Dr Miah Hammond-Errey sits down with Hamish Hansford, Deputy Secretary of the Cyber and Infrastructure Security Group at the Department of Home Affairs, to discuss the evolution of the Security of Critical Infrastructure Act (SOCI), including Critical Infrastructure Risk Management Programs (CIRMPs), refining the critical asset class definitions and the importance of board accountability. They also cover the International Counter Ransomware Taskforce, working with other countries in cyber security and Australia’s upcoming Cyber Security Strategy for 2023–30, including lessons from the US National Cybersecurity Strategy.

The discussion also touches on lessons from the Optus and Medibank data breaches, Australia’s progress towards the goal of being the world’s most cyber-secure nation by 2030 and the unrealised potential of 5G networks.

Hamish Hansford is the Deputy Secretary of the Cyber and Infrastructure Security Group at the Department of Home Affairs. He has more than 20 years of experience across government, including as the Inaugural Head of the Cyber and Infrastructure Security Centre. He also led the delivery and implementation of Australia's 2020 Cyber Security Strategy and has worked in cybercrime, combating terrorism and child exploitation, as well as on reform of critical and emerging technology, data security and surveillance.

Technology and Security is hosted by Dr Miah Hammond-Errey, the inaugural director of the Emerging Technology program at the United States Studies Centre, based at the University of Sydney. Miah’s Twitter: https://twitter.com/Miah_HE

Resources mentioned in the recording:

Hamish Hansford and Dr Miah Hammond-Errey
Source: USSC

Making great content requires fabulous teams. Thanks to the great talents of the following. 

  • Research support and assistance: Tom Barrett
  • Production: Elliott Brennan
  • Podcast Design: Susan Beale
  • Music: Dr Paul Mac

This podcast was recorded on the lands of the Ngunnawal people, and we pay our respects to their Elders past, present and emerging — here and wherever you are listening. We acknowledge their continuing connection to land, sea and community, and extend that respect to all Aboriginal and Torres Strait Islander people.

Episode transcript

Check against delivery

Miah Hammond-Errey: [00:00:02] Welcome to Technology and Security, TS is a podcast exploring the intersections of emerging technologies and national security. I'm your host, Dr Miah Hammond-Errey. I'm the inaugural director of the Emerging Technology Program at the United States Studies Centre, and we're based in the University of Sydney. My guest today is Hamish Hansford. Thanks for joining me.

Hamish Hansford: [00:00:23] Thank you.

Miah Hammond-Errey: [00:00:24] Hamish is the Deputy Secretary of the Cyber and Infrastructure Security Group at the Department of Home Affairs. He has over 20 years experience across government, including as the inaugural head of the Cyber and Infrastructure Security Centre. He led the delivery and implementation of Australia's 2020 cyber security strategy, and he's worked in cyber crime, combating terrorism and counting child exploitation, as well as on reform of critical and emerging technologies, data security and surveillance. We're thrilled to have you here, Hamish.

Hamish Hansford: [00:00:51] Thrilled to be here.

Miah Hammond-Errey: [00:00:52] We're coming to you today from the lands of the Ngunnawal people. We pay our respects to their elders past, present and emerging, both here and wherever you're listening, we acknowledge their continuing connection to land, sea and community and extend that respect to all Aboriginal and Torres Strait Islander people. So Hamish, the Department of Home Affairs has shifted around to respond to government priorities and you are in a new and expanded role. Can you take us through what this looks like, broadly for home affairs and specifically for your role?

Hamish Hansford: [00:01:20] Sure. So the Cyber and Infrastructure Security Group covers both my previous role, which is the Cyber and Infrastructure Security Centre covering critical infrastructure regulation. Also have an industry partnership division, really looking at critical infrastructure policy, how we do national collaboration. Then we've got our digital policy and digital security policy division, which really looks at what are the cyber security challenges for Australia, what are our critical technology challenges for Australia from a security perspective, and what are the identity and biometric security challenges that Australia needs to face? And then finally we've got a cyber security response division which really looks at how do we harden government IT, but how do we also respond to cyber instances that occur across the Australian economy. So we're trying to bring together that whole mission under one group and we're there in total support of the National Cyber Security Coordinator when they're appointed.

Miah Hammond-Errey: [00:02:16] And on that, you've been responsible for reforms to the Security of Critical Infrastructure Act or SOCI Act, and led the principal regulatory authority for all of the critical infrastructure in Australia. It's it's a really significant reform program. Can you explain briefly why it's important and what it actually covers?

Hamish Hansford: [00:02:34] So from 2018, we legislated quite a narrow definition of what we meant by infrastructure, just covering for different classes of critical infrastructure. So ports, electricity, water, gas and subsequently running alongside telecommunications security. By the time we got to develop the 2020 Cyber Security Strategy, the overwhelming threat environment, the understanding and input by industry was, you've got to expand the definition of what's critical. So you've got to really look at the infrastructure that powers the economy. That really creates us as a prosperous nation and protect it en masse. And so we went about in 2020 legislating for a much more expanded set of critical infrastructure. Now 11 sectors across 22 different asset classes. So covering the full field of what we mean by infrastructure and then putting in place both preventative and responsive obligations and frameworks.

Miah Hammond-Errey: [00:03:32] Can I just jump in and ask you to explain what an asset class is for the listeners?

Hamish Hansford: [00:03:36] If you look at the the energy sector, it's particular electricity, electricity generation, storage and transmission assets. If you look at the telecommunications sector, it's particular telecommunications networks. If you look at health care, health care is a really big sector of the economy. We could we could have gone down and called every GP critical. But what we've said is it's hospitals with functioning intensive care units as the most critical acute area of requiring protection. So we're trying to get pretty granular on what we mean by critical infrastructure right down to the asset level.

Miah Hammond-Errey: [00:04:13] Awesome. We're going to come back and get a little bit deeper in SOCI for the real nerds,

Hamish Hansford: [00:04:17] I could talk for hours if you like.

Miah Hammond-Errey: [00:04:18] I have no doubt, but we'll just cover off on a few other things. First, it seems like what you've outlined there is this new group is is blurring the line between what we think of as cyber and critical infrastructure. What benefits and challenges does that have from a coordination standpoint?

Hamish Hansford: [00:04:33] So I think overwhelmingly cyber challenges really actually challenge infrastructure. And when you kind of look at the cost of some of the risk mitigations we've put in place, cyber overwhelmingly is the most expensive cost for mitigation of of risk. And so if that's what's driving one of the key threats for infrastructure, that's then consequently our focus and I think really why we're calling out cyber and infrastructure. Security because I was so important and we'll be into the future. And then I think supply chain security is kind of the next big challenge that we've got as a country. When we look into securing our own systems, we then think about, well, what else might be able to impact the functioning of businesses, of infrastructure, of of particular individuals and supply chain features pretty heavily. So that's why I think they're they're immersed together both in the title of the group that I run. But I think foundationally, in terms of the day to day work of infrastructure providers.

Miah Hammond-Errey: [00:05:33] Great. That's really good insight. Thank you. And it's really important, I think, for people to to be aware of those interdependencies is something, as you've brought up with the supply chain there, it's coming for second and third order effects that we don't always think about in our everyday life. Can you talk us through government responses to the Optus and Medibank breaches? And I know you've kind of spoken a little bit before about the changes that have happened since then. So how would government work through a similar issue now?

Hamish Hansford: [00:06:00] Well, we work through cyber incidents every day almost of the year, and I think Optus and Medibank were great learnings for how we respond to cyber incidents, both from a technical perspective, which is the key role for the Australian Signals Directorate, Australian Cyber Security Centre. And I know you've had Jess Hunter on one of these podcasts before and she's talked you through the technical response. What we've learnt out of some of the big cyber incident instances that have happened across the economy is, there's consequential harm that could occur for individuals who might have lost some of their identity documentation. And so we've put a lot of thought into how we respond, and that's one of the key areas of my group. We've set up a cyber response coordination unit to enable the coordination of responses. And we at the Commonwealth level, we we often think about response in harm mitigation or a consequence management perspective and have called a national coordination mechanism, for instance, in some of the recent cyber instances. And that's that, that Secretariat function and that national coordination function is run by our National Emergency Management Agency. And then the subject matter experts surge in really when when we're in COVID, in the middle of COVID, there were different events that really caused national coordination arrangements to come together and have quick meetings, really outcomes focused, bringing together a whole range of disparate stakeholders. And we've used that same methodology for cyber instances and cyber incidents.

Miah Hammond-Errey: [00:07:34] Yeah, that's great. Thank you. I know so many people often, often don't see the whole machinations and wonder how it comes together. And you've kind of touched on there some of that stakeholder engagement with industry. How have you seen industry and academic engagement particularly evolve over your time in government?

Hamish Hansford: [00:07:51] I think particularly over the last couple of years, we've been consulting on cybersecurity reforms, on critical reforms, and I just see that the consultation and collaboration is just getting so much better. And so even with the most recent call for views for the cybersecurity strategy, we've seen very high-quality, thoughtful submissions and lots of thoughtful roundtables where people are up for the challenge of thinking about how do we create in the Minister's mind, the most secure country from a cybersecurity perspective by 2030. People are up for that challenge and we're seeing people proactively reach out, particularly on the critical infrastructure side, we see people who are highly mature, who say, 'How can I help nationally?' We've learnt a lot by running exercises, by implementing a change program on risk management. How do I now help others? And, and a great example of that is our we've set up a data sector working group under the Trusted Information Sharing Network and they're, they're thinking about how do we help smaller players in regional Australia. That's one of the challenges that they're up for and it's really great to see that level of collaboration and engagement.

Miah Hammond-Errey: [00:09:03] Yeah, it must be really exciting because often engagement in democratic processes is, is not thought of as, you know, industry strong point. And yet I really see that groundswell of interest in contributing to better policy as well in particularly in the tech policy space. So we're going to dive a little bit deeper into the SOCI Act for all the nerds out there. Firstly, though, can you talk us through the past year of mandatory cyber incident reporting.

Hamish Hansford: [00:09:30] When you think about the figures? So in the first period, which was April to December of 2022, we had 47 cybersecurity incidences reported into report cyber. And they've they've ticked the box that they were a critical infrastructure entity and they've told the regulatory authority, the Cyber infrastructure Security Centre. So what that really means is 47 successful cyber impacts on either the confidentiality, availability or integrity of a critical infrastructure asset. And that that stands in contrast, for example, to one cyber incident reported every seven minutes for all of Australia, which is the latest reporting out of the Australian Cyber Security Centre. So we are looking at that information and saying actually that's a lower level of successful cyber incidents impacting infrastructure than we would have expected. But we did set the threshold pretty high. We really wanted to know what are those successful incidences that actually are causing an impact? Fortunately, we haven't had any significant cyber incidences reported, which is great because if there's a significant incident, then we've got something that's going majorly wrong.

Miah Hammond-Errey: [00:10:40] The legislation covers a broad range of critical infrastructure assets and roles relating to them. Can you describe how recent efforts simplify asset definition and obligations for critical infrastructure, responsible entities as well as the direct interest holders?

Hamish Hansford: [00:10:56] Sure. So we've set the task for ourselves at the passage of the legislation back in April of 2022, the second of two pieces of legislation to try and make the SOCI Act much more user friendly. So we've just finished a significant amount of guidance which tries to break down for people who are wondering, am I a critical infrastructure asset, tries to break down what we mean by a different asset classes so, so different people can look at our website now and say, Actually, I think I meet this definition and it takes you through the journey about whether or not you are. I mean, the easiest thing that we could have done is just use companies and said, Yep, this company is critical infrastructure, but it doesn't get to the philosophy of actually which part of the company there might be a company that does 20 different functions. We might be interested in one which is about electricity generation, or it might be about the running of a telecommunications network or the running of a hospital. So we've tried to break it down and we've tried to also provide in the act the ability to to narrow the definition if we need. And we've done that for particular hospitals. The hospital definition covered a lot of hospitals in Australia and for the application of the risk management program, for example, we've narrowed the definition to really focus on those major hospitals in Australia that might then require risk mitiga[tion].

Miah Hammond-Errey: [00:12:18] The newly released critical infrastructure asset class definition guidance is intended to reduce confusion and complexity for industry, and you've just outlined how that works. And having rules in various instruments does make you more nimble to responding to different situations, obviously, rather than requiring legislative amendments. How will the critical infrastructure risk management plans required under the latest February rules help boards and senior management to take responsibility and manage risk for assets?

Hamish Hansford: [00:12:45] So over the next six months, the critical infrastructure will be developing a risk management program. And so that will be looking at what are the material risks that impact the functioning of my infrastructure asset and how can I, as far as is reasonably practicable, mitigate those and then looking at the kind of three or four areas. One information and cyber security. Two, the personnel security issues that might arise for people having access to the critical parts of infrastructure. Then looking at the critical components of the physical bits of infrastructure and then supply chain issues. So by August, we hope that every critical infrastructure asset will have a risk management program. Then the process that we've put in place is that annually we're asking boards to attest that the companies have a risk management program. It's been kept up to date, it's being adhered to and to receive an annual attestation. The first one is required between the 1st of July 2024 and the 28th of September 2024. And so that's the point at which boards will be saying, Do I have a risk management program? Is it adequate? So what what we're really trying to do when you boil it down is help the security managers, the chief risk officers, the CISOs actually have that conversation with their CEOs and boards and get the board to take board-level responsibility for their risk management. We thought that was a better approach than saying submit it to the government, get them to sign off on it, Actually getting boards involved and getting boards to attest we thought was a change in the culture of the way in which some companies operate. For others, it's routine business.

Miah Hammond-Errey: [00:14:25] Government has set a goal to be the world's most cyber secure nation by 2030, and it is a hugely aspirational goal. How far off that are we now and what do we need to do? I mean, obviously, you know, consultation and drafting of a new cyber security strategy, but kind of where are we now and and in such an aspirational goal in seven years, you know, where do we need to be?

Hamish Hansford: [00:14:47] Well, I think the second part of your question is easy to answer, because if you have to be a leader in every single part of cybersecurity, whether that's international critical infrastructure, general economy, small to medium enterprises, education, skills, whatever you kind of think of in terms of cybersecurity, that's a big requirement for Australia. But I think it's not coming off a zero base. We've got different elements of our cybersecurity maturity that have really great parts of the economy and areas where there's work to do. We've got, we've talked about a world class leading set of critical infrastructure laws. The challenge now is about implementation of those laws. Building capability. So I think we've got really good elements and we've got areas for improvement.

Miah Hammond-Errey: [00:15:35] We talked a little bit about the risk management plans for critical infrastructure and engaging boards and senior management more. Do you think something like that will be reflected in the cybersecurity strategy?

Hamish Hansford: [00:15:45] Well, I think the the work that's been done to date on critical infrastructure will be foundational. It kind of has to be, because that's an area of work that we've worked on to try and lift infrastructure. The big question then is what about the rest of the economy? What are the types of things that might help improve Australia's cybersecurity outcomes? And the discussion paper really points to a whole range of possible initiatives that the government might consider, including what's the responsibilities of different companies? What role should boards play? Does Australia need a cybersecurity act? All of those types of issues are things that the government is looking at.

Miah Hammond-Errey: [00:16:27] How have the states and territories responded to this challenge?

Hamish Hansford: [00:16:31] Yeah, so I work with states and territories through the National Cyber Security Committee. So effectively the state and territory chief information security officers, it's a highly engaged, collaborative group. Every state and territory is looking at cyber security as a really key priority. Many of the states and territories have that function vested in their premiers or chief minister's departments, so taking it very seriously. States and territories are engaging very significantly in the policy agenda and really thinking about how do we collectively as a set of governments across Australia, improve cyber security? How do we look at government security as part of that? How do we think about cyber security response and then how do we think about the uplift that's required across every part of the economy. So a strong part, strong partnership and strong collaborators.

Miah Hammond-Errey: [00:17:23] The US has also released their own cyber security strategy in March of this year. And and we know that one of the drafters was seconded briefly to Home Affairs. Has there been a lot of alignment between the two processes? What can you share about that? And you know, in terms of that US strategy, there was a significant component about the international reach as one of the pillars. They had five pillars in their strategy. Can you talk a little bit about the Australian version? The alignment between them and our role in the region?

Hamish Hansford: [00:17:52] Sure. So we're learning a lot from the US strategy, particularly about their narrative, their engagement with industry, and we're talking to the the US Government about lessons learned and as you mentioned, have had one of the key writers out here in Australia talking to us about the process that America went through. More generally then I think we we have really put the international and domestic elements together in the consultation for the cyber security strategy under Assistant Minister Watt and Minister O'Neill. We're bringing together both the domestic and international elements of cyber security into one strategy. So that's the big change that you'll see in 2023, comparative to other years where there's been a effectively a domestic cyber security strategy that points to international activities and then a subsequent a separate international engagement strategy that sits alongside that that's being built together as one cyber security strategy. And I think it does really demonstrate then that domestic and international really go to a cyber security environment where things don't are not bound by laws. Actually leadership in the region, leadership internationally and domestic leadership are both equally important.

Miah Hammond-Errey: [00:19:07] It's really exciting to hear because you do hear this kind of glib response of domestic and international so often, but then end up being separated. So it's really nice to hear there being developed in conjunction with each other. I'm going to go to a segment now where we talk about alliances and you've kind of touched on it, but if you could elaborate a bit, what countries are leaders in elements of critical infrastructure and cyber policy?

Hamish Hansford: [00:19:33] Well, I think there are a range of countries across the world that have really good elements. So France's critical infrastructure regime that we thought about, we looked at we consulted with the French government in the design of our critical infrastructure regime. We think about Japan, India, the United States as key thinkers on cyber security and critical and emerging tech. European countries, some of them are doing some really interesting work. NATO is looking at critical infrastructure as well. Some of the Nordic countries are really forward leading on cybersecurity and infrastructure security issues. The UK have really good elements on telecommunications security, so we're looking at the whole range of different areas. Singapore looking at government security. So I think when you look at different countries, the really great thing about working with international partners and we're partnering with. Australia's the lead on the Counter Ransomware Initiative Task Force, really partnering with a whole range of countries. And the thing that really strikes me is that no, no individual country has all of the answers, but actually together we probably do. And there are really good elements from a whole range of different countries that we can learn from, emulate, partner with and, and seek to build on.

Miah Hammond-Errey: [00:20:52] It's remiss of me not to ask have asked a direct question. So can you take me through the counter Ransomware Task force? It was set up late last year, I think. And where is it at now?

Hamish Hansford: [00:21:02] So it's a group of countries really thinking about under the leadership of the US who convened us all thinking about how do we best counter ransomware as a really big challenge to our respective societies. Australia has taken on the lead of the Counter Ransomware Initiative Task Force, so we're thinking about what are the individual response initiatives that can make us a much more secure set of countries, much more prepared to respond to ransomware. There was a recent meeting in Belfast of that grouping and we're starting to build out a whole range of projects that go from everything from information sharing to sharing of capability to thinking about capacity building. So a whole whole range of initiatives that really go to no one part of a society and no one society has all the answers on countering ransomware, but actually we're stronger together with different countries. And this is a bit of a different sort of grouping, but bringing us all together for a singular purpose.

Miah Hammond-Errey: [00:22:06] Yeah, absolutely. And this ability of, the idea of being able to collaborate with other nations to mitigate individual harm as well as protect national security is is a really difficult challenge. How do you approach that collaboration then, especially when you're talking with nations that have really different ideas and values?

Hamish Hansford: [00:22:24] So I think there are always conversations between different countries that you can have, and I think that's really important to have dialogue. When we when it comes to collaboration and engagement, there are obviously different areas where we have deep expertise that we share with different partners, and we do that on a really trusted basis. But I think having those international conversations and actually having debates and discussions is really healthy for the globe and actually building different relationships on different issues. I think we've talked about the Countering Ransomware Initiative Task Force, that's a whole range of different countries and, and really partnering and understanding where people are coming from, actually builds out a whole set of new ideas, some of which we've never thought of before.

Miah Hammond-Errey: [00:23:16] Given the, you know, the discussion that we had a little earlier about just how wide-reaching technology is in every part of our life, it seems like there's going to be a lot of issues like this coming forward. You know, you've got TikTok, but you've also got, you know, foreign-made cameras in government buildings. This is a huge amount of ground to cover. And how do you start to look at these issues from a national security and personal harm perspective?

Hamish Hansford: [00:23:42] So I think Australia has set out in all of those different issues you've mentioned and way back as far as 2018 where the government of the day set out a framework for high-risk vendors in our telecommunications network. I think Australia's got a pretty good track record of looking at technology risks, technology security risks and putting in commensurate responses to to look at well, what are the areas about where education might be a good response? What are the areas where there is a direction required? And that's obviously one of the areas the government has made a decision on in relation to one element. But but I think we're up for the general discussion about how to best secure technology. Our perspective is there are some technologies which are fundamental to society which can be used for security, against Australia's security. So so we're focused on those particular areas.

Miah Hammond-Errey: [00:24:45] We're seeing tech decoupling in some areas between the United States and China. What are some of the tensions from your your perspective and how far could it and should it go?

Hamish Hansford: [00:24:54] So I think one of the big areas is transparency. We've put out, for example, some critical technology principles about what what do we as a government look at in terms of the requirements from technology providers? And so I think that really looks at what are the things that Australia expects from society generally and from technology in particular. And so transparency rates really highly on there. And so I think that the more we start to think about technology, well think about the balance between regulation, market intervention, what that looks like. We're looking at things like supply chains, we're looking at things like how do we we secure technology, how do we look at telecommunication systems? I think they're all going to be live discussions as technology continues to impact on our society. And it's always in the frame of what a liberal democracy would expect.

Miah Hammond-Errey: [00:25:53] So you've mentioned supply chain security a couple of times. Now, interestingly, you know, on the podcast, I've had really diverse views and some of them, you know, Jess, for example, highlighted the role of being able to secure devices, no matter where components have come from. There is a real discussion, particularly in the US, about kind of a bigger decoupling or a stronger decoupling. Where do you think we sit in terms of supply chain security? And you know, you've highlighted there the principles and particularly of transparency. What does that look like?

Hamish Hansford: [00:26:25] So I think supply chain security, we learnt during the pandemic that it is really important because we kind of used to rely on a just-in-time methodology and that was blown out of the water as we saw so many different materials from across the world, no matter what it is, technology related or building supplies, food. So I think supply chains just generally have been stressed and people are looking deeply into them. One of the prudential standards is looking at third- and fourth-party supply chains, which is is interesting in a regulatory sense. So I think Australians, Australian businesses, the government is just looking at supply chains generally as a result of our environment over the last couple of years. And I think that that will continue no matter what part of the supply chain there is. And I kind of look at it, critical infrastructure. And when we couldn't get people over to Australia for repairing of our infrastructure assets, we thought about different ways to respond. So I think we're looking at supply chains generally. I think that's based on our history and the disruption that occurred with COVID. But I think whether it's technology or otherwise, they'll just become increasingly important.

Miah Hammond-Errey: [00:27:35] We've seen various efforts to regulate AI, including Europe's AI Act and the Biden administration's AI Bill of Rights. We've also seen on the other end of the spectrum, Italy temporarily ban ChatGPT and China's draft regulations on generative AI. You know, you mentioned it before, but but why do you think AI is so difficult to regulate?

Hamish Hansford: [00:27:56] I think any new technology, any new element of an economy, regulation and legislation almost comes as a secondary nature. So we kind of think about 5G and then the regulatory responses that that occurred in, for example, 2018. As I've mentioned, I think AI is no different from other technology except to say that the sophistication, the ability to use AI in a whole range of different scenarios. I think we're grappling with what what might be the scenarios in the future and then we'll see legislation and regulation potentially catch up to mitigate some of those consequences that might arise from a security or safety perspective. But I think AI is, has infinite possibility. And so if you think about that, we're always going to be looking at new technologies and new areas of society and what's the legitimate right of the government to intervene to protect the population versus the right of the market to operate. That's always, I think, going to be a perennial question.

Miah Hammond-Errey: [00:29:01] Absolutely. And do you see that there are any tensions between democracies and regulation of such fast-moving and impactful technologies?

Hamish Hansford: [00:29:10] Well, I think that's what we've got parliaments for. I think that's why they're there to have that debate between what's what's legitimate and what what might be the guardrails that we put in place. And having supported governments to introduce a whole range of legislation over the last, well, 22 years, I think that that's a live discussion and it's something that we've always got to balance as a democracy and we've always got to continue to look at different frameworks. And it's not too, too long before legislation needs to be reviewed and updated in a whole range of different situations. I've worked, for example, on very technology related reforms, and there's always that balance between technology agnostic regulation and legislation versus being really prescriptive. And I think that's a challenge of a democracy to continue to look at how do you best legislate and how do you balance personal liberty and freedom versus the protection of the greater populace?

Miah Hammond-Errey: [00:30:08] Yeah, absolutely. And it seems like I, you know, in some ways we've regulated every kind of historical harm to date, so we will manage to regulate AI in some capacity. But it does seem as though our approach to regulation of AI might set us up for future for future technologies. And, you know, one of the things you just alluded to there about not being too prescriptive is really significant because when we look back at legislation that was passed only 20 years ago, you know, the digital society we're in now isn't reflected. And so we need to be able to have nimble legislation and regulatory frameworks that actually allow us to respond to new technologies as they emerge. I'm going to go to a segment here, Emerging Tech for Emerging Leaders. You've held some leadership roles during really big tech developments. Can you give insight into how you've led others to navigate major tech changes or regulation in your career?

Hamish Hansford: [00:31:05] Sure. It's like a job interview, isn't it?

Miah Hammond-Errey: [00:31:07] So hopefully not as difficult. Hamish.

Hamish Hansford: [00:31:11] That's true. That's true. Hopefully not. And there's no job at the end. I've already got one. But but I think one of the big challenges to lead people is how do you describe what can often be really complex technical legislation or technical technology issues and try and get a deep understanding of those, but then at the same time be able to explain it in a really simple way that members of the public can understand that people who are legislating on and have an expertise, for example, in law or parliamentary issues, you can you can start to shape a narrative. So one of the the big areas that I've focused on in my career is how do you build a compelling narrative? How do you then use your expertise to put that in a frame where people can clearly understand? Well, I certainly hopefully get better over time. And I know my staff are looking at the last couple of years, what we've done, what we can do better, and how we can start to to actually involve our own staff, but but also others in a national conversation about every change that we'd like to make in in society from a security perspective.

Miah Hammond-Errey: [00:32:21] Thank you. I just realised I haven't set the bar high enough because you didn't say it was like Senate estimates. So I feel I've failed. Can you share some emerging technologies you think up and coming leaders of today and tomorrow need to know about?

Hamish Hansford: [00:32:34] Sure. I think I think you've mentioned AI as really the foundational change. But when you look at what we're worried about in the future, synthetic biology, a whole range of different technologies I think have the ability to fundamentally transform society. But I'm going to be a little bit simpler and say 5G, rolled out across the world, foundational change in network technology. I think we've got a huge opportunity both in Australia and across the world to think about what's the functionality that can be developed on those networks. And we're certainly not using the full functionality of 5G networks, and there's a whole lot of opportunity ahead and that's really what I'm thinking about on a day to day basis.

Miah Hammond-Errey: [00:33:22] For the non telco nerds out there. Can you explain what you mean?

Hamish Hansford: [00:33:25] Well, 5G foundational speed technology and actually starts to change telecommunication networks from having a central core to a much more disaggregated network, which means that there's software that can be developed on top of 5G networks, which could do everything from changing the way we work to the way that we do medicine, to the way that we look at our housing. It could be much more energy efficient, have great impacts on our environment. So a whole range of possible applications and devices and software that we could run on 5G that we don't necessarily today. Starting to emerge, obviously, when you look at your phone and when you look at different devices, but so much more opportunity.

Miah Hammond-Errey: [00:34:12] Thank you. Just a final question on the emerging tech for emerging leaders. What are some of the key transferable skills between regulation, technology and security?

Hamish Hansford: [00:34:21] Well, I think that there are so many life skills which can apply to everything. And people often ask me, what does it take to work in a security environment or or what do I need to understand from a technology point of view? And I come back to two kind of really key skills. One is the ability to solve problems and legislation, regulation, security issues, technology are all just different problems waiting to be solved from my perspective. And the second thing is what makes people stand out from others, I think is the level of curiosity, the level of engagement and the level of buy in that individuals have to any particular problem. And I think they go hand in glove with each other. Not a popular answer, but but one I think is has great utility.

Miah Hammond-Errey: [00:35:07] It's actually really interesting. The more that you are engaged in emerging technologies, I think the more that you start to value the very essential human components. And particularly as we move forward with human and machine interaction, the role of leaders is really going to be bringing that human element. I think it's really important not to lose sight of that. So I completely agree. Coming up is Eyes and Ears. What have you been reading, listening to or watching lately that might be of interest to our audience?

Hamish Hansford: [00:35:35] Well, I read a lot of fiction. So Where the Crawdads Sing was my most recent book, which I thought was fantastic. Not technology related, but more generally turned into a movie. So it's good. About an individual in a forest growing up in the mangroves. So recommend that highly.

Hamish Hansford: [00:35:52] But I've been reading a lot about Ukraine at the moment. Blog posts, different articles, different books. The most recent one was by one of the media representatives to really outline how was media used, particularly in the initial stages of the Ukraine invasion and war, that actually fundamentally changed the way that people responded to the way in which they received information, what was trusted, what wasn't trusted. So I thought that was a particularly interesting perspective. But I think every everything that's coming out of Ukraine at the moment just gives such great insight into what's happened, what's to come potentially. And technology has been foundational to that whole environment.

Miah Hammond-Errey: [00:36:42] It's really interesting. I'm going to ask another question. As you know, I've done a fair bit of work on Russian disinformation. Talking about the role of technology in conflict and specifically around social media use of telecommunications. I guess as an observer, can you talk to what has piqued your interest in that area?

Hamish Hansford: [00:37:04] I think we looked at the issue and the way that Ukraine responded. And you kind of think about, what are the types of responses that work in any situation? And with Ukraine, I think there's been really great innovation and I think that's really what sparks interest in. How does a society who's effectively facing an existential risk actually respond? And I just look at the innovation, particularly from a technology perspective, the ability of the international community then to support the Ukraine government in responses, including deployment of satellites and other multinational companies helping out with moving data to the cloud, the general population and their use of social media. I think it's been a really interesting insight with lots of innovation and unexpected areas of development over the course of the last year.

Miah Hammond-Errey: [00:37:59] Hamish, what do you do in your downtime to keep sane?

Hamish Hansford: [00:38:02] Well, I've got two children, which. Well, I was going to say keep me sane, but keep me grounded if I could put it like that and try and get out most mornings on my road bike to try and make sure that I start the day in a really healthy way. And I think that really keeps me grounded. It keeps me much more focused and really a core, essential part of my life. Without it, I kind of suffer a little bit.

Miah Hammond-Errey: [00:38:27] Is there anything I didn't ask you that would have been great to cover so much?

Hamish Hansford: [00:38:32] We could be here for hours, but. But nothing in particular.

Miah Hammond-Errey: [00:38:35] Okay. All right, Hamish, thank you so much for joining me today. It's been a real pleasure.

Hamish Hansford: [00:38:39] It's been a pleasure for me as well.

Miah Hammond-Errey: [00:38:43] Thanks for listening to Technology and Security. I've been your host, Dr. Miah Hammond-Errey. If there was a moment you enjoyed today or a question you have about the show, feel free to tweet me @miah_HE or send an email to the address in the show notes. You can find out more about the work we do on our website, also linked in the show notes. We hope you enjoyed this episode and we'll see you soon.