5 April 2018
In the latest instalment of our Debate Papers series, Tom Uren and Michelle Price argue whether Australia has what it takes to be a cyber power.
"The Debate Papers" provides a platform for learned voices to argue issues affecting the United States and Australia. These counterpoints traverse topics such as economics, foreign policy and politics. If you’d like to contribute to the series, email firstname.lastname@example.org or email@example.com.
Although we do very well in some aspects of being a ‘cyber power’, Australia has some deep-seated cultural and strategic disadvantages that prevent us from being what I would define as a ‘cyber power’.
I define the term cyber as ‘relating to how information and communication technology (ICT) is used to interact and influence the real world’. As the world becomes ever more interconnected the real-world effects of cyber events are becoming ever more apparent. What was once seen as a niche ICT issue is now central to all sorts of discussions from national security to the broader economy.
It seems self-evident that Australia will have some degree of cyber power — we are a relatively well-educated and industrialised economy with an advanced telecommunication sector. We are a regional leader in cyber maturity.[^1] To be considered a true ‘cyber power’, however, Australia needs to have:
This is a holistic assessment of cyber power, and reflects the way that cyber issues cut across all aspects of the economy.
‘A vibrant digital economy’ is a key criteria. Firstly, I view it as a necessary but insufficient pre-condition for a strong cybersecurity industry — after all, cybersecurity is required to protect the digital economy and we won’t become a cyber power if there is nothing to protect. Secondly, the strength of our digital economy is also a direct measure of the Australian economy’s ability to take advantage of digital technologies. If we can’t embrace and grow our digital economy we are unlikely to embrace and grow our cybersecurity sector. Based on my assessment of our digital economy, Australia is not and will not be a cyber power. Israel, a country of only 8.5 million people is considered a cyber superpower,[^3] and arguably beats Australia on every measure. If we can’t compare favourably with a country with just a third our population we cannot truly be considered a power.
On the positive side of the ledger, Australia does well in its offensive cyber and cyber espionage capabilities. Offensive cyber capabilities are used to ‘manipulate, deny, disrupt, degrade or destroy targeted computers, information systems, or networks’[^4] to achieve military objectives; cyber espionage, by contrast, is gathering intelligence in cyberspace ideally without having an effect and ideally without detection. It is difficult to assess these capabilities using open-source material, but it is probably fair to say that Australia benefits from both a close military and intelligence relationship with the United States. In intelligence and military capability, the United States is a cyber superpower with likely more than 30,000 people employed at the National Security Agency (NSA),[^5] their signals intelligence and information security organisation, and a further 5,000 at Cyber Command, the US military command for cyberspace operations including offensive cyber operations.
Both the United States and Australia have reported using offensive cyber capabilities against ISIS[^6] and this has no doubt helped develop and mature Australia’s capabilities. Additionally, Australia’s involvement in the Five Eyes intelligence relationship — the intelligence alliance between the United States, United Kingdom, Australia, Canada, and New Zealand — has over several decades helped Australia’s cyber espionage capability; in this regard Australia has been described as being within the top 10 in the world and by this narrow measure would definitely qualify as a cyber power.[^7]
Military and intelligence applications, however, are only one part of being a cyber power and arguably not a very important one when it comes to overall national economic wellbeing. How is Australia taking advantage of cyber-related economic opportunities in the cybersecurity business and more broadly in the digital economy?
Poorly, I’m afraid. Australia has deep-seated cultural and strategic disadvantages when it comes to taking advantage of digital technologies and by extension developing its indigenous cybersecurity industry.
When it comes to the digital economy, Australia has had mixed success at taking advantage of information and communication technologies, and large sectors of the economy have been relatively slow in technological adoption. While some knowledge intensive sectors compare well to US peers, very large sections of the Australian economy lag behind US counterparts: health, mining, transport and construction to name a few.[^8]
Unfortunately for our local cybersecurity industry, it is only the few digitally savvy sectors that truly understand the value of cybersecurity services and are willing to pay for them. Cybersecurity industry stakeholders report in various conversations that a small minority of the Australian economy — defence and national security companies, the federal government, and big banks — are relatively advanced in cybersecurity while the vast majority of Australian industry and business don’t yet understand cybersecurity threats and are not willing to invest in cybersecurity services. This is obviously bad for our indigenous cybersecurity industry and our status as a cyber power.
Australia does have some indigenous cybersecurity companies, but Australia does not have a strong start-up culture and the Australian Cyber Security Growth Network — an industry-led body to grow the Australian cybersecurity industry — has identified low research investment, market barriers, and difficulty attracting cybersecurity talent as hurdles for developing a local industry.[^9]
Comparison with Israel is illuminating. Cybersecurity Ventures, a cybersecurity market research firm, compiles an annual ‘Cybersecurity 500’, the ‘500 hottest and most innovative companies’ in cybersecurity.[^10] Even though this is not a comprehensive assessment the difference is stark: there are 35 Israeli companies in the top 500 and just two from Australia.
But this difference in start-up culture exists well beyond the cybersecurity industry. A graphical example of this difference in culture is illustrated by a Google image search for ‘Israeli unicorns’ vs ‘Australian unicorns’ — in this case unicorns refers to start-up companies worth more than $1 billion. The Google image search for ‘Israeli unicorns’ results in business slides detailing the value of Israeli start-ups such as Viber, Waze, Wix and others.
A Google image search for ‘Australian unicorns’ results in images of horses with horns. And sometimes rainbows.
Israel’s entrepreneurial culture is also supported by a strong cyber pipeline that supports science, technology and cyber development that starts in high school and funnels talent through the Israeli military’s cybersecurity units and equips them with the skills and aptitude to build technology and cybersecurity businesses.
This cyber pipeline starts with selection of students with academic and technical aptitude from high school into Magshimim,[^11] a three-year cybersecurity development course. Magshimim also aims to bring diversity into the technology workforce and specifically targets populations currently under-represented in technology.[^12]
This pipeline continues through Israeli military intelligence organisations such as Unit 8200, one of Israel’s intelligence and cybersecurity units.[^13] Recruits are selected on aptitude and given practical experience solving important – sometimes life and death – cybersecurity problems, develop team work and a good work ethic, and after three or four years are then thrust into the real world to earn a living.
Australia, by comparison, has a poor entrepreneurial culture and no talent pipeline. Australia’s intelligence agencies recruit long-term professionals and are rightly solely focused on national intelligence priorities rather than on fostering a talent pipeline.
Overall, Australia will do well projecting military power in cyberspace. But this is only a small part of what is required to be a cyber power. Australia’s indigenous cybersecurity industry will struggle to be a world power. The broader Australian economy doesn’t, on the whole, understand the need for cybersecurity services – so there isn’t a big local market. There is no cybersecurity skills pipeline in Australia – so we have relatively few appropriately skilled people. And Australia doesn’t have a strong start-up culture – so it is hard to start and build new businesses.
Michelle and the Australian Cyber Security Growth Network have identified these challenges and are working hard to overcome them. I just think that too much of these challenges are rooted in Australian culture, and culture is hard to change. Fundamentally, however, Michelle and I are both working to improve Australia’s engagement with digital technologies and cyber issues, so I wish her all the best.
The reasons why, however, may not fit the traditional measures of a successful ‘power’. This is a brave new world of intermingled hard and soft power: signals and human intelligence (and perhaps of the artificial kind), interdependent threat, risk and opportunity, kinetic and virtual effects and disruptive thinking on how things can and ought to function.
The physical world is awakening to the expansive cyber threat landscape and the enormous opportunities that flow from cyber resilient systems — that being the ability of people, processes and technologies to recover from interruption and/or attack. With this comes a far broader and nuanced set of definitions of ‘cyber’.[^14] The word ‘security’ is being dropped at strategic levels, recognising the focus required on resilience.[^15]
It is worth noting that cyberspace is the only domain of human experience that we ourselves created. Its originators are known for reflecting they could have never predicted the significant impacts the internet and connected things are having on mankind, nor that most who interact with its systems barely understand how it all works. The complexity does make for a challenging and rhizomic environment for a country of comparatively small population and economy like Australia to develop, maintain and project power in the digital age.
Perhaps this is why we often feel like the opportunities described in global risks and megatrends[^16] reporting are not within our grasp — there aren’t many visible, tangible reference points against our cultural norms that make sense to much of Australian society.
But the digital age is enabling Australia to engage and project power in ways not previously available, from the pointiest end of the spectrum in the Australian Signals Directorate through to the sole trader who can export at scale through democratised advance manufacturing[^17] and cyber resilient online supply chains.
Our military and intelligence cyber capabilities are considered to be reasonable for a ‘middle power’; there is now more public information to confirm this than ever before.[^18] I agree with Tom’s assessment that Australia is not in the same realm as nations such as Israel. What we might lack compared to some others I believe we make up for in our strategic alliances with the Five Eyes and like-minded countries, where capability and intelligence sharing has a complementary and multiplier effect.
Further, Australia is actively investing in the underappreciated side of the defensive equation — capacity and confidence building mechanisms, including the appointment of an Ambassador for Cyber Affairs (note ‘security’ is absent in the title). Through initiatives such as the government’s Joint Cyber Sharing Centres, we are also maturing our thinking around how government can partner with industry and academia in these efforts[^19]. Unlike the large US market and the small New Zealand market, our economy’s scale makes for a great test bed to rapidly explore how to get this working effectively and as a role model for others.
We are also stepping up with other like-minded countries to improve deterrence in cyberspace. This includes partnering with others in publicly attributing malicious cyber acts to nation state actors[^20] and providing other means of deterrence, such as sanctions.[^21]
Then there is the critical role that law enforcement has as cybercrime continues to inflict its scourge on the economy and society[^22] —an increasingly visible and relatable aspect of projecting cyber power. The Australian Federal Police and the Australian Criminal Intelligence Commission with state and territory police and international counterparts are proving the value of their efforts to disrupt and prosecute individual and organised cybercriminals[^23] (who are sometimes mixing with nation states[^24]).
Plus, things are starting to take shape regarding the direct involvement of industry and academia in cyber defences and digital trade negotiations, including through business forums associated with major intergovernmental meetings such as G20 and ASEAN. For the former, industry is particularly active in terms of sharing threat intelligence and discussing their role in lawful active defence.[^25]
A value judgement on my part: we also have the agility and mission focus online that we are known for in kinetic domains of escalatory behaviour and war. In the ‘death by a trillion cuts’ nature of pre and actual cyberwar,[^26] these factors count, and I believe work in our favour as a trusted ally and partner (hint: a great topic for a PhD study).
Beyond national security is the economic development side to the story, which is inextricably linked to our success on the defensive side.
Cyber, in the context of security and resilience, is unique in being both a true economic ‘vertical’ (a growing sector in its own right) and ‘horizonal’ (enables all other sectors and supporting infrastructure). It is also one of the few areas of the economy where government is an active stakeholder — all public sectors are consumers and parts are also producers of cyber security in the same ways as industry, academia and society. All can contribute to national resilience.
To delve deeper, I could just point you to Australia’s Cyber Security Sector Competitiveness Plan[^27] launched by the Australian Cyber Security Growth Network in April 2017 and alert you to its first annual update being released shortly with Australia’s first Cyber Security Industry Roadmap (a partnership between AustCyber and CSIRO). But that removes the fun of the debate.
The plans point to some key factors that give Australia’s cyber toolkit an edge:
The update to the Sector Competitiveness Plan will show that while Australia clearly has more to do, the ecosystem has moved in the past 12 months, with strong incentives to keep at it. This includes leveraging our population size and factors above, plus others, to push the boundaries of what’s possible.
Per capita, Australia may not achieve the rates of commercialisation of those currently at the top of the lists. But I believe we have enviable foundations and motivation to make good of our comparative strengths, which will drive a more sustained growth path.
As Australia’s cyber maturity continues to improve, the demand for cyber security solutions, as well as cyber resilient technologies, will rapidly grow, incentivising more Australian-developed cyber capability (technical and non-technical) to remain at home and also be exported to the world. This creates jobs, incentivises more people to seek cyber careers, encourages greater investment in R&D and innovation, and underpins our ability to be a legitimate cyber power, both in national security and economic terms.
Due to the digital age, we can no longer separate the core components of modern power: security, economics and acting in the national interest. Australia has strengths and a compelling story across all these in the intermingled brave new world.
Maybe in a distant, distant future, Australia might be the cyber power (never say never). Right now, we are on the verge of being a cyber power, at the very least in our part of the world, which is also the fastest growing global region and increasingly the most cyber active.
As a concluding note, when seeking views on the debate question with one of the most honest audiences I have access to, my primary school-aged children, the response was: Australia is a cyber power, because we are. We’re a country that’s friendly but we don’t like people pushing us around, we care for people when they need help and we have great ideas and inventions that create new tech and fix things.
Maybe that’s the point. It’s so simplistic, we miss it. We might be a cyber power and our sufferance of tall poppies and perhaps hyper-attachment to traditional reference points prevents us from recognising it.
Tom, come join me and countless others. #gameon