Nothing Found

On the whole, the internet has been a tremendous boon for society, but it has also exposed all of Australia—our people, our economy and our government—to sources of unexpected danger from across the entire planet. Criminals, crooks and scammers in other countries can now reach out and hurt us by stealing our data, our identities and our money, and by disrupting our businesses. And although these crimes can be perpetrated in cyberspace, our justice system is historically designed for the physical world and these criminals are usually beyond the reach of our laws.

When it comes to national security, cyber operations are now one of the main ways that states engage in strategic competition to gain advantage without warfare.

The entirety of online Australia is subject to attack, but the sad truth is that only a minority of Australian people and organisations are able to defend themselves. According to the latest official figures, a new cybercrime is reported to Australian authorities every 10 minutes—a staggering statistic given that perhaps less than a third of these crimes are actually reported.

Even large businesses are not immune from online dangers. This year alone BlueScope Steel, transport company Toll Holdings and brewer Lion Australia have had their operations interrupted by ransomware. If large operations are not immune, how are the 98% of Australian businesses with fewer than 20 employees to cope?

An ASPI International Cyber Policy Centre report released today examines ‘Clean Pipes’, the concept that internet service providers (ISPs) offer enhanced levels of default security to their customers.

Some of the most effective security interventions in recent decades have involved providing ‘invisible’ security—security that is delivered by default to end users without requiring any skills or work on their part. These default protections have occurred at many different layers in our computing and communication infrastructure.

For example, one of the ways that operating systems manufacturers such as Microsoft and Apple have made their products more secure is through automatic updates that allow security improvements to be distributed without requiring any user intervention. Building on top of these operating system improvements, browser manufacturers have built systems (Google’s Safe Browsing and Microsoft’s Defender SmartScreen, for example) that warn users before they head to dangerous sites. These initiatives aren’t perfect, but Google’s transparency report states that its Safe Browsing service issues five to 10 million warnings a week to users.

Our ISPs are well placed to implement similar initiatives that improve the security of millions of Australians without their needing to be cybersecurity experts. Conceptually, this requires that ISPs positively identify threats, have some ability to proactively deal with them (such as warning users, blocking attack traffic or removing bogus traffic), and be able to adjust their responses dynamically as the environment changes.

ISPs already have some of these systems in place to protect their own networks and, to a greater or lesser extent, already use that capability to protect their customers. So this is not a case of building an entirely new system to protect Australians. Until now there’s been no widespread belief—among either ISPs or their customers—that providing enhanced default security to customers was an ISP’s job, and nor has any obligation or regulation been imposed by government. In the absence of any expectation or obligation, the investments needed to provide a more secure service haven’t been made.

This hands-off approach to security may have been appropriate for the early days of cyberspace, but as the internet has become increasingly important and the consequences of online crime and interference have become more dire we need more robust protections. The Australian government should drive greatly expanded adoption of Clean Pipes to provide more effective protection across more ISPs—protecting more Australians more effectively. The key advantage of this approach is that it provides advanced scalable protection for the millions of Australians who cannot provide for their own online security.

Recently announced government funding of over $35 million to develop a ‘new cyber threat-sharing platform’ and over $12 million towards ‘strategic mitigations and active disruption options’ could certainly assist in the implementation of a Clean Pipes program. Without an injection of government funds and leadership, it’s likely that the status quo will continue.

Australian governments don’t have a stellar track record of explaining their internet initiatives to the public. To avoid Clean Pipes being mired in unnecessary controversy, government actions and communications should maintain a clear focus on protecting users, and keep copyright enforcement and removal of abhorrent material to their own separate mechanisms.

Clean Pipes is an idea whose time has come. Everyone involved in delivering services on the internet needs to accept an obligation to protect their users.

This article is part of a series on women, peace and security that The Strategist is publishing in recognition of International Women’s Day.

In an era in which disruption rules, suggesting we should say no to some innovation could be seen as revolutionary. Because there’s good innovation, there’s bad innovation, and there’s just plain evil innovation. Not all change is progress.

But the values that determine what is good, bad and evil are not bound by time and should remain eternal. They are the lights that guide us on an uncharted path, as the stars guided navigators at sea for thousands of years. If they hadn’t been there—and constant—many more adventurous innovators would have foundered on the rocks.

So, in our quest for knowledge, we need to take the time to pause and think about the kind of world we want as we innovate. That means we have to consider the unintended consequences and alternative applications.

And we must ensure women are at the table shaping our technology-dependent future.

Because a tracking device in a key ring can save us from ourselves. But it can also allow a control-freak boyfriend to monitor his girlfriend’s every move.

A doll with a camera can delight your child with its novelty. But it can spy on an abused woman fleeing domestic violence by her estranged partner.

A centralised locking system can secure your home remotely. But it can also imprison you.

In its Innovation for gender equality report, UN Women acknowledged that good innovation can be a ‘driver for change’ by accelerating access to opportunities for women across the globe.

But ‘it is increasingly clear that technology and innovation can be rejected; that they can create new, unforeseen problems of their own; and that they do not benefit all equally. Not only are women under-represented across core innovation sectors, including science, technology, engineering and mathematics, but new technology brings risks of bias and possibilities for misuse, creating new human rights challenges for the 21st century.’

Fortunately, the under-representation of women in science, technology, engineering and mathematics and the impact that has on national security, productivity, innovation, research and the economy have been acknowledged by governments, industry and academia.

In Australia, programs now target attracting, retaining and progressing girls and women studying and working in STEM. Peak associations, mentoring groups and ambassadors encourage, support and provide role models for girls and women. Schools and universities offer coding subjects and run hacking competitions.

From a cybersecurity perspective, this is all good work that must continue apace, particularly given the massive and well-documented international and national skills shortage—some say crisis—in the sector.

But the challenges of cyberspace are as much, if not more, human than technical.

While technical knowledge will always be important, it will be ‘institutional, cultural and social changes that will be most effective in mitigating cyber insecurity. New ways of thinking, new understanding and new strategies to the emerging digital age realities will be vital.’ This will require a workforce with political, social, legal, people and technical skills.

So, to fill the enormous and immediate demand for these skills, we need to think and recruit creatively and laterally so that we harness the full potential of our talent pool and bolster diversity in a dynamic and fast-changing industry.

This seems to be underway.

In a survey of more than 300 women in cybersecurity, less than half entered the field through information technology or computer science, coming instead from compliance, psychology, internal audit, entrepreneurship, sales, arts and other backgrounds.

Because of new thinking, understanding and strategies, the dial appears to be shifting on the number of women in cybersecurity, since the alarm was raised when it was found just 11% of the sector was female.

Women now make up 24% of the sector in North America, Latin America and the Asia–Pacific—thanks in part to a new, more inclusive definition of the cybersecurity workforce—and 25% in Australia.

Women now head Australia’s signals intelligence, cybersecurity, cyber research and cybersecurity growth network agencies, to name just some of the female leaders in the sector.

Women have made real gains in cybersecurity in recent years. These wins are important, and they should be celebrated. But we need to keep the pedal firmly to the metal.

We need to continue to address pay gap, systemic bias, recruitment pool, workplace culture, role definition and work–life balance issues. And we need to continue to invest our energies in attracting, retaining and progressing women in STEM and the technical and non-technical fields of cybersecurity.

This is not just an economic and national security imperative. It’s a human rights imperative—to ensure women are liberated by the innovation and technology of the future, not enslaved by it.

Those of us older than a certain age will recall an excellent British television series, Yes, Minister, and its successor, Yes, Prime Minister: they were required viewing for young and enthusiastic public servants in Canberra.

One of the more memorable episodes, ‘The compassionate society’, involved a hospital with no patients, though it did have 500 administrators and ancillary workers to ensure things ran smoothly. Not having patients both prolonged the life of the facility and cut running costs, ensuring it was one of the best-run hospitals in Britain.

Unfortunately, we find the same attitudes in other walks of life. The ‘socio-technical divide’ is a well-known phenomenon in technology. If only people weren’t involved, or just did what we told them, we’d have perfect systems.

That also reflects a lot of thinking and commentary around cybersecurity—‘people are the problem’. After all, most intrusions and attacks start with people being persuaded or misled into going onto disguised or infected sites, to handover details or otherwise compromise their own systems. One estimate is that 94% of malware is delivered via email—phishing—which requires someone to preview, open and/or click on a link or file. If only people—users, clients, members of the community—didn’t do what people naturally do, we’d all have much more secure and efficient systems.

That’s muddled thinking.

First, people—thankfully—are messy. They’re changeable. They work in a variety of different styles, with different information. They desire both privacy and openness—mediated on their own terms, and with people whom they get to choose. They’re impatient, focused, curious, biased, distracted, inspired and sometimes plain lazy. They’re driven by motivations that generally have little do with the incentives of engineers and managers who build and oversee systems and data.

They’re also the reason why we build technologies, systems, organisations and institutions to start with—to enable, support, help and entertain. We need more than cybersecurity specialists; we need good people to conceive, construct and care for good, adaptable, human-centred, secure, resilient systems, that account for the people who use or are supported by them.

Technology is inherently reductionist: that it fails to capture the complexity of humans and their systems should be unsurprising. Despite attempts to map ‘personas’ or ‘life journeys’, technological systems will always struggle to keep up—there’s no universal, singular human experience. The fact that systems and system design either neglect or fail to accommodate the messiness of people and their underlying needs is fundamentally a human concern. That’s even more so as those same technologies become increasingly embedded in in our daily lives.

Second, the line that ‘people are the problem’ usually applies to the faceless masses. It tends to overlook that systems designers, engineers, managers, vendors and government ministers are also people and no less prone to the same messiness, incomplete decision-making, changeability and biases as anyone else. They make mistakes, too. They respond to their own set of incentives, not necessarily others’, or society’s for that matter. And they tend to build systems that favour their own position and point of view.

Third, the systems themselves that people design, approve and administer are no less flawed. Moreover, there’s a case that the consequential misunderstandings, misinterpretations and misconfigurations are so deep in both practice and theory that everything is broken.

The result is that the whole, inevitably, is deeply complex. Complex systems have a variety of properties that make them unpredictable and less tractable to top-down, centralised control.

In such systems, cause and effect are rarely linear. Simple actions may have extraordinary effect, while massive effort may yield little change. Failures may cascade across systems, which may have networks, dependencies and behaviours previously unsurfaced and so unrecognised by managers, administrators and technical staff.

Systems and stakeholders—and their expectations—co-evolve, so that what worked once or in the last funding cycle, may not do so again. And preventive action may easily create increased rigidity and tension in the system. It may be better to allow small failures—analogous to backburning, for example—if they dilute the prospects for major conflagration or collapse.

In such circumstances, attacking officials for a failure—‘heads will roll’—or blaming the victim does little to encourage staff to learn and to build resilience. Instead, it may well increase the chances of greater systemic failure later. The slow work of building human capability and a systems-level understanding is likely to yield better results than firing staff or micromanaging.

Last, we live in a liberal, Western, free-market democracy. Democracies give preference to individuals and their rights, freedoms and opportunities.

Democracies are being challenged by authoritarian regimes and illiberal thinking, including within the democracies themselves. To many—disillusioned by the failure of democratic government to cope with the turmoil caused by digital disruptions, by inequality, by discrimination and biases, and by failures in corporate governance—a populist, or even an authoritarian or strongman approach, looks attractive. It offers simple and direct action and solutions. The lack of consultation, and of transparency, is seen not as an impediment but as an enabler. And authoritarian systems are often able, at least initially, to generate more immediate and focused outcomes.

But a fundamental strength of democracies is that, by investing in individuals and giving them the freedom, and the ability, to create, build, prosper and take a large measure of responsibility for their own wellbeing, they build both legitimacy and resilience that authoritarian societies lack.

Increasingly, that’ll include their online activities as well. In a complex system, government has little hope of ensuring safety and security for all. Technological fixes will be quickly overtaken; social fixes, including legislation, risk impairing people’s ability to look after themselves; and both, imposed with little understanding or consultation, will erode trust, legitimacy, resilience and the government’s own ability to enact change.

The discussion paper released by the Department of Home Affairs on a new cybersecurity strategy raised a multitude of questions—literally. That reflects the sheer complexity of the problem at hand. And if everything is indeed broken, reaching for quick technological or even legislative fixes is likely to add further complexity, increase fragility, increase insecurity and impair resilience.

And so, rather than assuming that ‘fixing’ cybersecurity and improving safety are matters for the central government—which has stretched resources and fewer levers than it once had to enact change—decision-makers would do well to place citizens at the centre of the challenge, and to ask themselves, ‘How can we best help our people to help themselves?’

Now more than ever is the time to double down on our democratic impulses, rather than seeking false shelter in an omnipotent government.

In Australia, the federal, state and territory governments have defined critical infrastructure as: ‘Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.’

Critical infrastructure is an area where the cyber and physical worlds are converging—the operation of digital systems affects our physical world, and so a cyber incident can have direct and serious physical impacts on property and people.

The security risks are far from just theoretical and have been known for many years. In 2001, a disgruntled ex-employee hacked the systems at a sewage treatment works run by the Maroochy Shire Council in Queensland causing the release of raw sewage into freshwater systems. In recent years the Stuxnet attack on Iranian nuclear facilities and numerous attacks on communications networks in Ukraine, attributed to Russia, have shown countries are active in this area. Few people would contest that ensuring the cyber safety of operational systems in our critical national infrastructure should be a key priority.

However, research carried out for my recent ASPI paper shows that more can and should be done.  While there is a recognition of the risk at a conceptual level there is a strong feeling that it is not getting the attention it needs from senior decision-makers. Why is this, and what should we be doing about it?

Firstly, we need to ensure awareness of the differences around securing ‘operational technology’ (OT) systems. In recent years we have made great strides forward in understanding and mitigating information security risks, but often these lessons don’t translate well into the OT world. OT equipment has a long lifetime (10–20 years, compared to five years for typical IT equipment), making it difficult to keep it supported and up-to-date. Even if updates are available, it’s often not feasible to take systems offline to apply them. All the latest artificial intelligence solutions trained to detect IT attacks may completely miss an cyberattack on OT.

The next step is to encourage and empower boards to explicitly understand and define their cyber risk appetite. Critical infrastructure in Australia consists of a whole range of sizes and types of organisations—from small regional councils operating water and sewerage systems to large multinational companies. Varied approaches will be needed, including defining standards and getting the right corporate governance and regulation.

Organisations need to have a clear understanding of the consequences and potential risks of their actions. The risk calculus may be different where the potential impact is catastrophic failure of key infrastructure and this may drive better decision-making on how digital transformation is applied, as well as how mitigation plans are put in place to enable successful change.

Finally, we need to ensure that the right resources and solutions are available to help mitigate risks. This should include programs to educate and develop the workforce, but also ensure better sharing of threat intelligence between government and industry, as well as between businesses. In his address to the ASPI National Security Dinner earlier this year, former NSA chief Mike Rogers made a convincing call for a stronger real-time partnership between critical infrastructure players and the government.

We are at an inflection point in the convergence of physical and cyber systems—the people we spoke to for our research said there had been little change in the last two years, but they expect this convergence to accelerate in the next two years. The arrival of 5G and the internet of things are just two of the factors driving this.

The history of the internet shows that too often we have been playing catch-up and trying to apply security as an afterthought. In this field we have an opportunity to change that narrative. However, none of the suggestions above are quick fixes, so we need to prioritise resources and get moving quickly before technology overtakes us.

Imagine this. You wake up in 2022 to discover that the Australian financial system is in crisis. Digital land titles have been irreversibly altered, and it’s impossible for people and companies to prove that they own their assets. The essential underpinning of Australia’s multitrillion-dollar housing market—ownership—is thrown into question. The stock market goes into freefall as confidence in the financial sector evaporates. Banks cease all property lending and stop any business lending that has property as collateral. The real estate market, insurance market and ancillary industries come to a halt. The economy begins to lurch.

At the same time, a judge’s clerk notices an error in an online reference version of an act of parliament. It quickly emerges that a foreign actor has cleverly tampered with the text, but it’s unclear what other parts of the legislation have been changed or whether other laws have been altered. The whole court system is shut down as the entire legal code is checked against hardcopy and other records and digital forensics continue.

Meanwhile, a ransomware attack has locked up the digital archives of Australia’s major media organisations and parallel archival institutions. Over 200 years of stories about the nation are suddenly inaccessible and potentially lost.

As the Australian public and media are demanding answers, the government is struggling to deal with the crisis. Paper copies of many key documents simply don’t exist.

National identity assets are the evidence of who we are as a nation—from our electronic land titles and biometric immigration data, to the outcomes of our courts and electoral processes and the digital images, stories and national conversations we’re having right now.

Increasingly, our national footprint and interactions are digital only, including both digitally born and digitalised material. The electronic repository is quickly becoming the primary source of truth—the legal and historical evidence we rely on now and into the future.

Keeping national identity assets safe and accessible is vital not only for chronicling Australia’s past, but for supporting government transparency and accountability, the rights and entitlements of all Australians, and our engagement with the rest of the world.

In my report for ASPI’s International Cyber Policy Centre, Identity of a nation: protecting the digital evidence of who we are, released today, I argue that our national identity assets are a prime and obvious target for adversaries looking to destabilise and corrode public trust in Australia.

According to the Australian Cyber Security Centre, 47,000 cyber incidents occurred in Australia in 2016–17, a 15% increase on the previous year. Both state and non-state adversaries have the capability to disrupt, distort and expropriate national identity data. So far, they haven’t targeted our national identity assets—but that could change, at any time.

Many national data assets are held electronically by government agencies, archives, records agencies, libraries and other recordkeeping institutions. Because we haven’t anticipated sophisticated cyberattacks against the organisations holding these assets, and because the data is generally undervalued, the protections in place are inadequate.

In addition to the risk of data loss, there’s also a risk of a loss of trust in the organisations and governments that hold national identity assets.

National and state government archives and other record-holding institutions play the role of ‘impartial witnesses’, identifying and storing this information and holding the government to account under the rule of law and in the ‘court’ of history. We need to trust that these impartial witnesses can identify, keep and preserve this evidence.

If we aren’t vigilant, we run the risk that adversaries could destroy or manipulate our national identity assets, compromising the digital pillars of our society and culture.

States such as Russia have demonstrated their intention to disrupt and undermine Western democracies, and obvious future targets for such attacks are national identity assets that are poorly protected and offer high-impact results if disrupted, corrupted or destroyed.

With more than 30 countries known to possess offensive cyber capabilities, and cyber capabilities being in reach of non-state actors from individuals to cybercrime organisations, the number of potential adversaries able to target our national identity assets is significant and increasing.

The Australian government’s Critical Infrastructure Centre and Australian Cyber Security Centre should address gaps in our national infrastructure and information security by including national identity assets in our critical infrastructure framework and closely aligning digital preservation and information security.

We also need to develop ways of better identifying and valuing national identity digital assets and to give more attention to information governance. Australian governments—state and federal—need to ensure that our critical government-held national identity assets are protected and institutions charged with their care are adequately funded to do so.

Until these issues are addressed, the increasing vulnerability, invisibility and potential loss of the digital evidence of who we are as a nation remains a sleeping, but urgent, national security issue.