconductor-manufacturing capability in Australia and focuses on the importance of creating a talent pipeline that can support a scaled industry. Achieving a semiconductor moonshot requires stepping up Australia’s very respectable semiconductor device fabrication R&D to industry-compatible prototyping via a dedicated facility, together with attracting (through that capability and by government incentives) a semiconductor manufacturer to locate a mature-process-scale foundry in Australia—which will require support from an upskilled Australian talent pipeline. This is an ambitious move but is an essential step in growing such a capability.

The ability to grow and maintain a high-skilled workforce is a foundational challenge for Australia that can be addressed through close examination of trailblazing public–private partnerships (PPPs) that aim to provide talent-pipeline security in the US, Taiwan and Japan. Australian governments, industry and academia can emulate and engage with the examples highlighted through case studies in this report to attract semiconductor industry investment, boost talent-pipeline development and strengthen industry R&D. Australia’s states and territories all have varied capacity to offer support to a semiconductor-manufacturing capability.

Surveillance, privacy and agency

Executive summary

ASPI and a non-government research partner[1] conducted a year-long project designed to share detailed and accurate information on state surveillance in the People’s Republic of China (PRC) and engage residents of the PRC on the issue of surveillance technology. A wide range of topics was covered, including how the party-state communicates on issues related to surveillance, as well as people’s views on state surveillance, data privacy, facial recognition, DNA collection and data-management technologies.

The project’s goals were to:

  • improve our understanding of state surveillance in China and how it’s communicated by the Chinese party-state
  • develop a nuanced understanding of PRC residents’ perceptions of surveillance technology and personal privacy, the concerns some have in regard to surveillance, and how those perceptions relate to trust in government
  • explore the reach and potential of an interactive digital platform as an alternative educational and awareness-raising tool.

This unique project combined extensive preliminary research—including media analysis and an online survey of PRC residents—with data collected from an interactive online research platform deployed in mainland China. Media analysis drew on PRC state media to understand the ways in which the party-state communicates on issues of surveillance. The online survey collected opinions from 4,038 people living in mainland China, including about their trust in government and views on surveillance technologies. The interactive research platform offered PRC residents information on the types and capabilities of different surveillance technologies in use in five municipalities and regions in China. Presenting an analysis of more than 1,700 PRC Government procurement documents, it encouraged participants to engage with, critically evaluate and share their views on that information. The research platform engaged more than 55,000 PRC residents.

Data collection was led and conducted by the non-government research partner, and the data was then provided to ASPI for a joint analysis. The project details, including methodology, can be found on page 6.

Key findings

The results of this research project indicate the following:

  • Project participants’ views on surveillance and trust in the government vary markedly.
    • Segmentation analysis of survey responses suggests that respondents fall into seven distinct groups, which we have categorised as dissenters, disaffected, critics, possible sceptics, stability seekers, pragmatists and endorsers (the segmentation analysis is on page 12).
  • In general, PRC state narratives about government surveillance and technology implementation appear to be at least partly effective.
    • Our analysis of PRC state media identified four main narratives to support the use of government surveillance:
      1. Surveillance helps to fight crime.
      2. The PRC’s surveillance systems are some of the best in the world.
      3. Surveillance is commonplace internationally.
      4. Surveillance is a ‘double-edged sword’, and people should be concerned for their personal privacy when surveillance is handled by private companies.
    • Public opinion often aligns with state messaging that ties surveillance technologies to personal safety and security. For example, when presented with information about the number of surveillance cameras in their community today, a larger portion of Research Platform participants said they would prefer the same number (39%) or more cameras (38.4%).
    • PRC state narratives make a clear distinction between private and government surveillance, which suggests party-state efforts to ‘manage’ privacy concerns within acceptable political parameters.
  • Project participants value privacy but hold mixed views on surveillance.
    • Participants expressed a preference for consent and active engagement on the issue of surveillance. For example, over 65% agreed that DNA samples should be collected from the general population only on a voluntary basis.
    • Participants are generally comfortable with the widespread use of certain types of surveillance, such as surveillance cameras; they’re less comfortable with other forms of surveillance, such as DNA collection.
  1. ASPI supported this project with an undisclosed research partner. That institution remains undisclosed to preserve its access to specific research techniques and data and to protect its staff.

Getting regulation right: approaches to improving Australia’s cybersecurity

What’s the problem?

As well as having a global impact, cybersecurity is one of the most significant issues affecting Australia’s economy and national security. On the one hand, poor cybersecurity presents a risk to the interconnected digital systems on which we increasingly rely; on the other hand, well-managed cybersecurity provides an opportunity to build trust and advantage by accelerating digital transformation. Cyber threats can originate from a diverse range of sources and require a diverse set of actions to mitigate them effectively. However, a common theme is that much better cyber risk management is needed to address this critical threat; the current operation of the free market isn’t consistently driving all of the required behaviours or actions.

Regulation can provide a powerful mechanism to modify incentives and change behaviours. However, securing cyberspace depends on the intersection of many factors—technical, social and economic. Current regulations are a patchwork of general, cyber-specific and sector-specific measures with a lack of cohesion that causes overlaps and gaps. That makes the environment complex, which means that finding the right approach that will truly improve overall security and minimise unwanted side effects is difficult. It’s necessary to analyse the interconnected factors that determine the net effectiveness of cybersecurity regulations.

Furthermore, the pace of technological change is so fast today that, even if regulation is successful when first implemented, it needs to be appropriately futureproofed to avoid becoming irrelevant after even a few months. Recent rapid developments in artificial intelligence are an example of the risks here that will need to be anticipated in any changes to the regulatory regimes.

What’s the solution?

Regulatory interventions have an important role to play as one part of a strategy to uplift Australia’s cybersecurity, if done in the right way. This paper presents a framework for the government to make appropriate decisions about whether and how to regulate. That must start with defining which aspect of the cybersecurity challenge it seeks to address and the specific intended long-term impact. In cybersecurity, the most appropriate metrics or measures that regulation seeks to influence should, where possible, be risk-based, rather than specific technical measures. This is because the actual technical measures required are dependent on the individual context of each situation, will change over time, and are effective only when combined with people and process measures. The impact of the interventions on those metrics needs to be readily measurable in order to enable reliable enforcement at acceptable cost—both direct financial cost and indirect opportunity costs.

There’s often a focus on regulation to compel entities to do or not do something. However, compulsion is only one form of regulation, and others, such as facilitation or encouragement, should be considered first, treating compulsion as only one possible approach, which should be used carefully and strategically.

Detailed implementation of cybersecurity regulations should use a co-design process with the relevant stakeholders, who will bring perspectives, experiences and knowledge that government alone does not have. It should also draw upon relevant experience of international partners, not only to benefit from lessons learned, but also to minimise the compliance burden for global companies and operators. Finally, in recognising the complexity of the problem, an iterative approach that measures impact and adjusts approaches to enhance effectiveness, incorporate lessons learned and absorb technological advances needs to be planned from the outset.

De-risking authoritarian AI

A balanced approach to protecting our digital ecosystems

What’s the problem?

Artificial intelligence (AI)–enabled systems make many invisible decisions affecting our health, safety and wealth. They shape what we see, think, feel and choose, they calculate our access to financial benefits as well as our transgressions, and now they can generate complex text, images and code just as a human can, but much faster.

So it’s unsurprising that moves are afoot across democracies to regulate AI’s impact on our individual rights and economic security, notably in the European Union (EU).

But, if we’re wary about AI, we should be even more circumspect about AI-enabled products and services from authoritarian countries that share neither our values nor our interests. And, for the foreseeable future, that means the People’s Republic of China (PRC)—a revisionist authoritarian power demonstrably hostile to democracy and the rules-based international order, which routinely uses AI to strengthen its own political and social stability at the expense of individual human rights. In contrast to other authoritarian countries such as Russia, Iran and North Korea, China is a technology superpower with global capacity and ambitions and is a major exporter of effective, cost-competitive AI-enabled technology into democracies.

In a technology-enabled world, the threats come at us ‘at a pace, scale and reach that is unprecedented’.[1] And, if our reliance on AI is also without precedent, so too is the opportunity—via the magic of the internet and software updates—for remote, large-scale foreign interference, espionage and sabotage through AI-enabled industrial and consumer goods and services inside democracies’ digital ecosystems. AI systems are embedded in our homes, workplaces and essential services. More and more, we trust them to operate as advertised, always be there for us and keep our secrets.

Notwithstanding the honourable intentions of individual vendors of Chinese AI-enabled products and services, they’re subject to direction from PRC security and intelligence agencies, so we in the democracies need to ask ourselves: against the background of growing strategic competition with China, how much risk are we willing to bear?

We should worry about three kinds of Chinese AI-enabled technology:

  1. products and services (often physical infrastructure), where PRC ownership exposes democracies to risks of espionage (notably surveillance and data theft) and sabotage (disruption and denial of products and services)
  2. AI-enabled technology that facilitates foreign interference (malign covert influence on behalf of a foreign power), the most pervasive example being TikTok
  3. ‘Large language model AI’ and other emerging generative AI systems—a future threat that we need to start thinking about now.

While we should address the risks in all three areas, this report focuses more on the first category (and indeed looks at TikTok through the prism of the espionage and sabotage risks that such an app poses).

The underlying dynamic with Chinese AI-enabled products and services is the same as that which prompted concern over Chinese 5G vendors: the PRC Government has the capability to compel its companies to follow its directions, it has the opportunity afforded by the presence of Chinese AI-enabled products and services in our digital ecosystems, and it has demonstrated malign intent towards the democracies.

But this is a more subtle and complex problem than deciding whether to ban Chinese companies from participating in 5G networks. Telecommunications networks are the nervous systems that run down the spine of our digital ecosystems; they’re strategic points of vulnerability for all digital technologies. Protecting them from foreign intelligence agencies is a no-brainer and worth the economic and political costs. And those costs are bounded because 5G is a small group of easily identifiable technologies.

In contrast, AI is a constellation of technologies and techniques embedded in thousands of applications, products and services, so the task is to identify where on the spectrum between national-security threat and moral panic each of these products sits. And then pick the fights that really matter.

What’s the solution?

A general prohibition on all Chinese AI-enabled technology would be extremely costly and disruptive. Many businesses and researchers in the democracies want to continue collaborating on Chinese AI-enabled products because it helps them to innovate, build better products, offer cheaper services and publish scientific breakthroughs. The policy goal here is to take prudent steps to protect our digital ecosystems, not to economically decouple from China.

What’s needed is a new three-step framework to identify, triage and manage the riskiest products and services. The intent is similar to that proposed in the recently introduced draft US RESTRICT Act, which seeks to identify and mitigate foreign threats to information and communications technology (ICT) products and services, although the focus here is on teasing out the most serious threats.

Step 1: Audit. Identify the AI systems whose purpose and functionality concern us most. What’s the potential scale of our exposure to this product or service? How critical is this system to essential services, public health and safety, democratic processes, open markets, freedom of speech and the rule of law? What are the levels of dependency and redundancy should it be compromised or unavailable?

Step 2: Red Team. Anyone can identify the risk of embedding many PRC-made technologies into sensitive locations, such as government infrastructure, but, in other cases, the level of risk will be unclear. For those instances, you need to set a thief to catch a thief. What could a team of specialists do if they had privileged access to (that is, ‘owned’) a candidate system identified in Step 1—people with experience in intelligence operations, cybersecurity and perhaps military planning, combined with relevant technical subject-matter experts? This is the real-world test because all intelligence operations cost time and money, and some points of presence in a target ecosystem offer more scalable and effective opportunities than others. PRC-made cameras and drones in sensitive locations are a legitimate concern, but crippling supply chains through accessing ship-to-shore cranes would be devastating.

For example, we know that TikTok data can be accessed by PRC agencies and reportedly also reveal a user’s location, so it’s obvious that military and government officials shouldn’t use the app. Journalists should think carefully about this, too. Beyond that, the merits of a general ban on technical security grounds are a bit murky. Can our Red Team use the app to jump onto connected mobiles and IT systems to plant spying malware? What system mitigations could stop them getting access to data on connected systems? If the team revealed serious vulnerabilities that can’t be mitigated, a general ban might be appropriate.

Step 3: Regulate. Decide what to do about a system identified as ‘high risk’. Treatment measures might range from prohibiting Chinese AI-enabled technology in some parts of the network, a ban on government procurement or use, or a general prohibition. Short of that, governments could insist on measures to mitigate the identified risk or dilute the risk through redundancy arrangements. And, in many cases, public education efforts along the lines of the new UK National Protective Security Authority may be an appropriate alternative to regulation.

The democracies need to think harder about Chinese AI-enabled technology in our digital ecosystems. But we shouldn’t overreact: our approach to regulation should be anxious but selective.

State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity

As part of a multi-year capacity-building project supporting governments in the Indo-Pacific with defending their economies against the risk of cyber-enabled theft of intellectual property, ASPI analysed public records to determine the effects, actual scale, severity and spread of current incidents of cyberespionage affecting and targeting commercial entities.

In 2015, G20 leaders agreed that ‘no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.’

Our analysis suggests that the threat of state-sponsored economic cyberespionage is more significant than ever, with countries industrialising their cyberespionage efforts to target commercial firms and universities on a grander scale; and more of these targeted industries and universities are based in emerging economies.

“Strategic competition has spilled into the economic and technological domains and states have become more comfortable and capable using offensive cyber capabilities. Our analysis shows that the state practice of economic cyber-espionage appears to have resurged to pre-2015 levels and tripled in raw numbers.”

In this light, we issued a Briefing Note on 15 November 2022 recommending that the G20 members recognise that state-sponsored ICT-enabled theft of IP remains a key concern for international cooperation and encouraging them to reaffirm their commitment made in 2015 to refrain from economic cyber-espionage for commercial purposes.

This latest Policy Brief, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, further suggests that governments should raise awareness by better assessing and sharing information about the impact of IP theft on their nations’ economies in terms of financial costs, jobs and competitiveness. Cybersecurity and intelligence authorities should invest in better understanding the extent of state-sponsored economic cyber-espionage on their territories.

On the international front, the G20 and relevant UN committees should continue addressing the issue and emphasising countries’ responsibilities not to allow the attacks to be launched from their territories.

The G20 should encourage members to reaffirm their 2015 commitments and consider establishing a cross-sectoral working group to develop concrete guidance for the operationalisation and implementation of the 2015 agreement while assessing the scale and impact of cyber-enabled IP theft.

‘With a little help from my friends’: Capitalising on opportunity at AUSMIN 2022

The annual Australia-US Ministerial Consultations have been the primary forum for bilateral engagement since 1985. The Australian Minister for Defence and Minister for Foreign Affairs will meet with their American counterparts in Washington in 2022, in the 71st year of the alliance, and it’s arguably never been so important.

The Australian Strategic Policy Institute is proud to release ‘With a little help from my friends’: Capitalising on opportunity at AUSMIN 2022, a report featuring chapters from our defence, cyber and foreign policy experts to inform and guide the Australian approach to the 2022 AUSMIN consultations.

In this report, ASPI harnesses its broad and deep policy expertise to provide AUSMIN’s principals with tangible policy recommendations to take to the US. The following chapters describe Australia’s most pressing strategic challenges. The authors offer policy recommendations for enhancing Australian and US collaboration to promote security and economic prosperity.

The collection of essays covers topics and challenges that the US and Australia must tackle together: defence capability, foreign affairs, climate change, foreign interference, rare earths, cyber, technology, the Pacific, space, integrated deterrence and coercive diplomacy. In each instance, there are opportunities for concrete, practical policy steps to ensure cohesion and stability.

Frontier influencers: the new face of China’s propaganda

Executive summary

This report explores how the Chinese party-state’s globally focused propaganda and disinformation capabilities are evolving and increasing in sophistication. Concerningly, this emerging approach by the Chinese party-state to influence international discourse on China, including obfuscating its record of human rights violations, is largely flying under the radar of US social media platforms and western policymakers.

In the broader context of attempts by the Chinese Communist Party (CCP) to censor speech, promote disinformation and seed the internet with its preferred narratives, we focus on a small but increasingly popular set of YouTube accounts that feature mainly female China-based ethnic-minority influencers from the troubled frontier regions of Xinjiang, Tibet and Inner Mongolia, hereafter referred to as ‘frontier influencers’ or ‘frontier accounts’.

Despite being blocked in China, YouTube is seen by the CCP as a key battlefield in its ideological contestation with the outside world, and YouTube’s use in foreign-facing propaganda efforts has intensified in recent years. Originally deployed on domestic video-sharing platforms to meet an internal propaganda need, frontier-influencer content has since been redirected towards global audiences on YouTube as part of the CCP’s evolving efforts to counter criticisms of China’s human rights problems and burnish the country’s image.

Alongside party-state media and foreign vloggers, these carefully vetted domestic vloggers are increasingly seen as another key part of Beijing’s external propaganda arsenal. Their use of a more personal style of communication and softer presentation is expected to be more convincing than traditional party-state media content, which is often inclined towards the more rigid and didactic. For the CCP, frontier influencers represent, in the words of one Chinese propaganda expert, ‘guerrillas or militia’ fighting on the flanks in ‘the international arena of public opinion’, while party-state media or the ‘regular army’ ‘charge, kill and advance on the frontlines’.

The frontier accounts we examine in this report were predominantly created in 2020–21 and feature content that closely hews to CCP narratives, but their less polished presentation has a more authentic feel that conveys a false sense of legitimacy and transparency about China’s frontier regions that party-state media struggle to achieve. For viewers, the video content appears to be the creation of the individual influencers, but is in fact what’s referred to in China as ‘professional user generated content’, or content that’s produced with the help of special influencer-management agencies known as multi-channel networks (MCNs).

For the mostly young and female Uyghur, Tibetan and other ethnic-minority influencers we examine in this report, having such an active presence on a Western social media platform is highly unusual, and ordinarily would be fraught with danger. But, as we reveal, frontier influencers are carefully vetted and considered politically reliable. The content they create is tightly circumscribed via self-censorship and oversight from their MCNs and domestic video platforms before being published on YouTube. In one key case study, we show how frontier influencers’ content was directly commissioned by the Chinese party-state.

Because YouTube is blocked in China, individual influencers based in the country aren’t able to receive advertising revenue through the platform’s Partner Program, which isn’t available there. But, through their arrangements with YouTube, MCNs have been able to monetise content for frontier influencers, as well as for hundreds of other China-based influencers on the platform. Given that many of the MCNs have publicly committed to promote CCP propaganda, this arrangement results in a troubling situation in which MCNs are able to monetise their activities, including the promotion of disinformation, via their access to YouTube’s platform.

The use of professionally supported frontier influencers also appears to be aimed at ensuring that state-backed content ranks well in search results because search-engine algorithms tend to prioritise fresh content and channels that post regularly. From the CCP’s perspective, the continuous flooding of content by party-state media, foreign influencers and professionally supported frontier influencers onto YouTube is aimed at outperforming other more critical but stale content.

This new phenomenon reflects a continued willingness, identified in previous ASPI ICPC reports,[1] by the Chinese party-state to experiment in its approach to shaping online political discourse, particularly on those topics that have the potential to disrupt its strategic objectives. By targeting online audiences on YouTube through intermediary accounts managed by MCNs, the CCP can hide its affiliation with those influencers and create the appearance of ‘independent’ and ‘authoritative’ voices supporting its narratives, including disinformation that it’s seeking to propagate globally.

This report (on page 42) makes a series of policy recommendations, including that social media platforms shouldn’t allow MCNs who are conducting propaganda and disinformation work on behalf of the Chinese party-state to monetise their activities or be recognised by the platforms as, for example, official partners or award winners. This report also recommends that social media platforms broaden their practice of labelling the accounts of state media, agencies and officials to include state-linked influencers from the People’s Republic of China.

  1. Fergus Ryan, Ariel Bogle, Nathan Ruser, Albert Zhang, Daria Impiombato, Borrowing mouths to speak on Xinjiang, ASPI, Canberra, 7 December 2021. Fergus Ryan, Ariel Bogle, Albert Zhang, Jacob Wallis, #StopXinjiang Rumors: the CCP’s decentralised disinformation campaign, ASPI, Canberra, 2 December 2021, https://www.aspi.org.au/report/stop-xinjiang-rumors.

Australia’s semiconductor national moonshot

Foreword

Australia has recently been forced to cross a Rubicon. Its wholehearted embrace of global free trade and just-in-time supply chains has had to confront the hard reality of geopolitics. In many parts of the world, geopolitics is choking free trade, and China—Australia’s largest trading partner—has shown itself particularly willing to use trade coercively and abrogate its free trade commitments, not just with Australia, but with countries all around the world.

Advanced technologies are at the centre of this geopolitical struggle, because of the risk that withheld supply poses to national economies and security. As Covid-19 disruptions have demonstrated, the risks are not even limited to deliberate coercion.

In this environment, bold action is warranted. Continuing to do what we did before is not an option because it will undermine the national interest. A new approach is needed that’s in part heretical to our old market-based approach but is driven by necessity: government intervention that works in tandem with industry expertise and drive.

In this important policy brief, Alex Capri and Robert Clark lay out a vision for Australia to secure its place in the global semiconductor industry—an industry they describe as ‘the single most important technology underlying leading-edge industries’.

Their proposal is to stimulate A$5 billion of semiconductor manufacturing activity through A$1.5 billion of government investment and financial incentives. Those subsidies and tax concessions would mirror similar initiatives such as the US ‘CHIPS’ and ‘FABS’ Acts, but are focused on Australia’s interests.

They identify a logical niche for Australia that would initially establish a distributed commercial compound semiconductor foundry capability across Australia via a public–private partnership. In the longer term, they propose establishing a commercial silicon complementary metal-oxide semiconductor foundry at mature process scale.

Government intervention in a market shouldn’t be made lightly, but Capri and Clark make a compelling case to do so. If policymakers agree that Australia needs access to semiconductors and that their supply from elsewhere can’t be guaranteed, then intervention is imperative.

This policy brief lays out a ‘moonshot’ to get Australia there.

Fergus Hanson
Director, International Cyber Policy Centre

What’s the problem?

Semiconductors (also known as ‘microchips’ or ‘chips’) are the single most important technology underpinning leading-edge industries. They’re essential for the proper functioning of everything from smartphones to nuclear submarines and from medical equipment to wireless communications.

Australia’s notable lack of participation in the global semiconductor ecosystem has put it at a geopolitical disadvantage. As a nation, with some niche exceptions, it’s almost entirely dependent on foreign-controlled microchip technology, making it increasingly vulnerable to global supply-chain shortages, shutdowns and disruptions. Such occurrences have become all too common, either because of events such as the Covid-19 pandemic or because of other governments’ attempts to weaponise supply chains for geopolitical reasons.

Having unfettered access to microchips is a matter of economic and national security, and, more generally, of Australia’s day-to-day wellbeing as a nation. In an increasingly digitised world, policymakers must treat semiconductors as a vital public good, almost on par with other basic necessities such as food and water supplies and reliable electricity—a reality that would become immediately apparent in a time of international crisis resulting from, for example, wars or natural disasters.

What’s the solution?

Australia must conceive, develop and execute a national plan that will enable capacity building in the semiconductor space. To do this, leadership must embrace bold thinking and adopt its own version of a 21st-century ‘moonshot’. Instead of landing astronauts on the Moon, however, as the Americans did in their own original moonshot in a Cold War space race against the Soviet Union, Australia faces an equally daunting task: from a low base, breaking into the world’s most complex, expensive and strategic technology ecosystem.

To achieve that, the Australian Government must do four overarching things.

First, it must embark on an epic technology-transfer initiative. To be successful, Australia must attract and absorb leading-edge technology, human capital (talent) and investment through a range of strategic partnerships with world-class companies, universities and friendly governments. The good news is that Australia already has a wealth of resources and building blocks to which it can turn to bring this to fruition.

Second, it must leverage its security partnerships and alliances with the US, Britain, Japan and others to tether the development of its semiconductor capabilities to evolving mutual defence needs and related innovation. Security alliances such as the Quadrilateral Security Dialogue (the Quad), AUKUS and the Five Eyes network must double up as enablers of Australia’s semiconductor sector (and other critical technology) advancement. The spillover to Australia’s commercial sector will be immense.

Third, Australia’s firms and local talent must become enmeshed in global value chains. Not just any value chains, however. Australia’s strategic industries must seek to secure supply-chain arrangements via bilateral, minilateral and multilateral agreements, and government should continue to participate in high-quality multilateral free trade agreements, assuming those agreements actually enforce rules and standards reflective of Australia’s core values.

Countries such as the US, the UK, Japan and South Korea, along with various EU nations, India, Taiwan and Singapore, show good potential for ‘friend-shoring’, meaning that they could provide safe havens for the ring-fencing of Australia’s strategic value chains. For example, Australia could join Washington’s ‘secure’ (‘China-free’) supply-chain arrangements with Taiwan, Japan and South Korea as part of the US Creating Helpful Incentives to Produce Semiconductors and Science Act (CHIPS Act) or pursue similar agreements with the EU’s nascent supply-chain security agreements as part of the EU’s European Chips Act. Bilateral and minilateral agreements are preferred. Such an outcome would be mutually advantageous to all parties, given the benefits of rationalised global value chains for the world’s most complex sector.

Highly specialised slices of the semiconductor value chain require a dizzying range of materials, processes, equipment and technologies from trading partners that must be relied upon to deliver the goods without the risk of sanctions, blacklists and export bans—or any other geopolitically motivated weaponisation of supply chains. Every niche player in Australia’s microchip ecosystem, therefore, must keep its critical production activities ring-fenced within ‘friendly’ geopolitical and geographical value chains.

Strategic friend-shoring and home-shoring must cover everything from localised rare-earth and critical-materials processing at the bottom of supply chains to the production of specialised microchips at the top end.

Fourth, Australia’s public sector must step up to facilitate the right kinds of public–private partnerships (PPPs), provide targeted funding for semiconductor R&D and education, and create commercial incentives for foreign and local investments. This will require adept ‘techno-diplomacy’ with foreign partners, as well as a deft touch regarding the local technology landscape, as too much government interference could impede Australia’s tremendous entrepreneurial spirit. This is a moonshot: big and bold actions and expenditures are needed, not overly cautious gradualism.

Executive summary

In this report, we set out to make specific recommendations underpinning an Australian semiconductor national plan. This is an urgent task, which is presented in a global context, with special emphasis given to the geopolitical complexity of semiconductor supply-chain issues and Australia’s important strategic alliances and partnerships.

Our analysis emphasises the centrality of a commercial semiconductor chip manufacturing capability, which is nearly absent in Australia. Developing other aspects of the semiconductor ecosystem is important, including critical minerals and microchip design, but those areas must be addressed concurrently, as part of a larger, decisive plan, not through a gradualist approach. Opting out of semiconductor manufacturing will severely constrain Australia’s growth as a technological nation and consign it to second-tier status.

International examples, and recent substantial incentives formalised by governments worldwide for this critical industry, such as the US and European ‘Chips’ Acts, are highlighted and provide guidance.

Australia has an R&D semiconductor fabrication foothold upon which it can build its new capabilities. Viable investment streams via the Australian National Fabrication Facility (ANFF) network under the National Collaborative Research Infrastructure Strategy must be increased substantially.

A sufficiently funded ANFF, with capability increased to pilot production in key nodes, could underpin closely located foundries via public–private partnerships (PPPs) with commercial manufacturing firms. As is the case for PPP developments in the US and UK, it’s proposed that Australia attract appropriately tailored foundry capability in compound semiconductors, and also in complementary metal-oxide-semiconductors (silicon CMOS) at mature process scale. The endgame is to address these key markets with a sovereign talent pipeline.

We provide a dollar amount estimate for that outcome, indicating a pathway to some A$5 billion of semiconductor manufacturing activity, stimulated by A$1.5 billion of government investment and financial incentives, including direct subsidies and tax offsets, which are part of that total.

As well as financial estimates, we address the issue of focus and the scale of an Australian semiconductor ‘moonshot’. We also map the four overarching actions that we’ve outlined under ‘What’s the solution?’ to quite specific recommendations. That mapping considers the current Australian semiconductor status quo to outline an existing foothold that Australia can sensibly build on. We also take note of significant US and UK government incentive schemes recently announced to strategically define and boost those countries’ semiconductor industries and supply chains, which Australia could proportionately finetune to its comparative stage of development.

In a geopolitical context, we focus on the task of creating and executing an Australian national semiconductor plan. At its heart, and notwithstanding the importance of microchip design and marketing, the central and most complex issue that will define such a plan is building a sustainable, appropriately scaled, strategic market-penetrating, trusted commercial semiconductor fabrication capacity across Australia. With this focus, in laying out an analysis of the semiconductor landscape, we highlight topics that should be at the forefront of the national discussion.

Those topics include:

  • concentrating on different business models and capacity-building scenarios, including the medium-term consideration of ‘pure play’ manufacturing of compound semiconductors as well as connected ‘fabless’ activities in research, design and innovation
  • over the long term, exploring the merits of the ‘integrated device manufacturing’ model and silicon chip fabrication at an appropriate entry point
  • focusing on specialised chip production for a growing range of sectors, including the automotive, medical, communications, energy and defence sectors
  • recognising the importance of so-called ‘trailing-edge’, ‘mature’ chip technologies and why they’re as important as ‘leading-edge’ semiconductors, in an economic and geopolitical context
  • understanding the enabling role of trusted PPPs involving Australian and other leading universities and public-sector technology agencies, semiconductor companies and governments
  • understanding the importance of technology transfer via defence-related alliances such as AUKUS and the Five Eyes and the role of government-funded research agencies in that transfer.

Countering the Hydra: A proposal for an Indo-Pacific hybrid threat centre

What’s the problem?

Enabled by digital technologies and fuelled by geopolitical competition, hybrid threats in the Indo-Pacific are increasing in breadth, application and intensity. Hybrid threats are a mix of military, non-military, covert and overt activities by state and non-state actors that occur below the line of conventional warfare. The consequences for individual nations include weakened institutions, disrupted social systems and economies, and greater vulnerability to coercion—especially from revisionist powers such as China.

But the consequences of increased hybrid activity in the Indo-Pacific reach well beyond individual nations. The Indo-Pacific hosts a wide variety of political systems and interests, with multiple centres of influence, multiple points of tension and an increasingly belligerent authoritarian power. It lacks the regional institutions and practised behaviours to help ensure ongoing security and stability. And, because of its position as a critical centre of global economic and social dynamism, instability in the Indo-Pacific, whether through or triggered by hybrid threats, has global ramifications.

Because hybrid threats fall outside the conventional frameworks of the application of state power and use non-traditional tools to achieve their effects, governments have often struggled to identify the activity, articulate the threat and formulate responses. Timeliness and specificity are problematic: hybrid threats evolve, are often embedded or hidden within normal business and operations, and may leverage or amplify other, more traditional forms of coercion.

More often than not, hybrid threat activity is targeted towards the erosion of national capability and trust and the disruption of decision-making by governments—all of which reduce national and regional resilience that would improve security and stability in the region.

What’s the solution?

There’s no silver-bullet solution to hybrid threats; nor are governments readily able to draw on traditional means of managing national defence or regional security against such threats in the Indo-Pacific.

Because of the ubiquity of digital technologies and the ever-broadening application of tools and practices across an increasing number of domains, policymakers need better and more timely information, the opportunity to share information and insights in a trusted forum, and models of how hybrid threats work (we provide one here). Exchange of information and good practice is also needed to help counter the amorphous, evolving and adaptive nature of hybrid threats.

We propose the establishment of an Indo-Pacific Hybrid Threat Centre (HTC, or the centre) as a means of building broader situational awareness on hybrid threats across the region.1 Through research and analysis, engagement, information sharing and capacity building, such a centre would function as a confidence-building measure and contribute to regional stability and the security of individual nations.

While modelled on the existing NATO–EU Hybrid Centre of Excellence (CoE) in Finland, the centre would need to reflect the differences between the European and Indo-Pacific security environments. Most notably, that includes the lack of pan-regional Indo-Pacific security institutions and practice that the centre could use. There are also differences in the nature and priorities assigned to threats by different countries: the maritime domain has more influence in the Indo-Pacific than in Europe, many countries in the region face ongoing insurgencies, and there’s much less adherence to, or even interest in, democratic norms and values.

That will inevitably shape the placement, funding, and operations of an Indo-Pacific HTC. A decentralised model facilitating outreach across the region would assist regional buy-in. Partnership arrangements with technology companies would provide technical insight and support. Long-term commitments will be needed to realise the benefits of the centre as a confidence-building measure. The Quad countries are well positioned to provide such long-term commitments, while additional support could come from countries with experience and expertise in hybrid threats, particularly EU countries and the UK.

As with the NATO–EU Hybrid CoE, independence and integrity are paramount. That implies the positioning of the Indo-Pacific HTC core in a strong democracy; better still would be the legislative protection of its operations and data. Accordingly, we propose scoping work to establish policy approval, legislative protection and funding arrangements and to seed initial research capability and networks.

Introduction

Hybrid threats are a mix of military and non-military, covert and overt activities by state and non-state actors that occur below the line of conventional warfare. Their purpose is to blur the lines between war and peace, destabilise societies and governments and sow doubt and confusion among populations and decision-makers. They deliberately target democratic systems and state vulnerabilities, often leveraging legitimate processes for inimical ends, and typically aim to stay below the threshold of detection, attribution and retaliation.2 They’re the same activities that the Australian Government attributes to the ‘grey zone’, involving ‘military and non-military forms of assertiveness and coercion aimed at achieving strategic goals without provoking conflict.’3

Hybrid threats are increasingly of concern to governments as they grapple with the effects of digital technologies, Covid-19 and an increasingly tense geopolitical environment. Ambiguous, evolving, at the intersection of society, commerce and security, and transnational in character, hybrid threats challenge and undercut ‘normal’ conceptions of security. Unmet, they stoke division and anxiety in societies and states. They threaten to erode national security, sovereignty and societal resilience, leaving nations and their people vulnerable to coercion, particularly by authoritarian states and criminal elements.

The immediate targets of motivated hybrid activity are typically non-traditional, in the sense that government security apparatuses aren’t expected to manage and repulse them. Hybrid activity takes advantage of other, easier targets and means of generating confusion and disruption at the nation-state level: individuals may be targeted for repression or assassination; fishing vessels harassed; intellectual property stolen; commercial advantage pillaged; researchers and journalists intimidated; ethnic communities hijacked; and elites co-opted for corrupt ends.

The Indo-Pacific region is particularly vulnerable. For example, it lacks the more practised security frameworks, cooperative mechanisms and understandings present in Europe. There’s little shared awareness and understanding of the nature and consequences of hybrid threats. The region is also especially economically and demographically dynamic and socially diverse, featuring a number of competing political systems and institutions.

That offers both challenge and opportunity. In this paper, we consider the nature of hybrid threats, explore the threat landscape in the Indo-Pacific, turn our attention to the potential ‘fit’ of an Indo-Pacific HTC and make recommendations for the way forward.

A number of the thoughts and insights incorporated in this paper emerged during ASPI’s consultations with governments, businesses and civil society groups in the Indo-Pacific, as well as in Europe and the UK. We thank those respondents for their time and insights.

  1. Danielle Cave, Jacob Wallis, ‘Why the Indo-Pacific needs its own hybrid threats centre’, The Strategist, 15 December 2021.
  2. See NATO’s definition, online, and the Hybrid Centre of Excellence’s definition.
  3. Defence Department, Defence Strategic Update, Australian Government, 2020, 5.

Building genuine trust

A framework and strategy for Indigenous STEM and cyber pathways

Executive summary

Indigenous recruitment and retention in the Australian Defence organisation is defined by a high target of 5% participation in the armed services and 3% in the Australian Public Service component of the Defence Department by 2025. The participation target is a point of pride and a source of clear goodwill and has provided momentum in several areas of Defence for Indigenous employment and pathways.

However, the individual areas of success and effort are yet to translate into an effective whole-of-Defence framework with cohesive lines of effort. This policy report suggests how that can change. It provides a framework and strategy for Defence to support science, technology, engineering and mathematics (STEM) recruitment and retention and cybersecurity careers, particularly through engagement with the vocational education and training system and through targeted relationship building with university- and school-based Indigenous STEM initiatives.

We propose that Defence should enact a wider set of supporting measures—particularly in data and reporting to track professional development—that’s more likely to deliver sustainable success, organisational improvements and outcomes for Defence. That should include mechanisms to enhance the achievements of the Indigenous Procurement Policy.

Defence must ensure that it meets its immediate skills shortfalls as well as its long-term obligations under the Closing the Gap initiative and the Defence Reconciliation Action Plan to foster genuine and meaningful relationships built upon trust with Indigenous peoples.

We suggest how that’s possible through a framework and 56 recommendations focusing on 12 areas of activity:

  • data, reporting and user-experience web design
  • career pathways
  • defence and technology contractors
  • community engagement
  • procurement and business development
  • veterans’ employment and procurement
  • the vocational education sector
  • universities
  • recruitment
  • retention
  • coordination with other public agencies
  • international partnerships.

Action on those recommendations will ensure that Defence is an employer of choice and fosters genuine and meaningful trust with Australia’s Indigenous peoples. And it will also build Defence’s capability to keep our nation safe and secure in a more dangerous world.

Introduction: Building trust—what’s visible and what are the blind spots?

The recruitment and retention of Indigenous Australians in the Defence organisation is defined by high ambitions. The aim is to reach 5% Indigenous participation in the armed services and 3% in the Australian Public Service (APS) by 2025. However, the implementation of employment pathways is lagging due to weak engagement with the talent pool, especially with Indigenous Australians who are training in science, technology, engineering and mathematics (STEM) fields in the vocational education and training (VET) and university sectors. Weak talent market mapping means that current success rates in Defence recruiting are unlikely to be maintained, particularly as competition to attract and retain Indigenous workers increases.

A common story in the services and Defence APS is the slow progress on the policy reform that’s urgently needed to build Indigenous employment pathways into Defence and through to the wider defence ecosystem, including veterans’ employment. Defence needs to demonstrate that it invests in the long-term training, retention and advancement of Indigenous personnel.

Our discussions with Defence personnel have revealed that silos in the Defence organisation work against Indigenous recruitment and retention. The services are driving much reform, but the absence of a comprehensive data picture and of an annual public report that canvasses what’s working well—one that establishes clear process metrics, benchmarks and areas for attention, including in recruitment, retention, training and professional development—means that many work areas are without a clear guide or a definition of success beyond participation targets, so their efforts are unfocused and can be discordant.

Developing measures and public reporting, including on how senior leadership is achieving Indigenous targets within the workforce, will be an important step forward. It will cement Defence’s leadership role as an exemplar to other parts of government and the wider defence industry. It will also ensure that Indigenous employment is addressed as part of the renewed drive to optimise defence data, as outlined in the Defence Data Strategy 2021–2023.1

Setting up Indigenous employees for success within the One Defence team requires Defence personnel at all levels to have greater situational awareness of the grassroots reasons for Indigenous Australians joining, staying in, or leaving the organisation. Developing career pathways requires policy and procedures geared towards addressing the drivers and impediments to jobs and training in cities, regions and remote Australia for Indigenous men and women of different ages.

Addressing career pathways and enhancing retention require a mindset that anticipates employee issues—including cultural factors—and addresses them so that Indigenous Australians decide to join and stay. The cultural integrity framework for the APS, sponsored by Defence, will be an important part of that effort. The framework seeks to provide support for employees and leaders so that Indigenous personnel are invested in as a resource in Defence and in the Australian Government’s broader strategic thinking and so that their experience and insight are valued appropriately.

The ‘pathway’ metaphor is often deployed to describe Indigenous training and employment programs and equity and social inclusion initiatives.2 Pathways are rarely straight lines. Indigenous employment pathways aren’t just about entry points, but are also about systemic training and development opportunities within Defence and beyond into veterans’ employment. Defence will need to approach attraction broadly to reach school leavers and students in the VET and university sectors. Defence and other agencies will need to ensure that the growth of Indigenous opportunities is part of the government’s revised ‘industry cluster’ model for skills development.3

One bright spot is the Indigenous businesses sector, which is a growing source of employment, labour market information and training for young Indigenous people. Defence is a driver in that sector. In 2020–21, Defence outstripped its target of 676 contracts, awarding 6,476 contracts worth $610 million to Indigenous businesses.4 Although that was a doubling of contract value, from $300 million to $600 million in one year, a House of Representatives committee report tabled in August 2021 suggested various measures to increase the capability of the Indigenous business sector in order to push the sector further up the value chain. Since 2015, Defence has awarded $1.86 billion in contract value to more than 550 Indigenous businesses.

Problems in the Indigenous business sector, such as ‘blackcladding’ (creating a management structure that satisfies the ownership criteria for the Indigenous Procurement Policy but in which control of the enterprise can be vested in non-Indigenous managers), are not adequately addressed by current policy. Indigenous business operators have said that they feel discriminated against in procurement panel processes and that they have higher barriers to overcome. Although that view is also characteristic of many non-Indigenous small and medium-sized enterprises (SMEs), it risks undermining Defence’s current achievements.

The size of Defence’s procurement portfolio creates an expectation that it should take a leading role in procurement policy reform. Improved opportunities that reinforce the expansion and maturation of sovereign industrial capability through Indigenous businesses would be a step forward, given that Indigenous businesses have substantially better employment outcomes for Indigenous people than non-Indigenous businesses.5 However, that will be a real challenge, as the sector needs to mature in its training and finances to deliver to Defence. A veterans’ business procurement policy could strengthen relationships with Indigenous veterans.

Initiatives for Defence and other parts of government that tie together training, scholarships and pre-apprenticeship programs would provide a major lift to current efforts. Initiatives to build capability (business incubators, venture financing, ensuring that existing policy tools are used effectively, and opportunities for veterans’ businesses) would increase the ability of Indigenous businesses to deliver higher value contracts. There are risks in all those areas, so Defence’s activities will need to be communicated clearly to stakeholders and political decision-makers, and the linkage of those policies to Defence’s core purposes—delivering capabilities for the government to use to advance Australia’s security—must be clear.

This is a clear point of difference between the broader defence industry and the Defence organisation. Defence’s ambitions include a market-leading participation target, using procurement as a driver of an economic and social uplift, and a commitment to meet Closing the Gap targets. Defence can encourage industry to take up the challenge, given its stake in key areas such as cybersecurity. In the broader business environment, there’s patchy engagement with reconciliation processes (particularly the registration of reconciliation action plans with Reconciliation Australia) among major defence contractors, including those that provide recruitment advertising or provide technology. This is an area where Defence can influence overall change in the sector.

There will always be tension for Defence and government between targeting problems that are clearly visible (and for which data is available) and addressing blind spots. Labour market data on Indigenous Australia is notoriously unreliable, so government action can be misaligned. For example, an effort to improve the quality of labour force statistics by the Department of the Prime Minister and Cabinet’s Central Analytics Hub was shelved because of the Covid-19 pandemic, the bushfire season and data access problems. Defence can be a powerful advocate for improved federal and state data collection as a basis for policy and implementation in this area.

Visible data creates a bias towards taking action that seems relatively straightforward, but which in fact will require concerted efforts on multiple fronts and involve several government portfolios or work areas. For example, the Certificate IV in Cybersecurity qualification in the vocational sector is only four years old. The curriculum was developed by TAFE administrators and several technology and cybersecurity companies and overseen by the Victorian Registration and Qualification Authority, but with no Defence involvement.

A seemingly straightforward solution, such as directing recruitment efforts towards TAFE cybersecurity students, can be surprisingly complicated. Current data (from 2020) shows that 129 Indigenous students were studying for the Certificate IV in NSW, 55 in Queensland and 275 in Victoria.6 Twenty-four registered training organisations across the country are currently approved to deliver the course.7 However, the National Centre for Vocational Education Research public data isn’t disaggregated to the campus level, so exactly where those students are learning (including online) is difficult to determine.

This is why relationship building comes up so often in discussions with those in Defence charged with attracting Indigenous candidates and with their counterparts in the education sector responsible for guiding students into careers. Relationships trump everything when data is ambiguous, and raw numbers (on, for example, completion rates) might not tell the full story of Indigenous perseverance. For example, Indigenous students are much more likely than non-Indigenous students to experience conflict between study and family commitments, including caring for children or other family members, which affects results.8

Defence hasn’t built strong enough relationships through frequent interactions with the VET and university sectors, including Indigenous Elders in universities and Indigenous pro-vice chancellors (some of whom are ADF veterans). Its signature cyber initiatives—the ADF Cyber Gap and Cyber Defence College—don’t have a visible Indigenous engagement strategy or a clear link to the Defence TAFE Employment Scheme. TAFE is a major trainer of Indigenous Australians.

Defence has set itself an ambitious goal in the Defence Reconciliation Action Plan 2019–2022: ‘fostering genuine relationships built on trust.’9 Trust is intangible, but high-trust organisations have lower costs and ensure social cohesion in the face of rising uncertainties.10 How Defence holds itself to account and builds long-term relationships with Indigenous Australians will be a key marker of its future success.

Building trust makes Defence’s task more ambiguous and success harder to assess in the short term. Box-ticking exercises will risk jeopardising Defence’s ambitions to be an employer of choice. Defence isn’t a social policy portfolio, but it does have obligations under wider government policies, particularly the National Agreement on Closing the Gap. The population growth of Indigenous Australia is shifting towards the southern capital cities and the more populous states and territories, which is something to keep in mind when allocating resources because of the potential to exacerbate existing inequalities in access.11

The harder task is to forge relationships with communities and address the impacts of Defence's past policies on Indigenous people, as indicated in the Defence Reconciliation Action Plan. Aspects of this work are being done through the engagement activities of the Indigenous Liaison Officer network and through initiatives such as the appointment of Indigenous Elders to military bases. But some foundational blocks are missing, such as an Indigenous youth engagement strategy and a digital service design attuned to the way Indigenous candidates access internet services, including for labour market information.12

Fostering genuine trust is necessary for Defence to truly represent the nation that it protects. There are opportunities to partner with Indigenous Australians, build capacity alongside them and prioritise their leadership so that the collection and use of data, strategies on staff training and development, and strategies on youth, veteran, business and community engagement are developed in genuine partnership.

Full Report

We warmly encourage you to download and read the full report, which can be found here.


Acknowledgements

ASPI ICPC would like to thank all of those who peer-reviewed drafts of this report, including Major General Marcus Thompson, Stephen Chey, Michael Shoebridge, Fergus Hanson, John Coyne, Miah Hammond-Errey and Anastasia Kepatas. We’re also grateful to individuals we consulted in government, industry and academia, including participants at a workshop with Indigenous members of the Australian Defence Force that helped to shape and focus this report.

This report was commissioned by the Australian Department of Defence Strategic Policy and Intelligence Group. The work of ASPI ICPC would not be possible without the support of our partners and sponsors in governments, industry and civil society.

Within this report, the term ‘Indigenous’ is used to refer both to Aboriginal people and to Torres Strait Islanders.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies and issues related to information and foreign interference and focuses on the impact those issues have on broader strategic policy. The centre has a growing mixture of expertise and skills, including teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity-building, satellite analysis, surveillance and China-related issues. The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The centre enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and the Indo-Pacific region, the ICPC has a capacity-building team that conducts workshops, training programs and large-scale exercises for the public and private sectors. We thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre, contact: icpc@aspi.org.au

Important Disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2022

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published April 2022.
Front and back cover images: ‘Silhouettes in the sky’, Marcus McGregor Cassady.

Funding

Funding for this report was provided by the Australian Department of Defence Strategic Policy and Intelligence Group.

  1. Department of Defence (DoD), Defence Data Strategy 2021–2023, Australian Government, 2021, online.
  2. Jack Frawley, James A Smith, Andrew Gunstone, Ekaterina Pechenkina, Wendy Ludwig, Allison Stewart, ‘Indigenous VET to higher education pathways and transitions: a literature review’, ACCESS: Critical Explorations of Equity in Higher Education, 2017, 4(1), online.
  3. Department of Education, Skills and Employment (DESE), ‘New industry engagement arrangements—Industry clusters’, Skills Reform, Australian Government, 2022, online.
  4. Huon Curtis, Khwezi Nkwanyana, ‘Where to next for government policy on Indigenous procurement?’, The Strategist, 17 December 2021.
  5. Boyd Hunter, ‘Indigenous employment and businesses: Whose business is it to employ Indigenous workers?’, Centre for Aboriginal Economic Policy Research (CAEPR), Australian National University, 2014.
  6. ‘Table builder’, National Centre for Vocational Education Research (NCVER).
  7. ‘Organisation / RTO search’, Training.gov.au, 2022.
  8. K Hillman, The first year experience: the transition from secondary school to university and TAFE in Australia, Australian Council for Educational Research, Camberwell, 2005.
  9. DoD, Defence Reconciliation Action Plan 2019–2022, Australian Government, August 2019.
  10. A Green, G Janmaat, H Cheng, ‘Social cohesion: converging and diverging trends’, National Institute Economic Review, 2011, 215, R6–R22, doi:10.1177/0027950111401140; O Schilke, KS Cook, ‘A cross-level process theory of trust development in interorganizational relationships’, Strategic Organization, 2013, 11(3):281–303, doi:10.1177/1476127012472096; P Spoonley, P Gluckman, A Bardsley, T McIntosh, R Hunia, S Johal, R Poulton, He oranga hou: Social cohesion in a post-COVID world, Centre for Informed Futures, University of Auckland, 2020.
  11. Australian Bureau of Statistics (ABS), ‘Estimates and projections: Aboriginal and Torres Strait Islander Australians’, Australian Government, 2019.
  12. Defence has a youth engagement and development strategy but not one that’s specific to Indigenous youth. DoD, ‘The Defence Youth Engagement and Development Strategy’, Australian Government, no date.

Economic cyber-espionage: a persistent and invisible threat

Economic cyber-espionage, state-sponsored theft of sensitive business information via cyber means for commercial gain, is an invisible yet persistent threat to national economies. As more states use cyber tools to secure economic and strategic advantages, a growing number of countries, particularly emerging economies, are vulnerable.

In response, G20 members agreed in 2015 that no country should engage in cyber-enabled theft of intellectual property (IP) for commercial gain.

That resulted in expectations that states could provide assurances that their cyberspace activities didn’t seek foreign IP for unfair economic advantage, that they could provide IP holders with a protective framework, and that they could attain a level of cybersecurity maturity for protection of IP-intensive sectors.

Unfortunately, the reality is different. The number of cyber operations targeting private firms has quadrupled since 2015. As technological capabilities become central to national power, states are increasingly seeking shortcuts to competitiveness. Cyber operations seemingly offer an effective and attractive means.

The shift in cyber-espionage towards emerging economies is evident in the data analysed by ASPI. Our first report, State-sponsored Economic Cyber-espionage for Commercial Purposes: Tackling an invisible but persistent risk to prosperity, noted that advanced economies accounted for 60 percent of reported cyber-espionage cases in 2014. By 2020, that proportion had reversed, with emerging economies now the target of most campaigns.

Two follow-up reports, released today, shed light on how countries confront this growing threat. In State-sponsored Economic Cyber-Espionage: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft, we evaluated the readiness of 11 major emerging economies to counteract cyber-enabled IP theft: Argentina, Brazil, Colombia, India, Indonesia, Malaysia, Mexico, Peru, the Philippines, Thailand and Vietnam. They represent some of the fastest-growing innovative economies in the world. Many are rapidly expanding in knowledge-intensive sectors such as biotech, advanced manufacturing and digital services. However, the report’s findings are concerning.

Most countries in South Asia, Southeast Asia and Latin America don’t recognise cyber threats to innovation and knowledge sectors as a major issue. This stance is reflected at the political-diplomatic level, where no government of an emerging economy has weighed in on these threats to innovation. Indonesia, India and Brazil, during their G20 presidencies, refrained from including cyber-enabled IP theft on the forum’s agenda.

When authorities in South and Southeast Asia and Latin America have strengthened their capacities to investigate and prosecute IP theft cases, it’s been driven by efforts to achieve conformity with World Trade Organization standards. But most governments struggle to live up to expectations in terms of securing and respecting higher-end IP, particularly when cases involve trade secrets and sensitive business information and when threat actors are believed to operate from foreign jurisdictions.

While no economy is safe from the risk of economic cyber-espionage, some are likelier targets, and some are more prepared to withstand the threat. Defending against economic cyber-espionage is an exercise in matching a response posture with an ongoing assessment of an economy’s risk profile.

In our second report, State-sponsored Economic Cyber-espionage: Governmental practices in protecting IP-intensive industries, we looked at measures that governments in various parts of the world have taken to defend their economic crown jewels and other important knowledge-intensive industries from cyber threats.

Most prominently, in October 2023 the heads of the Five Eyes’ major security and intelligence agencies appeared together in public for the first time. In front of a Silicon Valley audience, they called China out as an ‘unprecedented threat’ to innovation across the world. That was followed up in October 2024 with a public campaign, Secure Innovation, which mirrored similar efforts by European and Japanese governments.

But still, IP-intensive industries aren’t held to the same levels of protection and security scrutiny as government agencies or providers of critical infrastructure, despite accounting for the bulk of GDP growth, innovation and future employment.

Defending against economic cyber-espionage is complex. It involves defending against other states, or groups operating with their consent. These actors tend to be well resourced or insulated from consequences. At the coalface of those malicious cyber activities stand private and public companies—big and small—as well as research labs and universities. They’re the first line of defence against many cyber threats, including state-sponsored threat actors.

Governments can and must play an outsized role in shaping standards for making a country’s innovation ecosystem more cyber and IP secure. This involves strengthening domestic enforcement mechanisms. The issue must also be re-energised in forums such as the World Trade Organization, the United Nations General Assembly and ministerial meetings under such organisations as the Quad and the Association of Southeast Asian Nations. Interventions must focus on measures that prevent IP theft. After all, once IP is stolen, it’s stolen for good, along with all the research and development investment made up to that point.

Editors’ picks for 2024: ‘Exclusive: Inside Beijing’s app collecting information from Belt and Road companies’

Originally published on 27 September 2024.

China’s Ministry of Foreign Affairs operates a secure digital platform that connects it directly with Chinese companies operating abroad, requiring participating companies to submit regular reports about their activities and local security conditions to the government, internal documents reveal.

The documents obtained and verified by ASPI’s China Investigations and Analysis team show how the platform, called Safe Silk Road (平安丝路), collects information from companies participating in the Belt and Road Initiative (BRI), Chinese leader Xi Jinping’s signature foreign policy initiative. The BRI has facilitated Chinese infrastructure projects and other investment in more than 100 countries, particularly developing regions. The Safe Silk Road platform was initially launched in 2017 and is now used by at least dozens of Chinese companies across several continents.

By tapping into the extensive network of Chinese companies engaged in projects around the world, the platform demonstrates how Beijing is finding new ways of improving its global information and intelligence collection to better assess risks, and ultimately protect its interests and its citizens, even in the most remote corners of the world. The Safe Silk Road platform is one more building block in the growing global infrastructure that seeks to place the Chinese government at the centre of the Chinese experience abroad, and that replicates some of the structures of information collection and surveillance that have now become ubiquitous within China.

The MFA’s External Security Affairs Department (涉外安全事务司), which operates the Safe Silk Road, has said the platform is a direct response to the difficulty of obtaining information relevant to Chinese companies abroad. The information the app collects feeds into the department’s assessments. The platform is also part of a trend across Chinese government ministries of creating apps to facilitate some of the work they were already doing.

ASPI is the first organisation to report on the Safe Silk Road platform. It is mentioned on some regional Chinese government websites but has not been covered by Chinese state media. The platform operates through a website and an associated mobile app that can only be accessed with registered accounts.

The platform is not available for download in app stores. The documents state that the platform is only intended for companies’ internal use, and that users are strictly prohibited from circulating information about it online. Companies can apply for an account through the MFA’s External Security Affairs Department or their local consulate and, once approved, designate an official contact person within the company, called a ‘company liaison officer’ (公司联络员), who is authorised to submit reports and use the app’s full functionality. The MFA provides companies with a QR code to download the app and requires companies to use the platform’s bespoke VPN with both the app and the desktop version.

Companies are asked to submit quarterly reports through the app. Those reports include basic information such as the name, national ID number and contact information of the owner, the region in which the company operates, its sector or industry, the amount of investment in US dollars, the number of Chinese and local employees, and whether it has registered with a local Chinese embassy or consulate, according to internal company documents viewed by ASPI analysts.

The app has a feature called ‘one-click report’ for ‘sudden incidents’ (突发事件) that allows users to report local security-related incidents directly to the MFA, according to the documents and other materials. The reporting feature includes the following categories: war/unrest, terrorist attack, conflict between Chinese and foreign workers, protest, kidnapping, gun shooting, production safety accident, contagion/epidemic, flood, earthquake, fire, tsunami, and other. The user can then provide more information including date, location and other details about the incident.

The reporting form also asks the company to provide information about its ‘overseas rights protection object’ (海外权益保护对象) and ‘police resources database object’ (警务资源库对象). An ‘overseas rights protection object’ may refer to patents, trademarks, and copyrights held by the company; the Chinese government has made protecting the intellectual property of Chinese companies a key focus in recent years. ‘Police resources database object’ is a vague term that may refer to security contractors, Chinese overseas police activity, or physical assets or company personnel that need protecting.

Users can subscribe to real-time security updates for their region and register to attend online safety training classes. There is even a video-conference feature within the app that allows embassy officials to call the app user directly. It is common for foreign ministries to create digital services that provide information and security alerts for their citizens abroad—such as Australia’s ‘Smartraveller’, the US Smart Traveler Enrollment Program (STEP), and China’s own ‘China Consul’ (中国领事).

The Safe Silk Road platform, however, is different. It is not public-facing, it is tailored specifically for BRI companies and, most importantly, it asks for detailed information from those companies about their own activities and local conditions, rather than just offering helpful information. For some companies, participation may even be compulsory.

ASPI’s analysis of the Safe Silk Road platform underscores Beijing’s determination to safeguard its global infrastructure and investment power play under the BRI. As China’s investment in developing regions has grown, so has Beijing’s emphasis on protecting its citizens, companies, and assets abroad.

As of December 2023, about 150 countries had joined the BRI. According to the official Belt and Road Portal, China has 346,000 workers dispatched overseas. BRI-affiliated companies often run projects in regions with underdeveloped infrastructure, high poverty, poor governance, lack of quality medical care, domestic political instability, violent crime, and terrorist attacks. Private security contracting companies are increasingly offering their services to Chinese companies abroad. The number of Chinese private security contractors has expanded dramatically in recent years as BRI companies have faced growing security challenges.

Several events over the past few years, including the pandemic and a string of attacks in Pakistan in 2021 targeting Chinese nationals supporting BRI projects, have underscored to Beijing the need for better security measures. At the third Belt and Road symposium in 2021, Xi Jinping said China needed ‘an all-weather early warning and comprehensive assessment service platform for overseas project risks’. The External Security Affairs Department said the same year that ‘the difficulty of obtaining security information is one of the major problems faced by companies who “go out”’, referring to Chinese companies that invest overseas. To address this concern, the department ‘launched the Safe Silk Road website and the related mobile app to gather information about security risks in Belt and Road countries to directly serve company personnel engaged in projects overseas’. The department said that in 2021 the app was used to disseminate 13,000 pieces of information, including more than 2,800 early warnings.

More broadly, the platform is illustrative as a digital tool to help Beijing protect its interests abroad. The External Security Affairs Department was established in 2004 in response to a perceived increase in kidnappings and terrorist attacks targeting Chinese nationals abroad, but its role in China’s security policy has expanded since then.

The department’s leading role in ‘protecting China’s interests abroad’ (中国海外利益保护) meets an objective increasingly found in official Chinese Communist Party documents and Chinese law. This objective appears in China’s National Security Strategy 2021–2025, the new Foreign Relations Law 2023, and new regulations on consular protection and assistance passed in 2023. The party’s ability and readiness to protect China’s interests abroad is considered one of the historic achievements of the party, according to a resolution it passed in 2021.

But the exact scope of China’s interests abroad is still a matter of debate in the public commentary among Chinese national security and foreign policy academics and analysts. Are China’s interests just the physical security of Chinese nationals and commercial or strategic assets in foreign countries? Or do they also include ‘intangible interests’ (无形利益), such as protecting China’s national image and reputation, and anything else that should be within China’s national interest as a major global power? How the Chinese government currently defines China’s interests abroad is probably somewhere in the middle, and may broaden.

China has a widely recognised deficiency: gaps in its overseas intelligence collection capabilities. Safe Silk Road is part of the toolbox that the External Security Affairs Department uses to extend the range and effectiveness of Beijing’s information-gathering and to better understand the situation on the ground everywhere that China has interests.

CrowdStrike glitch sounds a cybersecurity alarm we cannot ignore

The recent CrowdStrike outage was not just a technical hiccup; it was a seismic tremor that exposed the brittle foundations on which Australia’s digital economy stands. 

A faulty update to a security product, pushed to roughly 8.5 million Windows machines at once, and suddenly thousands of businesses worldwide found their systems down. It wasn’t a cyberattack, but it provided a glimpse into the chaos that could follow if a widespread cyber attack were launched against critical infrastructure.

As such, the CrowdStrike incident exposed several glaring weaknesses in our current approach and has underscored the need for a fundamental shift in our cybersecurity culture. To mitigate these risks, Australia must adopt a proactive and multi-faceted approach to cybersecurity, moving beyond reactive measures and embracing a culture of resilience. 

Many organisations still underestimate the gravity of cyber threats, viewing them as an IT problem rather than a strategic business risk. This complacency is a dangerous luxury we can no longer afford. Cybersecurity is not just about firewalls and antivirus software; it’s about building a resilient organisation that can withstand and recover from cyberattacks.

CrowdStrike, a cybersecurity behemoth, found itself red-faced as its Falcon platform, designed to safeguard clients from cyber threats, ironically became the source of the outage. The faulty update was not a malware signature that flagged legitimate files as malicious; it was a sensor content update (a ‘channel file’) containing malformed data that the Falcon driver, which runs in the Windows kernel, could not handle. Affected hosts crashed to a blue screen and many looped on reboot. Because the sensor loads early in the boot process, machines couldn’t recover on their own: administrators had to boot each one into safe mode or the recovery environment and delete the faulty file by hand, and on encrypted disks that first meant retrieving BitLocker recovery keys. Until that was done, the endpoints weren’t merely unprotected; they were unusable.

In Australia and around the world, airlines, financial services, supermarkets and ports were disrupted and in some cases forced temporarily to shut down.

This incident is far from an isolated event, and like the CrowdStrike outage, the precedents weren’t attacks either. In 2017, a power failure at a British Airways data centre grounded its flights from Heathrow and Gatwick over a holiday weekend, stranding tens of thousands of passengers. The 2021 Fastly outage, triggered when a customer’s valid configuration change hit a latent bug in the content delivery network, took down major websites, including Amazon, Reddit and The New York Times, for about an hour.

The CrowdStrike outage once again showed the vulnerability of our digital ecosystem. We are tethered to a complex web of interconnected systems, each with its potential points of failure.

Our digital economy, while a marvel of innovation and efficiency, is also a sprawling attack surface for malicious actors. The increasing sophistication of cyber threats, from ransomware attacks to state-sponsored espionage, demands a robust and multi-layered defence strategy.

The first clear problem is our over-reliance on a single vendor for critical security services. When that vendor stumbles, the impact can be disproportionate. The lack of redundancy and backup systems in many organisations leaves them vulnerable to operational paralysis in the event of a disruption.

We must dismantle this dangerous reliance on single vendors for critical services. Instead of putting all our eggs in one basket, we must diversify our cybersecurity providers to reduce the impact of any single vendor’s failure and also foster a more competitive and innovative market for security solutions. The caveat is that diversification only helps if the providers fail independently: two products that both push content updates straight to every endpoint on the same day share the same failure mode. Staged rollouts, in which an update reaches a small canary group and is observed before it reaches the rest of the fleet, are the more direct control, and they should apply to content updates as well as to sensor versions.

This could involve distributing critical functions across multiple providers, ensuring that a disruption in one doesn’t cripple the entire system.

We must invest heavily in redundancy and backup systems. Our critical infrastructure, from banking systems to power grids, should be designed with multiple layers of redundancy, ensuring that even if one component fails, the system can continue to operate seamlessly. Regular backups of data and critical applications are non-negotiable. This includes not just storing backups onsite but also maintaining secure off-site copies to protect against physical disasters or targeted attacks.

Second, the incident highlights the need for more comprehensive and agile incident response plans. Organisations need to be able to quickly identify and address disruptions, minimizing the impact on their operations and customers. 

They need comprehensive, well-documented plans that are regularly tested and refined. These plans should clearly delineate roles and responsibilities, establish robust communication channels, and detail escalation procedures for different types of incidents. The goal is to create a well-oiled machine that can spring into action at the first sign of trouble, minimizing downtime and mitigating damage.

Third, Australia needs to adopt a zero-trust approach to cybersecurity. This means assuming that every user and device, even those within the network perimeter, could be compromised, so no request is trusted on the strength of where it comes from. In practice, that means continuous verification of users and devices on every request (identity, device health, session freshness), micro-segmentation of networks so that a foothold on one host doesn’t become free lateral movement, and multi-factor authentication for access to sensitive data. Zero trust limits what an intruder can do once inside; it does nothing to stop a vendor’s faulty update from taking a fleet offline, so it complements the redundancy measures above rather than replacing them.
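To make ‘verify every request’ concrete, here is a small policy decision point written as an added example for this page; it is not code from the article or from any vendor. It evaluates constructed access requests against a default-deny segment allowlist (micro-segmentation), device posture and MFA freshness scaled to the sensitivity of the destination. The segment names, ports, thresholds and sample requests are all assumptions.

```python
"""Minimal zero-trust policy decision point (added example, not from the article).

Each request is judged on its own merits: verified identity, device posture,
source and destination segment, and how recently MFA was completed. Nothing is
trusted for being 'inside the perimeter'. All policy and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Micro-segmentation allowlist: (source segment, destination segment) -> permitted ports.
# Any flow not listed is denied, which is what limits lateral movement.
# Constructed sample policy; the segment names are assumptions.
SEGMENT_POLICY: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("workstations", "web-tier"): frozenset({443}),
    ("web-tier", "app-tier"): frozenset({8443}),
    ("app-tier", "db-tier"): frozenset({5432}),
    ("admin-jump", "db-tier"): frozenset({5432, 22}),
}

# Sensitivity of each destination segment; higher values demand fresher MFA.
SEGMENT_SENSITIVITY: Dict[str, int] = {"web-tier": 1, "app-tier": 2, "db-tier": 3}


@dataclass(frozen=True)
class Request:
    user: str
    mfa_age_s: int          # seconds since the last successful MFA; -1 means never
    device_managed: bool    # enrolled in device management / running the endpoint agent
    device_healthy: bool    # latest posture check passed (disk encrypted, agent up, patched)
    src_segment: str
    dst_segment: str
    dst_port: int


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)  # every failed check, for audit logs


def evaluate(req: Request, max_mfa_age_s: int = 8 * 3600) -> Decision:
    """Return a deny-by-default decision; the request passes only if no check fails."""
    reasons: List[str] = []

    # 1. Segment-to-segment allowlist: is this flow permitted at all?
    allowed_ports = SEGMENT_POLICY.get((req.src_segment, req.dst_segment), frozenset())
    if req.dst_port not in allowed_ports:
        reasons.append(
            f"flow {req.src_segment}->{req.dst_segment}:{req.dst_port} not in segment policy"
        )

    # 2. Device posture: unmanaged or unhealthy devices get nothing, wherever they sit.
    if not req.device_managed:
        reasons.append("device not managed")
    elif not req.device_healthy:
        reasons.append("device failed posture check")

    # 3. MFA freshness scaled to destination sensitivity: the more sensitive the
    #    target, the more recent the second factor must be. Unknown segments are
    #    treated as most sensitive.
    sensitivity = SEGMENT_SENSITIVITY.get(req.dst_segment, 3)
    required_age = max_mfa_age_s // sensitivity
    if req.mfa_age_s < 0:
        reasons.append("no MFA on session")
    elif req.mfa_age_s > required_age:
        reasons.append(f"MFA older than {required_age}s required for {req.dst_segment}")

    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample requests, each exercising one control.
SAMPLE_REQUESTS: List[Request] = [
    # Ordinary user on a healthy managed laptop with fresh MFA, permitted flow: allowed.
    Request("alice", 600, True, True, "workstations", "web-tier", 443),
    # Same user going straight for the database: a lateral move the segment policy blocks.
    Request("alice", 600, True, True, "workstations", "db-tier", 5432),
    # Admin on the jump host, permitted flow, but MFA is five hours old: too stale for db-tier.
    Request("bob", 5 * 3600, True, True, "admin-jump", "db-tier", 5432),
    # Admin with fresh MFA whose device failed posture: denied despite being 'inside'.
    Request("bob", 120, True, False, "admin-jump", "db-tier", 22),
]


def run_samples() -> List[Tuple[str, bool, List[str]]]:
    """Evaluate every sample request and return (user, allowed, reasons) per request."""
    results = []
    for req in SAMPLE_REQUESTS:
        decision = evaluate(req)
        results.append((req.user, decision.allow, decision.reasons))
    return results


if __name__ == "__main__":
    for user, allowed, reasons in run_samples():
        print(f"{user}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The point of returning every failed check rather than stopping at the first is auditability: the denial log tells the operator which control fired, which is what you need to tune thresholds without silently weakening them. Real deployments would source posture from the endpoint agent and MFA age from the identity provider instead of the request struct used here.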

Finally, we must foster a culture of cyber awareness that permeates all levels of society, from the boardroom to the classroom. This means educating not just IT professionals but also business leaders, policymakers, and the general public about the evolving cyber threat landscape. Regular training and awareness programs should be mandatory for all employees, emphasizing the importance of vigilance, secure practices, and prompt reporting of suspicious activity.

By embracing these measures, Australia can transform its digital economy from a house of cards into a fortress. We can create a system that is not just resilient to cyberattacks and technical glitches but also adaptable to the ever-evolving threat landscape. This is not just about protecting our economic interests; it’s about safeguarding our way of life in the digital age. 

The CrowdStrike outage is a wake-up call—a reminder that our digital economy is not invincible.  The question is not whether another incident will occur, but when. 

The time for complacency is over. We need to act now to safeguard our digital future.  The stakes are too high to ignore.

Australia needs to talk more openly about offensive cyber operations

Australia’s 2023 cybersecurity strategy makes clear that most of the things we need to do to protect ourselves in cyberspace are essentially defensive. The strategy is usefully organised according to six ‘shields’.

But sometimes we also need a sword. Offensive cyber is the pointy end of cybersecurity. It can be understood expansively as encompassing all the threats that defensive cyber is, in the strategy’s terms, trying to ‘block’. ASPI’s cyber, technology and security program defines offensive cyber as operations that ‘manipulate, deny, disrupt, degrade or destroy targeted computers, information systems or networks’. Offensive cyber is usually—but contestably—distinguished from operations whose main goal is to collect intelligence.

Offensive cyber is fraught with risk. The long list of potential unintended consequences includes spillovers, blowback and escalation. One of the earliest and most successful offensive cyber operations was the US–Israeli attack on Iran’s nuclear program. The Stuxnet worm destroyed around a thousand Iranian centrifuges but spread well beyond its target, infecting an estimated 100,000 computers around the world before it was discovered. The attack also accelerated the development, and destructive use, of Iran’s offensive cyber capabilities.

Liberal democracies are much more interested than states like Iran in preventing cyberspace from becoming a battlespace and, more broadly, in maintaining the integrity of the global information environment. The decisions they make about when and how to engage in offensive cyber operations involve fundamental questions about international order and the future of the digital information revolution. They demand extremely complex assessments of cause and effect.

Leading Western cyber powers are developing more sophisticated doctrines and concepts to guide these decisions. After Stuxnet, President Barack Obama’s administration put the United States Cyber Command on a tight leash. That was reversed by Donald Trump, who promulgated a defend-forward doctrine. Joe Biden’s administration has embraced that approach: USCYBERCOM’s more assertive posture probably blunted the Russian cyber offensive that accompanied the invasion of Ukraine. The UK is developing its own concept of responsible cyber operations accompanied by a doctrine of cognitive effects.

This work is unfinished. The issues are complex and consequential. Compelling arguments have been made that there’s no meaningful distinction between offensive and defensive cyber operations or even between information and cyber operations. Importantly, much of this discussion and debate is taking place in public.

Offensive cyber operations are usually undertaken covertly. But that’s precisely why democratic governments need to be clear with their citizens about how decisions to undertake them are made. Debating these matters publicly also allows for better consideration of the big issues involved, especially because a wider range of experts can be engaged.

Australia shouldn’t be a bystander to these debates. The Australian Signals Directorate’s REDSPICE project, announced by the previous government, includes a tripling of Australia’s offensive cyber capability. The new cybersecurity strategy promises to ‘build world-class innovative offensive cyber capabilities that can deliver real world impact to deter, disrupt, degrade and deny cybercrime’. The strategy commits an additional $587 million from 2023 to 2030 for cybersecurity. That’s in addition to the $10 billion that REDSPICE will add to ASD’s budget over 10 years.

So, what is Australia’s concept of offensive cyber? Despite promising to make Australia a ‘world leader’ in cybersecurity, the strategy sheds little light. It commits to ‘transparency about the rights and obligations that govern’ the use of offensive cyber capabilities but doesn’t say much more than that Australia will comply with existing laws and help develop new ones. The best sources are the speeches of ASD’s directors-general. Since Prime Minister Malcolm Turnbull first revealed Australia’s offensive cyber capability in 2016, these speeches have incrementally disclosed more about what ASD does and why.

Australia frequently reiterates that its use of offensive cyber complies with international and domestic law. Notably, ASD’s current director-general, Rachel Noble, has emphasised that Australia defines offensive cyber operations conducted by other countries against Australia as criminal activity to which Australia may respond in kind. But international norms are unclear, are contested and lag rapid technological change. Saying that Australia complies with them therefore doesn’t reveal much about when and how it uses offensive cyber capabilities.

Following the release of ASD’s November 2023 threat report, Defence Minister Richard Marles was asked whether Australia was ‘striking back’ at cyber attackers. He responded only that, ‘We have a full range of capabilities in the Australian Signals Directorate and we’re making sure that we are as capable as we can be.’ He could have provided a much more useful and informative answer if Australia had, as the US and UK have done, developed a public offensive cyber doctrine. Australians should be told more.

The government’s public discussion of its approach to offensive cyber still falls well short of those of its Five Eyes partners. The charge that Australia has put ‘capability before concept’ in its decision to acquire nuclear-powered submarines can be more accurately applied to its approach to offensive cyber. But fixing this doesn’t require Australia to reinvent the wheel. It can and should build on intellectual work already undertaken by its Five Eyes partners.

Australia will be compelled by an increasingly complex and contested world to compete more in the grey zone. Decision-makers will face tough choices. A stronger and more public offensive cyber doctrine would keep them tethered to Australia’s values and interests as they make those decisions.

Shields beyond the horizon: landing Australia’s 2023 cybersecurity strategy

Australia’s new cybersecurity strategy is all but released. Home Affairs Minister Clare O’Neil and National Cyber Security Coordinator Darren Goldie have familiarised the government and industry with the strategy’s six ‘cyber shields’ and timeline of two-year ‘horizons’ out to 2030.

The six shields remix the 2009 strategy’s seven ‘strategic priorities’, the 2016 strategy’s five ‘themes’ and 2020’s 16 ‘key themes’. That’s not a bad thing. Over these four iterations, Australia has avoided pigeonholing cybersecurity as only a national security issue and correctly characterised it as a whole-of-nation problem that needs multistakeholder solutions.

Strategies are hard to write, but they’re even harder to land. Cyber is a contested space—every person and their dog have opinions about what should and shouldn’t be included. The process of developing a coherent and actionable strategy thus becomes one of cruel prioritisation—not only excluding things from the strategy’s scope, but making hard, clear decisions on where the government’s responsibility starts and ends. This makes O’Neil’s push to have the new strategy ready for release less than a year after its announcement all the more impressive.

Once the strategy is released, the real work begins. A good strategy has actions and an implementation plan. The next step is real-world scoping, resourcing and scheduling of those actions. It’s one thing to say that agency X will deliver action Y by year Z. It’s another to put people to work and make it happen. The new strategy needs to make a soft landing and keep momentum across the vagaries of agency restructures and future governments.

To steer and propel the strategy after its release, O’Neil and Goldie should focus on three communication themes: merge, maintain and modify.

First, communications around the strategy should merge cyber’s national security importance with a compelling vision that speaks to the average Australian. Cybersecurity is a whole-of-nation effort. The strategy should seek to recruit all Australians into this conversation.

Any national cybersecurity strategy must have defence and national security at its core. But outside the Canberra bubble, these ideas tend to be unfamiliar and irrelevant. In a recent survey of Australians by market research firm Ipsos, defence ranked 17th among the 19 top issues, falling from its average of 14th place over the past 12 years. Surveys by universities and a polling company support that finding.

This isn’t about the government seeking the community’s social licence to manage aspects of cybersecurity. It’s about our ability to improve cybersecurity depending in large part on the community’s informed participation. Everyone has a phone in their pocket, everyone has data, everyone has a role to play in cybersecurity. Communications around the strategy should avoid selling cyber as only a national security issue and instead illustrate a concept that’s more familiar and positive.

The concept of public health gives Australians a recognisable and compelling vision for cybersecurity. The public health metaphor has hovered for years around the edges of cybersecurity discourse. It’s time to centre it. Like health, cyber is a problem we can’t entirely solve, only manage. And like with health, there’s a whole-of-nation system paired with personal accountability. Communicating Australia’s cybersecurity strategy through a public health lens will help explain roles, responsibilities and structures.

Second, O’Neil and Goldie should focus on how they will maintain the strategy through shifting governments, agencies and budgets. Cybersecurity strategy in Australia has been plagued by short‑term thinking, fluctuating policy, on-and-off official positions and reactionary regulatory regimes. The 2023 strategy’s three horizons over seven years are a welcome early peek at a structured, long‑term view.

Undoubtedly, the strategy will be supported by the ongoing funding of $9.9 billion over 10 years for the Australian Signals Directorate’s REDSPICE program announced in 2022. That alone gives some certainty. But public assessment and communication of how well the government is using this funding will further boost its effectiveness. In other words, regular evaluation will help the government maintain the new strategy.

Evaluation builds transparency, keeps the conversation alive and adds to the evidence base that supports better cyber policy and strategy. The 2016 strategy had one public evaluation with its first (and only) annual update. The 2020 strategy did better, with its industry advisory committee releasing annual reports in 2021 and 2022 that evaluated progress on the 19 actions. These were excellent products. They delivered much-needed specifics—such as metrics and accountabilities for actions—and held the government to account.

The 2023 strategy should reproduce a similar arrangement for annual reviews and add major strategy updates in 2026 and 2029 at the dawns of horizons two and three. However, evaluation should cover more than how well the government is implementing the strategy’s actions. It should also be clear about how well those actions improve our cybersecurity. While that may be technically difficult and politically fraught, it is essential to understanding whether the new strategy has put us on the right path.

This brings us to the third communication theme. O’Neil and Goldie should state publicly that they will modify the strategy when necessary. The 2023 strategy should be able to maintain a steady strategic focus and be able to react to changes in the technology and security environments.

Seven years is a long time in cyber. Accelerating technologies such as artificial intelligence, ambient computing and brain–computer interfaces will radically shift the meaning of cybersecurity over the strategy’s three horizons. Like the concept of public health, cybersecurity is a broad, complex concept in constant flux. The strategy should look to include new concepts and actions that help us get better outcomes, while keeping cruel prioritisation front of mind. Scope creep is the enemy. The government cannot and should not be at the centre of every cybersecurity issue.

In many ways, the 2023 strategy finds itself with the easiest job of the four national cyber strategies Australia has developed over the past 14 years. Yes, cyber threats are more dangerous, technology more pervasive, personal data more vulnerable and the strategic environment more turbulent. But over those 14 years, cybersecurity has become a mainstream political issue. Our cyber policies and organisational architecture have matured. And REDSPICE funding will fuel ongoing cyber capability growth. Careful narrative building and implementation vigilance will help ensure we don’t miss the opportunity this presents.

Walking the artificial intelligence and national security tightrope

Artificial intelligence (AI) presents Australia’s security with as many challenges as opportunities. While it could be used to create mass-produced malware, lethal autonomous weapons systems or engineered pathogens, AI solutions could also prove the counter to these threats. Regulating AI to maximise Australia’s national security capabilities and minimise the risks presented to them will require focus, caution and intent.

One of Australia’s first major public forays into AI regulation is the Department of Industry, Science and Resources (DISR)’s recently released discussion paper on responsibly supporting AI. The paper notes AI’s numerous positive use cases if it’s adopted responsibly—including improvements in the medical imagery, engineering, and services sectors—but also recognises its enormous risks, such as the spread of disinformation and harms of AI-enabled cyberbullying.

While national security is beyond the scope of DISR’s paper, any general regulation of AI would affect its use in national security contexts. National security is a battleground comprised of multiple political, economic, social and strategic fronts and any whole-of-government approach to regulating AI must recognise this.

Specific opportunities for AI in national security include enhanced electronic warfare, cyber offence and defence, as well as improvements in defence logistics. One risk is that Australia’s adversaries will possess these same capabilities, and another is that AI could be misused or perform unreliably in life-or-death national security situations. Inaccurate AI-generated intelligence, for instance, could undermine Australia’s ability to deliver effective and timely interventions, with few systems of accountability currently in place for when AI contributes to mistakes.

Australia’s adversaries will not let us take our time pontificating, however. Indeed, ASPI’s Critical Technologies Tracker has identified China’s primacy in several key AI technologies, including machine learning and data analytics—the bedrock of modern and emerging AI systems. Ensuring that AI technologies are auditable, for instance, may come at a strategic disadvantage. Many so-called ‘glass box’ models, though capable of tracing the sequence of decisions they make, are often less efficient than ‘black box’ options with inscrutable inner workings. The race for AI supremacy will continue apace regardless of how Australia regulates it, and those actors less burdened by ethical considerations could gain a lead over their competitors.

Equally, though, fears of China’s technological superiority should not lead to cutting corners and blind acceleration. That would sharply increase the likelihood of AI-induced disasters over time. It could also trigger an AI arms race, adding to global strategic tension.

Regulation should therefore adequately safeguard AI whilst not hampering our ability to employ it for our national security.

This will be tough and may overlap or contradict other regulatory efforts around the world. While their behaviour often raises eyebrows, big American tech companies’ hold over most major advances in AI is at the core of strategic relationships such as AUKUS. If governments ‘trust bust’, fragment or restrict these companies, they must also account for how a more diffuse market could contend with China’s ‘command economy’.

As with many complex national security challenges, walking this tightrope will take a concerted effort from government, industry, academia, civil society and the broader public. AI technologies can be managed, implemented and used safely, efficiently and securely if regulators find a balance that is neither sluggish adoption nor rash acceleration. If they pull it off, it would be the circus act of the century.

Policy, Guns and Money: Cyber conflict, competition and cooperation

In this episode, ASPI’s executive director, Justin Bassi, speaks with Jason Healey, a senior research scholar at Columbia University’s School of International and Public Affairs specialising in cyber conflict, competition and cooperation.

Jason wrote and edited the book A fierce domain: cyber conflict, 1986–2012 and has held a number of senior cybersecurity roles, including in the Pentagon as a founding member of Joint Task Force—Computer Network Defense, and as director for cyber infrastructure protection in the White House from 2003 to 2005.

Bassi and Healey discuss the importance of understanding the implications of cyberspace on security and society and explain why cyber needs to be at the heart of national security.

Quad’s ransomware commitment could help shore up regional software supply chains 

The Indo-Pacific’s importance to the security of Australia and regional allies continues to dominate public discourse. Last month, the Quad foreign ministers from Australia, India, Japan and the United States released a joint statement on ransomware, recognising that vulnerabilities in cyberspace are compromising the security of critical national infrastructure and economic continuity in the region.

The statement is an important acknowledgement that ransomware is a transnational threat that can’t be mitigated purely through domestic policy. The rise of ransomware attacks on software supply chains demonstrates this much. The multistakeholder approach that the Quad statement highlights is key to addressing the vulnerabilities that enable this type of ransomware attack.

Ransomware is a highly profitable and disruptive cyberattack technique that serves criminal and state actors alike. Companies in the information and communication technology sector are at particular risk because they are critical infrastructure providers that also hold rich data troves that can be exploited as leverage or sold for profit on the dark web.

Since the Covid-19 pandemic, ransomware attacks have increased dramatically worldwide. The latest annual report on the state of ransomware, by cybersecurity firm Sophos, indicated a 78% rise in attacks globally between 2020 and 2021. Nearly two-thirds of the organisations surveyed reported having been affected.

Australia is the most targeted ransomware victim in the Indo-Pacific region, and the third most cyberattacked nation globally. The likelihood of an attack is high and, as recently as September, Australian telecoms provider Optus was successfully targeted in the largest ever national data breach. Outside of critical-infrastructure providers, ransomware targets are typically large organisations that have the capacity to pay high ransom demands due to their extensive operations. Australian-owned multinationals providing ICT products and services to domestic and regional clients that require regular software updates and installations fall into this category and have a high chance of being hit by supply-chain attacks.

A software supply-chain attack exploits the trust relationship between the vendor and client. In a common scenario, attackers exploit a vulnerability in the vendor’s environment to insert malicious code into its source code or build pipeline. Software updates carrying that code are then unwittingly installed by users, infecting their networks. This is also known as a downstream attack.

Effective cybersecurity programs require assessment of third-party vulnerabilities; however, they can’t always identify or mitigate source code compromises in software because they’re hard to detect and can evade firewalls when disguised within trusted code. Detection and prevention of this type of attack are best managed at the source by the software vendor itself.
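The client-side check that the two paragraphs above imply, as an added example that is not Kaseya’s or any vendor’s code: before installing a release, the client verifies every file against a manifest of hashes, and verifies the manifest itself against a digest obtained through a second channel. That pinned digest stands in for a vendor release signature, which a real deployment would use instead; the file names, contents and the `agent/` layout are constructed for illustration. Such a check catches an artefact altered after the vendor’s release process, which is the case a firewall cannot see, but it does not catch malicious code that the vendor’s own pipeline signed, which is why the text says prevention belongs with the vendor.

```python
"""Verify a software update against a manifest pinned out of band."""
import hashlib
import hmac
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Vendor side: canonical JSON manifest {path: sha256} and its digest.

    The digest is what the vendor publishes through a second channel; here it
    stands in for a release signature (constructed example, not a real API).
    """
    manifest = {path: sha256_hex(content) for path, content in files.items()}
    encoded = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return encoded, sha256_hex(encoded)


def verify_update(files, manifest_bytes, pinned_digest):
    """Client side: (ok, reasons). Install only when ok is True.

    Checks, in order: the manifest is the one the vendor pinned, every listed
    file matches its hash, nothing is missing, and nothing extra was added.
    """
    if not hmac.compare_digest(sha256_hex(manifest_bytes), pinned_digest):
        return False, ["manifest digest does not match pinned value"]
    manifest = json.loads(manifest_bytes)
    reasons = []
    for path in sorted(set(manifest) | set(files)):
        if path not in manifest:
            reasons.append(f"unexpected file not in manifest: {path}")
        elif path not in files:
            reasons.append(f"file listed in manifest is missing: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), manifest[path]):
            reasons.append(f"hash mismatch: {path}")
    return not reasons, reasons


# Constructed release: file names and contents are illustrative only.
GOOD_RELEASE = {
    "agent/bin/agent.exe": b"MZ\x90\x00 clean agent build 9.5.0",
    "agent/lib/updater.dll": b"MZ\x90\x00 clean updater module",
}
GOOD_MANIFEST, PINNED_DIGEST = build_manifest(GOOD_RELEASE)

# Constructed tampering after the build: one module altered, one file injected.
TAMPERED_RELEASE = dict(GOOD_RELEASE)
TAMPERED_RELEASE["agent/lib/updater.dll"] = b"MZ\x90\x00 updater + dropper"
TAMPERED_RELEASE["agent/lib/loader.dll"] = b"MZ\x90\x00 injected loader"


def run_demo():
    """Return the three outcomes a client would see for the constructed releases."""
    clean = verify_update(GOOD_RELEASE, GOOD_MANIFEST, PINNED_DIGEST)
    tampered = verify_update(TAMPERED_RELEASE, GOOD_MANIFEST, PINNED_DIGEST)
    # An attacker who can also rewrite the manifest still lacks the pinned digest.
    forged_manifest, _ = build_manifest(TAMPERED_RELEASE)
    forged = verify_update(TAMPERED_RELEASE, forged_manifest, PINNED_DIGEST)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, (ok, reasons) in run_demo().items():
        print(f"{name}: {'INSTALL' if ok else 'REJECT'} {reasons}")
```

The clean release installs; the tampered one is rejected for both the altered module and the injected file; and a manifest regenerated by the attacker fails at the first check because its digest is not the one pinned. `hmac.compare_digest` is used for the comparisons so that the verifier does not leak how many leading characters of a hash matched.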

This is where the multistakeholder approach emphasised by Quad ministers comes into play. Cyber policy that aims to secure critical national infrastructure needs to recognise that third-party vulnerabilities—or links in the supply chain—are often the points most prone to compromise. Governments need to work collaboratively to identify the links between critical-infrastructure providers in their jurisdictions and organisations in the region. From there, domestic policy in each nation needs to reinforce the efforts of regional counterparts to ensure that baseline security standards, vulnerability reporting mechanisms and ransomware mitigation and response practices are comparable, if not interoperable.

The Kaseya ransomware attack in 2021 is an example of how the effects of supply-chain attacks can go beyond the intended victim. Kaseya was targeted by a Russia-based ransomware group called REvil that leveraged a vulnerability in the company’s software. Kaseya provides ‘virtual system administrator’, or VSA, software products—remote monitoring and management products that use cloud technology to handle a range of activities for businesses. The VSA software that was compromised had a high degree of trusted access to client systems. When the software was automatically updated, the ransomware infected clients in 17 countries. Customers included small businesses such as supermarkets, as well as schools and pharmacies. REvil then demanded a ransom payment from Kaseya. While Kaseya was a US company operating under California law, the ransomware attack had downstream supply-chain consequences globally.

A ransomware attack on an Australian business with downstream supply-chain relationships like Kaseya’s would have significant ramifications for regional stability and Australia’s broader national security interests, particularly if the business were held to ransom for an extended period.

State actors could easily leverage this technique for disruptive or coercive purposes, particularly since sophisticated attacks can include malicious code that is programmed to stop operating when it lands on a system with specific language settings. This enables more refined and accurate targeting by adversaries and mitigates the risk of cyber fratricide.

Economic productivity and supply chains will be disrupted in the region if businesses are repeatedly taken offline. Such attacks could also damage Australian providers’ reputation for reliability and security, resulting in regional business seeking similar services from other major providers in the region. Australia’s economy would suffer, and adversaries could be given more control of digital trade. The reputational damage could also extend to diplomatic partnerships.

While these concerns have been framed in an Australian context, other Quad members are vulnerable to the same scenarios. The implications of a supply-chain attack are therefore significant for both Australia and regional partners. The importance of the Quad’s ransomware statement shouldn’t be lost. Public pressure should be placed on governments to keep them accountable to the Quad’s call for states to uphold the shared responsibility of assisting each other when faced with malicious cyber activity, particularly when ransomware threatens critical national infrastructure.

As a starting point, the Australian parliament should review the proposed amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2021 in this context and take it as an opportunity to demonstrate Australia’s commitment to combating regional cybersecurity risks to critical national infrastructure. There is also an opportunity to apply the lessons learned from the recent Optus and Medibank extortion attacks.

It’s time for Canberra to step up its leadership in this area and help spearhead the formulation of robust, consistent and enduring ransomware mitigation and response policies and practices that can be developed and emulated by regional partners. Only through collaboration can the threat of instability that ransomware poses be managed.

Former US Cyber Command and NSA chief makes the case for a cyber competition strategy

Cyber threats to national security and prosperity are today better understood, better prioritised and far better resourced than in decades past. Cyber as a domain, as a threat and as a key opportunity is now a firmly established and essential element of military strategy and capability.

Yet today, state, non-state and individual cyber actors have greater capability, capacity and willingness to use cyber tools aggressively for malicious purposes, and their tolerance for risk has grown.

In the view of former US National Security Agency and US Cyber Command boss Mike Rogers, despite the positives, the overall picture of the cyber domain is one of increased threat and complexity.

Most countries, even if they leverage all the power and capability of their military and defence cyber sectors, can’t effectively respond to this complex threat environment alone. Many nations, Western and non-Western, democratic and non-democratic alike, now understand that their national capabilities and their private sectors are engaged in a competition that is fundamentally unfair.

For decades, countries with market-based economies, such as the United States, have sought to create national frameworks that enable their research and development ecosystems and free-market private sectors to pursue global competitive advantage, largely by keeping government out of their way.

The assumption that market-based economies by their nature could continue to enable the private sector to out-compete and out-innovate their rivals has been disproven. Rogers notes that the approach of an enabled and unencumbered free market served the US well for a time after the end of the Cold War; it led to the invention and dominance by the US and other Western nations of key capability areas like stealth technology, the internet and wireless connectivity.

But between the fourth and fifth generation of these technologies, the playing field has definitively tilted in favour of actors that exploit highly controlled, centralised and coordinated strategies leveraging all the resources and capability in their private and public sectors, including intelligence and espionage capabilities.

China—now openly described as a peer competitor and strategic rival to most Western countries—has assessed that cyber and a range of critical and emerging technologies are game-changers with both domestic and international implications. Cyber is considered by China (and the US and others) as being among a range of technologies that can offer decisive strategic advantages for future prosperity and security.

The Chinese state has poured, and continues to pour, billions of dollars into building its cyber capabilities. Its strategy includes blatant theft of advanced Western intellectual property and excessive requirements for technology transfer from the West as a precondition for access to the lucrative Chinese market, and to the billions of dollars of Chinese state investment.

No company, R&D outfit, or sector of companies operating under free-market principles and on the assumption of a level playing field can compete with China’s strategy. Competing under these circumstances requires a team approach bringing together government and the private sector, and working with partners and allies across national boundaries.

In no way should a team strategy between like-minded players emulate what China has done. Competing effectively doesn’t necessitate cyber-enabled IP theft, the employment of state espionage capabilities to unfairly benefit Chinese state-owned and ‘private’ companies, or forced technology transfer. But it does require policy settings that protect innovation and cutting-edge technology developed and commercialised in the US and other centres of technological excellence and dynamism (including and especially in the Indo-Pacific).

It also requires export-control and inward-investment regimes that differentiate between international actors with which technological cooperation is a strategic imperative and those that present significant strategic risks.

It certainly involves a clear articulation that competition—fair competition with clear rules for acceptable and unacceptable behaviour—is the strategy. And it involves action to create a policy environment that enables competition in a way that protects and extends existing rules and norms and that safeguards IP and key sources of innovation.

It also requires forums and mechanisms that bring together the perspectives, incentives and imperatives that drive the activities of governments, the technology sector and civil society. These communities don’t yet talk to one another effectively, don’t harness their collective power for shared benefit, and don’t align on common interests in a way that produces superior outcomes for them all.

The need to get to that is urgent. The Sydney Dialogue, an ASPI initiative, brings government, private-sector and civil-society leaders together at the highest levels and provides a platform for enhanced cooperation between international actors. It offers a constructive space for the urgent conversation needed to enable stronger, fairer, more integrated competitive strategies between countries that share a commitment to the rule of law and a vision for the use of existing and future technologies in the global good.

Rogers discussed the need for better, more integrated strategies to compete with China in key technology areas. He delved into the implications of the use of cyber capabilities in the Russian invasion of and ongoing war against Ukraine, and described it as a ‘watershed’ moment. The growing reality of, and increasing calls for, decoupling of cyber and other technologies from China, Russia and other actors is also explored.

Importantly, Rogers talked about the enormous potential of the technology priorities and objectives of the AUKUS partnership. Australia, the UK and the US have a real opportunity to demonstrate and enhance their ability to achieve effective integration between government, industry and civil society, and to work across national borders through a joined up, multi-sectoral technology strategy for national security.

To meet the objectives of partnerships like AUKUS, there’s a need to move beyond cooperation to integration, including between parts of our systems that have operated independently for good reasons in the past. We must preserve the best and most productive characteristics of our free and open systems. But government, the private sector and civil society must also be brought into closer alignment for the benefit of all. It is past time to move beyond understanding the problem and start organising more effectively for the geostrategic technology competition that we know we’re now in.

The policy challenges posed by critical, emerging, cyber and space technology require a new approach. That starts with answering a key question Rogers asks: ‘What is our vision of the key technologies, the most critical sectors that are really going to drive economic advantage … and [that] if placed at risk would cause us harm, [and] what are the policies we need to create advantage for ourselves?’

A new cybersecurity strategy based on what is required to become and remain competitive, secure and resilient should focus on this central question.

Artificial intelligence isn’t that intelligent

Late last month, Australia’s leading scientists, researchers and businesspeople came together for the inaugural Australian Defence Science, Technology and Research Summit (ADSTAR), hosted by the Defence Department’s Science and Technology Group. In a demonstration of Australia’s commitment to partnerships that would make our non-allied adversaries flinch, Chief Defence Scientist Tanya Monro was joined by representatives from each of the Five Eyes partners, as well as Japan, Singapore and South Korea. Two streams focusing on artificial intelligence were dedicated to research and applications in the defence context.

‘At the end of the day, isn’t hacking an AI a bit like social engineering?’

A friend who works in cybersecurity asked me this. In the world of information security, social engineering is the game of manipulating people into divulging information that can be used in a cyberattack or scam. Cyber experts may therefore be excused for assuming that AI might display some human-like level of intelligence that makes it difficult to hack.

Unfortunately, it’s not. It’s actually very easy.

The man who coined the term ‘artificial intelligence’ in the 1950s, computer scientist John McCarthy, also said that once we know how it works, it isn’t called AI anymore. This explains why AI means different things to different people. It also explains why trust in and assurance of AI is so challenging.

AI is not some all-powerful capability that, despite how much it can mimic humans, also thinks like humans. Most implementations, specifically machine-learning models, are just very complicated implementations of the statistical methods we’re familiar with from high school. It doesn’t make them smart, merely complex and opaque. This leads to problems in AI safety and security.

Bias in AI has long been known to cause problems. For example, AI-driven recruitment systems in tech companies have been shown to filter out applications from women, and re-offence prediction systems in US prisons exhibit consistent biases against black inmates. Fortunately, bias and fairness concerns in AI are now well known and actively investigated by researchers, practitioners and policymakers.

AI security is different, however. While AI safety deals with the impact of the decisions an AI might make, AI security looks at the inherent characteristics of a model and whether it could be exploited. AI systems are vulnerable to attackers and adversaries just as cyber systems are.

A known challenge is adversarial machine learning, where ‘adversarial perturbations’ added to an image cause a model to predictably misclassify it.

When researchers added adversarial noise imperceptible to humans to an image of a panda, the model predicted it was a gibbon.

In another study, a 3D-printed turtle had adversarial perturbations embedded in its surface so that an object-detection model believed it to be a rifle. This was true even when the object was rotated.
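A worked illustration of the perturbation the three paragraphs above describe, added here and not the researchers’ panda/gibbon model: a four-pixel ‘image’ and a logistic-regression classifier whose weights are constructed rather than learned. For a linear model the gradient of the logit with respect to the input is the weight vector itself, so the fast-gradient-sign step needs no backpropagation; against a deep network the same step uses the gradient the training framework computes, but the shape of the attack is identical. The label names and the `PANDA` pixel values are assumptions for the demonstration.

```python
"""Gradient-sign perturbation against a toy linear image classifier."""
import math

# Constructed weights for a four-pixel logistic-regression "image" classifier;
# illustrative only, not learned from data.
WEIGHTS = [0.8, -0.6, 0.5, -0.7]
BIAS = 0.05
POSITIVE, NEGATIVE = "panda", "gibbon"   # logit >= 0 -> panda, else gibbon


def logit(x):
    return BIAS + sum(w * xi for w, xi in zip(WEIGHTS, x))


def prob_panda(x):
    return 1.0 / (1.0 + math.exp(-logit(x)))


def classify(x):
    return POSITIVE if logit(x) >= 0 else NEGATIVE


def _sign(v):
    return (v > 0) - (v < 0)


def fgsm(x, eps, target):
    """Move every pixel by at most eps in the direction that favours target.

    d logit / d x_i = WEIGHTS[i] for a linear model, so the sign of the
    gradient is sign(WEIGHTS). Pixels are clipped to the valid [0, 1] range.
    """
    step = eps if target == POSITIVE else -eps
    return [min(1.0, max(0.0, xi + step * _sign(w))) for xi, w in zip(x, WEIGHTS)]


def linf_distance(a, b):
    """Largest per-pixel change: the 'imperceptibility' budget of the attack."""
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def minimal_eps(x, target, step=0.01, max_eps=0.5):
    """Smallest eps on a step grid for which classify() returns target, or None."""
    for k in range(1, int(max_eps / step) + 1):
        eps = round(k * step, 10)
        if classify(fgsm(x, eps, target)) == target:
            return eps
    return None


# Constructed "panda" image: four pixel intensities in [0, 1].
PANDA = [0.6, 0.4, 0.5, 0.3]


if __name__ == "__main__":
    adv = fgsm(PANDA, 0.15, NEGATIVE)
    print("original :", classify(PANDA), round(prob_panda(PANDA), 3))
    print("perturbed:", classify(adv), round(prob_panda(adv), 3),
          "max pixel change", round(linf_distance(PANDA, adv), 3))
    print("smallest flipping eps:", minimal_eps(PANDA, NEGATIVE))
```

With these weights the constructed image is classified ‘panda’, a per-pixel change of 0.15 on a 0-to-1 scale flips it to ‘gibbon’, and the smallest budget on a 0.01 grid that flips it is 0.13. The point is that the gradient picks the direction in which a fixed per-pixel budget moves the score fastest, which is why a change too small to notice can still cross the decision boundary.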

I can’t help but notice disturbing similarities between the rapid adoption of and misplaced trust in the internet in the latter half of the last century and the unfettered adoption of AI now.

It was a sobering moment when, in 2018, the then US director of national intelligence, Daniel Coats, called out cyber as the greatest strategic threat to the US.

Many nations are publishing AI strategies (including Australia, the US and the UK) that address these concerns, and there’s still time to apply the lessons learned from cyber to AI. These include investment in AI safety and security at the same pace as investment in AI adoption is made; commercial solutions for AI security, assurance and audit; legislation for AI safety and security requirements, as is done for cyber; and greater understanding of AI and its limitations, as well as the technologies, like machine learning, that underpin it.

Cybersecurity incidents have also driven home the necessity for the public and private sectors to work together not just to define standards, but to reach them together. This is essential both domestically and internationally.

Autonomous drone swarms, undetectable insect-sized robots and targeted surveillance based on facial recognition are all technologies that exist. While Australia and our allies adhere to ethical standards for AI use, our adversaries may not.

Speaking on resilience at ADSTAR, Chief Scientist Cathy Foley discussed how pre-empting and planning for setbacks is far more strategic than simply ensuring you can get back up after one. That couldn’t be more true when it comes to AI, especially given Defence’s unique risk profile and the current geostrategic environment.

I read recently that Ukraine is using AI-enabled drones to target and strike Russians. Notwithstanding the ethical issues this poses, the article I read was written in Polish and translated to English for me by Google’s language translation AI. Artificial intelligence is already pervasive in our lives. Now we need to be able to trust it.