Facebook

5 April 2018

The Debate Papers: Can Australia be a cyber power?

5 April 2018

In the latest instalment of our Debate Papers series, Tom Uren and Michelle Price argue whether Australia has what it takes to be a cyber power.

The Debate Papers by

Michelle Price

Chief Executive OfficerAustCyber

Tom Uren

Visiting Fellow - CybersecurityAustralian Strategic Policy Institute

"The Debate Papers" provides a platform for learned voices to argue issues affecting the United States and Australia. These counterpoints traverse topics such as economics, foreign policy and politics. If you’d like to contribute to the series, email brendan.thomas-noone@sydney.edu.au or jared.mondschein@sydney.edu.au.

No, Australia cannot be a cyber power

Tom Uren

Although we do very well in some aspects of being a ‘cyber power’, Australia has some deep-seated cultural and strategic disadvantages that prevent us from being what I would define as a ‘cyber power’.

I define the term cyber as ‘relating to how information and communication technology (ICT) is used to interact and influence the real world’. As the world becomes ever more interconnected the real-world effects of cyber events are becoming ever more apparent. What was once seen as a niche ICT issue is now central to all sorts of discussions from national security to the broader economy.

It seems self-evident that Australia will have some degree of cyber power — we are a relatively well-educated and industrialised economy with an advanced telecommunication sector. We are a regional leader in cyber maturity.¹ To be considered a true ‘cyber power’, however, Australia needs to have:

a vibrant digital economy;²
a strong military cyber capability including cyber espionage; and
a strong cybersecurity industry.

Source: USSC

This is a holistic assessment of cyber power, and reflects the way that cyber issues cut across all aspects of the economy.

‘A vibrant digital economy’ is a key criteria. Firstly, I view it as a necessary but insufficient pre-condition for a strong cybersecurity industry — after all, cybersecurity is required to protect the digital economy and we won’t become a cyber power if there is nothing to protect. Secondly, the strength of our digital economy is also a direct measure of the Australian economy’s ability to take advantage of digital technologies. If we can’t embrace and grow our digital economy we are unlikely to embrace and grow our cybersecurity sector. Based on my assessment of our digital economy, Australia is not and will not be a cyber power. Israel, a country of only 8.5 million people is considered a cyber superpower,³ and arguably beats Australia on every measure. If we can’t compare favourably with a country with just a third our population we cannot truly be considered a power.

On the positive side of the ledger, Australia does well in its offensive cyber and cyber espionage capabilities. Offensive cyber capabilities are used to ‘manipulate, deny, disrupt, degrade or destroy targeted computers, information systems, or networks’⁴ to achieve military objectives; cyber espionage, by contrast, is gathering intelligence in cyberspace ideally without having an effect and ideally without detection. It is difficult to assess these capabilities using open-source material, but it is probably fair to say that Australia benefits from both a close military and intelligence relationship with the United States. In intelligence and military capability, the United States is a cyber superpower with likely more than 30,000 people employed at the National Security Agency (NSA),⁵ their signals intelligence and information security organisation, and a further 5,000 at Cyber Command, the US military command for cyberspace operations including offensive cyber operations.

Australia has deep-seated cultural and strategic disadvantages when it comes to taking advantage of digital technologies and by extension developing its indigenous cybersecurity industry.

Both the United States and Australia have reported using offensive cyber capabilities against ISIS⁶ and this has no doubt helped develop and mature Australia’s capabilities. Additionally, Australia’s involvement in the Five Eyes intelligence relationship — the intelligence alliance between the United States, United Kingdom, Australia, Canada, and New Zealand — has over several decades helped Australia’s cyber espionage capability; in this regard Australia has been described as being within the top 10 in the world and by this narrow measure would definitely qualify as a cyber power.⁷

Military and intelligence applications, however, are only one part of being a cyber power and arguably not a very important one when it comes to overall national economic wellbeing. How is Australia taking advantage of cyber-related economic opportunities in the cybersecurity business and more broadly in the digital economy?

Poorly, I’m afraid. Australia has deep-seated cultural and strategic disadvantages when it comes to taking advantage of digital technologies and by extension developing its indigenous cybersecurity industry.

When it comes to the digital economy, Australia has had mixed success at taking advantage of information and communication technologies, and large sectors of the economy have been relatively slow in technological adoption. While some knowledge intensive sectors compare well to US peers, very large sections of the Australian economy lag behind US counterparts: health, mining, transport and construction to name a few.⁸

Unfortunately for our local cybersecurity industry, it is only the few digitally savvy sectors that truly understand the value of cybersecurity services and are willing to pay for them. Cybersecurity industry stakeholders report in various conversations that a small minority of the Australian economy — defence and national security companies, the federal government, and big banks — are relatively advanced in cybersecurity while the vast majority of Australian industry and business don’t yet understand cybersecurity threats and are not willing to invest in cybersecurity services. This is obviously bad for our indigenous cybersecurity industry and our status as a cyber power.

The broader Australian economy doesn’t, on the whole, understand the need for cybersecurity services – so there isn’t a big local market.

Australia does have some indigenous cybersecurity companies, but Australia does not have a strong start-up culture and the Australian Cyber Security Growth Network — an industry-led body to grow the Australian cybersecurity industry — has identified low research investment, market barriers, and difficulty attracting cybersecurity talent as hurdles for developing a local industry.⁹

Comparison with Israel is illuminating. Cybersecurity Ventures, a cybersecurity market research firm, compiles an annual ‘Cybersecurity 500’, the ‘500 hottest and most innovative companies’ in cybersecurity.¹⁰ Even though this is not a comprehensive assessment the difference is stark: there are 35 Israeli companies in the top 500 and just two from Australia.

But this difference in start-up culture exists well beyond the cybersecurity industry. A graphical example of this difference in culture is illustrated by a Google image search for ‘Israeli unicorns’ vs ‘Australian unicorns’ — in this case unicorns refers to start-up companies worth more than $1 billion. The Google image search for ‘Israeli unicorns’ results in business slides detailing the value of Israeli start-ups such as Viber, Waze, Wix and others.

A Google image search for ‘Australian unicorns’ results in images of horses with horns. And sometimes rainbows.

Israel’s entrepreneurial culture is also supported by a strong cyber pipeline that supports science, technology and cyber development that starts in high school and funnels talent through the Israeli military’s cybersecurity units and equips them with the skills and aptitude to build technology and cybersecurity businesses.

This cyber pipeline starts with selection of students with academic and technical aptitude from high school into Magshimim,¹¹ a three-year cybersecurity development course. Magshimim also aims to bring diversity into the technology workforce and specifically targets populations currently under-represented in technology.¹²

Australia’s intelligence agencies recruit long-term professionals and are rightly solely focused on national intelligence priorities rather than on fostering a talent pipeline.

This pipeline continues through Israeli military intelligence organisations such as Unit 8200, one of Israel’s intelligence and cybersecurity units.¹³ Recruits are selected on aptitude and given practical experience solving important – sometimes life and death – cybersecurity problems, develop team work and a good work ethic, and after three or four years are then thrust into the real world to earn a living.

Australia, by comparison, has a poor entrepreneurial culture and no talent pipeline. Australia’s intelligence agencies recruit long-term professionals and are rightly solely focused on national intelligence priorities rather than on fostering a talent pipeline.

Overall, Australia will do well projecting military power in cyberspace. But this is only a small part of what is required to be a cyber power. Australia’s indigenous cybersecurity industry will struggle to be a world power. The broader Australian economy doesn’t, on the whole, understand the need for cybersecurity services – so there isn’t a big local market. There is no cybersecurity skills pipeline in Australia – so we have relatively few appropriately skilled people. And Australia doesn’t have a strong start-up culture – so it is hard to start and build new businesses.

Michelle and the Australian Cyber Security Growth Network have identified these challenges and are working hard to overcome them. I just think that too much of these challenges are rooted in Australian culture, and culture is hard to change. Fundamentally, however, Michelle and I are both working to improve Australia’s engagement with digital technologies and cyber issues, so I wish her all the best.

Yes, Australia can be a cyber power

Michelle Price

The reasons why, however, may not fit the traditional measures of a successful ‘power’. This is a brave new world of intermingled hard and soft power: signals and human intelligence (and perhaps of the artificial kind), interdependent threat, risk and opportunity, kinetic and virtual effects and disruptive thinking on how things can and ought to function.

The physical world is awakening to the expansive cyber threat landscape and the enormous opportunities that flow from cyber resilient systems — that being the ability of people, processes and technologies to recover from interruption and/or attack. With this comes a far broader and nuanced set of definitions of ‘cyber’.¹⁴ The word ‘security’ is being dropped at strategic levels, recognising the focus required on resilience.¹⁵

It is worth noting that cyberspace is the only domain of human experience that we ourselves created. Its originators are known for reflecting they could have never predicted the significant impacts the internet and connected things are having on mankind, nor that most who interact with its systems barely understand how it all works. The complexity does make for a challenging and rhizomic environment for a country of comparatively small population and economy like Australia to develop, maintain and project power in the digital age.

The complexity of cyberspace makes for a challenging and rhizomic environment for a country of comparatively small population and economy like Australia to develop, maintain and project power in the digital age.

Perhaps this is why we often feel like the opportunities described in global risks and megatrends¹⁶ reporting are not within our grasp — there aren’t many visible, tangible reference points against our cultural norms that make sense to much of Australian society.

But the digital age is enabling Australia to engage and project power in ways not previously available, from the pointiest end of the spectrum in the Australian Signals Directorate through to the sole trader who can export at scale through democratised advance manufacturing¹⁷ and cyber resilient online supply chains.

Our military and intelligence cyber capabilities are considered to be reasonable for a ‘middle power’; there is now more public information to confirm this than ever before.¹⁸ I agree with Tom’s assessment that Australia is not in the same realm as nations such as Israel. What we might lack compared to some others I believe we make up for in our strategic alliances with the Five Eyes and like-minded countries, where capability and intelligence sharing has a complementary and multiplier effect.

Further, Australia is actively investing in the underappreciated side of the defensive equation — capacity and confidence building mechanisms, including the appointment of an Ambassador for Cyber Affairs (note ‘security’ is absent in the title). Through initiatives such as the government’s Joint Cyber Sharing Centres, we are also maturing our thinking around how government can partner with industry and academia in these efforts¹⁹. Unlike the large US market and the small New Zealand market, our economy’s scale makes for a great test bed to rapidly explore how to get this working effectively and as a role model for others.

We are also stepping up with other like-minded countries to improve deterrence in cyberspace. This includes partnering with others in publicly attributing malicious cyber acts to nation state actors²⁰ and providing other means of deterrence, such as sanctions.²¹

Then there is the critical role that law enforcement has as cybercrime continues to inflict its scourge on the economy and society²² —an increasingly visible and relatable aspect of projecting cyber power. The Australian Federal Police and the Australian Criminal Intelligence Commission with state and territory police and international counterparts are proving the value of their efforts to disrupt and prosecute individual and organised cybercriminals²³ (who are sometimes mixing with nation states²⁴).

Australia is stepping up with other like-minded countries to improve deterrence in cyberspace. This includes partnering with others in publicly attributing malicious cyber acts to nation state actors and providing other means of deterrence, such as sanctions.

Plus, things are starting to take shape regarding the direct involvement of industry and academia in cyber defences and digital trade negotiations, including through business forums associated with major intergovernmental meetings such as G20 and ASEAN. For the former, industry is particularly active in terms of sharing threat intelligence and discussing their role in lawful active defence.²⁵

A value judgement on my part: we also have the agility and mission focus online that we are known for in kinetic domains of escalatory behaviour and war. In the ‘death by a trillion cuts’ nature of pre and actual cyberwar,²⁶ these factors count, and I believe work in our favour as a trusted ally and partner (hint: a great topic for a PhD study).

Beyond national security is the economic development side to the story, which is inextricably linked to our success on the defensive side.

Cyber, in the context of security and resilience, is unique in being both a true economic ‘vertical’ (a growing sector in its own right) and ‘horizonal’ (enables all other sectors and supporting infrastructure). It is also one of the few areas of the economy where government is an active stakeholder — all public sectors are consumers and parts are also producers of cyber security in the same ways as industry, academia and society. All can contribute to national resilience.

To delve deeper, I could just point you to Australia’s Cyber Security Sector Competitiveness Plan²⁷ launched by the Australian Cyber Security Growth Network in April 2017 and alert you to its first annual update being released shortly with Australia’s first Cyber Security Industry Roadmap (a partnership between AustCyber and CSIRO). But that removes the fun of the debate.

The plans point to some key factors that give Australia’s cyber toolkit an edge:

Trust: Australia is a trusted economy on and offline, and one of the most resilient,²⁸ which translates in myriad ways including export opportunities and attracting investment (yes trust is fragile, more so in cyberspace, so there’s no standing on our laurels).
Geography: our location within the Indo-Pacific is a strategic pivot point and enables home-grown and multinational organisations alike to ‘follow the sun’ in their cyber operations by maintaining 24-hour coverage.
Workforce: while we suffer the same skills shortages as other countries, we produce high quality, world class talent (the pipeline is improving) and a comparatively highly multilingual society. Both factors fuel decisions of companies like BAE Systems, BT and Google to have global or regional cyber security teams based in here.
Research and innovation: our rates of public research commercialisation are not up there²⁹, as Tom notes, however we have a proven ability to produce world leading research and innovative technological solutions. An incredible amount of the science underpinning cutting edge security solutions globally has been or is being born in Australia (perhaps we need new/additional measures of success?).

The update to the Sector Competitiveness Plan will show that while Australia clearly has more to do, the ecosystem has moved in the past 12 months, with strong incentives to keep at it. This includes leveraging our population size and factors above, plus others, to push the boundaries of what’s possible.

Australia has a proven ability to produce world leading research and innovative technological solutions. An incredible amount of the science underpinning cutting edge security solutions globally has been or is being born in Australia.

Per capita, Australia may not achieve the rates of commercialisation of those currently at the top of the lists. But I believe we have enviable foundations and motivation to make good of our comparative strengths, which will drive a more sustained growth path.

As Australia’s cyber maturity continues to improve, the demand for cyber security solutions, as well as cyber resilient technologies, will rapidly grow, incentivising more Australian-developed cyber capability (technical and non-technical) to remain at home and also be exported to the world. This creates jobs, incentivises more people to seek cyber careers, encourages greater investment in R&D and innovation, and underpins our ability to be a legitimate cyber power, both in national security and economic terms.

Due to the digital age, we can no longer separate the core components of modern power: security, economics and acting in the national interest. Australia has strengths and a compelling story across all these in the intermingled brave new world.

Maybe in a distant, distant future, Australia might be the cyber power (never say never). Right now, we are on the verge of being a cyber power, at the very least in our part of the world, which is also the fastest growing global region and increasingly the most cyber active.

As a concluding note, when seeking views on the debate question with one of the most honest audiences I have access to, my primary school-aged children, the response was: Australia is a cyber power, because we are. We’re a country that’s friendly but we don’t like people pushing us around, we care for people when they need help and we have great ideas and inventions that create new tech and fix things.

Maybe that’s the point. It’s so simplistic, we miss it. We might be a cyber power and our sufferance of tall poppies and perhaps hyper-attachment to traditional reference points prevents us from recognising it.

Tom, come join me and countless others. #gameon

Endnotes

Australian Strategic Policy Institute, Cyber Maturity in the Asia–Pacific Region 2017.
A digital economy is the range of economic and social activities that are enabled by information and communication technologyDepartment of Innovation, Industry and Science Digital Economy siteat March 2018 online at https://industry.gov.au/innovation/Digital-Economy/Pages/default.aspx
World Economic Forum, Who are the cyberwar superpowers, May 2016 online at https://www.weforum.org/agenda/2016/05/who-are-the-cyberwar-superpowers/; Axios, The world’s top cyber powers, August 2013 online at https://www.axios.com/the-worlds-top-cyber-powers-1513304669-4fa53675-b7e6-4276-a2bf-4a84b4986fe9.html
Department of Prime Minister and Cabinet, Cyber Lexicon, draft 2018.
Dana Priest, NSA growth fueled by need to target terrorists,Washington Post, July 2013 online at https://www.washingtonpost.com/world/national-security/nsa-growth-fueled-by-need-to-target-terrorists/2013/07/21/24c93cf4-f0b1-11e2-bed3-b9b6fe264871_story.html
Prime Minister Malcom Turnbull media release online at https://www.pm.gov.au/media/offensive-cyber-capability-fight-cyber-criminals; Admiral Rogers, Commander United States Cyber Command, testimony to the Senate Armed Services Committee, February 2018 online at https://www.armed-services.senate.gov/imo/media/doc/Rogers_02-27-18.pdf
Greg Austin, online at https://theconversation.com/if-australia-wants-to-boost-defence-exports-it-should-start-with-its-natural-strength-cyber-security-90849
Blackburn, Freeland and Gärtner,Digital Australia: Seizing opportunities from the Fourth Industrial Revolution, March 2017 online at https://www.mckinsey.com/~/media/McKinsey/Global%20Themes/Asia%20Pacific/Digital%20Australia%20Seizing%20the%20opportunity%20from%20the%20Fourth%20Industrial%20Revolution/Digital-Australia-Seizing-the-opportunity-from-the-fourth-industrial-revolution-vf.ashx
Australian Cyber Security Growth Network, Cyber Security Sector Competitiveness Plan, April 2017 online at https://www.acsgn.com/wp-content/uploads/2017/04/Cyber-Security-SCP-April2017.pdf
https://cybersecurityventures.com/cybersecurity-500-list/#home/?view_1_per_page=500&view_1_page=1
Magshimim Program https://www.rashi.org.il/magshimim-cyber-program
https://www.rashi.org.il/newsroom-magshimim
https://www.forbes.com/sites/richardbehar/2016/05/11/inside-israels-secret-startup-machine/
A globally respected repository of cyber definitions, including ‘cyber’, is maintained by the NATO Cooperative Cyber Defence Centre of Excellence at https://ccdcoe.org/cyber-definitions.html. Its introduction aptly reflects the nature of the hedging within the debate: “There are no common definitions for Cyber terms – they are understood to mean different things by different nations/organisations, despite prevalence in mainstream media and in national and international organisational statements. Given this ambiguity and regardless of caveats, the glossary aims to provide a picture on how nations/states and different institutions, interpret and approach to ‘cyber’. …this glossary does not represent a nation’s position in a legal context.” Retrieved 16/03/2018.
A clear distinction is made between security and resilience at https://en.wikipedia.org/wiki/Cyber_resilience. Retrieved 16/03/2018.
Three authoritative voices on global risks and megatrends include the World Economic Forum (https://www.weforum.org/reports/the-global-risks-report-2018;https://www.weforum.org/agenda/2017/08/4-mega-trends-that-could-change-the-world-by-2030, both retrieved 16/03/2018), PwC (https://www.pwc.co.uk/issues/megatrends.html, retrieved 16/03/2018) and closer to home, the CSIRO (https://www.csiro.au/en/Do-business/Futures/Reports/Our-Future-World, retrieved 16/03/2018).
https://www.youtube.com/watch?v=Jvv7G7y9Jts. Retrieved 16/03/2018.
Resourcing for additional cyber capability development was announced through the 2016 Defence White Paper, available at http://www.defence.gov.au/WhitePaper/. Retrieved 16/03/2018. Australia’s offensive cyber capability was first publicly disclosed by the Australian Government through Australia’s Cyber Security Strategy, Australian Government, 2016, available at https://cybersecuritystrategy.pmc.gov.au/. Retrieved 16/03/2018.
This is encapsulated in Australia’s International Cyber Engagement Strategy, Australian Government, 2017, available at http://dfat.gov.au/international-relations/themes/cyber-affairs/aices/index.html. Retrieved 16/03/2018. It is worth reiterating the central message of this Strategy: “Cyber affairs play a significant role in Australia’s international relations with other countries. While once a technical, niche issue, Cyber affairs now encompasses a broad range of strategic and international policy issues.”
http://minister.homeaffairs.gov.au/angustaylor/Pages/notpetya-russia.aspx and https://www.theaustralian.com.au/business/technology/notpetya-cyberattack-australia-us-uk-blame-russia/news-story/9c09bc766b0e74a17d0319a9f7342da0, both retrieved 16/03/2018.
Described in Australia’s Cyber Security Strategy, Australian Government, 2016, available at https://cybersecuritystrategy.pmc.gov.au/. Retrieved 16/03/2018.
A recent mainstream description of the real world implications of cybercrime: https://www.thesun.co.uk/news/5815189/dark-web-live-torture-hire-hitmen-hackers/. Retrieved 16/03/2018.
Examples include: https://www.afp.gov.au/news-media/media-releases/joint-international-operation-sees-us-citizen-arrested-denial-service(2017) and https://www.dailytelegraph.com.au/news/nsw/phantom-secure-crims-shut-off-from-impregnable-blackberries/news-story/ef0d7369f47787bafebc47de59ef7f73(2018), both retrieved 16/03/2018.
The almost seamless movement between skilled individual actors, criminal groups and some nation states is now widely discussed (a reasonably recent occurrence); recent examples include: https://www.diplomaticourier.com/2018/03/15/the-dangers-of-using-state-sanctioned-hackers/and https://www.scmagazineuk.com/sophisticated-hacking-tools-now-in-the-hands-of-petty-cyber-criminals/article/750525/, both retrieved 16/03/2018.
An authoritative source on active cyber defence and its application in industry has been developed by The MITRE Corporation: https://www.mitre.org/publications/technical-papers/active-defense-strategy-for-cyber. Retrieved 16/08/2018. Australia’s policy and legal frameworks have not kept pace with the ways in which industry and academia can lawfully engage in the full range of active cyber defence strategies however there is growing intent to address this.
The fact that it took NATO until 2016 to acknowledge and define cyberwar is a demonstration of how intermingled the different issues are – a pebble in the pond can have tsunami-like implications if not carefully considered. Security Affairs provides a succinct summary on the NATO announcement (http://securityaffairs.co/wordpress/48484/cyber-warfare-2/nato-cyberspace-warfare-domain.html, retrieved 16/03/2018) with further discussion in NATO following the July 2017 ‘Petya’ ransomware attack on the Ukraine (reported by various news outlets including The Telegraph in the UK: https://www.telegraph.co.uk/news/2017/06/28/nato-assisting-ukrainian-cyber-defences-ransom-ware-attack-cripples/, retrieved 16/03/2018).
Australia’s Cyber Security Competitiveness Plan, AustCyber – the Australian Cyber Security Growth Network Ltd, 2017, available at https://www.acsgn.com/cyber-security-sector-competitiveness-plan/. Retrieved 16/03/2018.
https://www.oecd.org/sti/outlook/e-outlook/sticountryprofiles/australia.htm. Retrieved 16/03/2018.
http://www.oecd.org/sti/sci-tech/commercialising-public-research.htm. Retrieved 16/03/2018.

AUKUS inflection point: Building the ecosystem for workforce development

What does ‘economic security’ mean to Australia in 2024?

Bolstering the Quad: The case for a collective approach to maritime security

One year from the 2024 US presidential election: The stakes for Australia and the alliance

The Debate Papers: Can Australia be a cyber power?

The Debate Papers by

No, Australia cannot be a cyber power

Yes, Australia can be a cyber power

Endnotes