When the philosophy of western liberalisation and open marketplaces intersects with China’s preference for state control, it is diplomacy that will provide the way forward. The primary problem? Keeping cyberspace secure while free and open. As a key strategic partner with the US, Australia is leading the way on the approach to cyber and cyber security for APAC on the international stage. Co-CEO Alexandra Mayhew explains.
There were over 47,000 reports of cyber crime in Australia in the 2016-17 financial year.
According to the Australian Government 7,283 cyber security incidents affected major Australian businesses; 284 of these incidents involved systems of national interest and critical infrastructure.
So what are the threats?
While they are numerous, from basic fraud to major data breaches and disruptions (for example, the huge cyber-attack that took the British Health System offline in May 2017), former US State Department Coordinator for Cyber Issues and White House Senior Director for Cybersecurity Policy, Chris Painter, says they can largely be broken down into two categories: technical and policy.
Examples of technical threats include: the rapid growth of information now available thanks to the internet of things (IoT); attacks on supply chains and infrastructure, such as power grids; theft of IP and trade secrets; the availability of data and, more so, the integrity of data (imagine your blood type being changed in the e-records system and what would happen next time you needed a blood transfusion); the increased efforts of cyber criminals mining cryptocurrencies; and artificial intelligence (AI) and machine learning (ML) capabilities being used to conduct attacks.
Threats that will have a particular impact on APAC will extend beyond these. As the majority of people (55 per cent) in APAC are not currently connected to the internet, it is likely there will be large-scale early user vulnerability as this population comes online. Additionally, South East Asia is poised to be a leader in mobile internet usage in 2018, and it is therefore predicted that mobile malware will rear its ugly head to meet this growth.
The second type of threat is driven by policy (often ideology) and offers very different challenges.
The threats nation states pose are very real, and two of the top three aggravators reside within APAC: China, Russia, and North Korea.
The vast cultural differences between east and west are demonstrated acutely when you examine the term used to describe cyber: while those in the west refer to cyber security, China uses the term “information security”. These East Asian neighbours seek cyber management through government control or UN-type bodies. With regard to the latter point, the problem with an international governing body is its inability to manoeuvre quickly, if at all. In March last year, China released a white paper that argued for a new international agreement to increase state control over the internet, extending the existing idea of sovereignty over land and sea to cyberspace. Russia backed the concept, with both countries arguing the change would boost national security.
The problem with this approach is obvious to the west – a government controlled internet poses a host of problems, most notably restriction of information and the impact it has on the democratic process, and with it, human rights.
There is no clearer example of how nation states have used cyber to impact democracy than the 2016 US Presidential Election. The US was caught off guard when Moscow allegedly covertly influenced the outcome of the US presidential election. In January this year, Australian Prime Minister Malcolm Turnbull said cyberattacks such as Russia’s represented “the new frontier of warfare,” and that Australia’s government, citizens and businesses “need to be aware of the threats and how to mitigate and protect against them” (read the statement at ABC News).
Disappointingly, China’s white paper followed earlier efforts by Australia to build more positive cyber policy between the two nations. In 2016 the Commonwealth released Australia’s Cyber Security Strategy, which stated Australia had engaged in “cyber policy dialogues” to strengthen alliances and share information, including with China. Just prior to the report’s publication, allegations surfaced of a Chinese state-sponsored cyberattack on the Australian Bureau of Meteorology, which compromised sensitive systems across the Federal Government. The ABC reported “the motivation for the attack on the bureau could be commercial, strategic or both”. China denied any involvement.
That same year, the Australian Prudential Regulation Authority (APRA) conducted a cybersecurity survey and found more than half of all local financial companies said they had experienced at least one cyber breach in the past 12 months that was sufficiently serious to warrant internal escalation. Top bank executives revealed their institutions were under constant threat from hacking by state-based actors, such as Russia and North Korea.
North Korea continues to be accused of a litany of crimes, including launching an online heist on the Bangladesh Central Bank and the WannaCry ransomware incident that infected over 200,000 computers in more than 150 countries. As sanctions bite, North Korea will retaliate.
Threats driven by policy extend beyond China, Russia and North Korea, and are as varied as technical threats. There are currently over 100 countries developing cyber “defence capabilities” – that’s weapons - and there is little to no legislative or meaningful control around development of cyber weapons. It’s more of a matter of when, rather than if, terrorists will utilise cyber to carry out their attacks; there’s the unknown quantity that is artificial intelligence (AI) and machine learning (ML); and then there’s just the unknown. All real and significant threats to the real world, driven by the cyber world.
So now we’re sufficiently terrified, how on earth do we combat such serious threats?
The east and the west have two very different approaches to how to ‘fix the problem’ of cyber security, and naturally, they are at odds, reflecting the governing mind-set of both cultures. The west’s solution: build international cooperation. Putting aside China’s continued clandestine sanction of cyber-attacks on the west, progress has been made, at least at face value. In 2015 Chinese president Xi Jinping visited the US and agreed with President Obama to strengthen cybersecurity between the two countries, signing an agreement that stated “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” In late 2016, Australia and China unveiled a similar joint statement on cybersecurity. In April 2018, Australia and China further agreed to enhance cyber security cooperation following discussions between Prime Minister Turnbull, Foreign Minister Julie Bishop and Meng Jianzhu, Secretary of the Chinese Communist Party’s Central Commission for Political and Legal Affairs.
Australia and the US are training their diplomats to seek a collaborative approach with other nations and are working to build a collective response to cyber threats.
The Australian Strategic Policy Institute (ASPI) Cyber Maturity in the Asia–Pacific Region Report assesses the national approach of Asia–Pacific countries to the challenges and opportunities of cyberspace. Australia has moved up to equal second on the back of continued investment in governance reform and implementation of the 2016 Cyber Security Strategy. Japan (equal second with Australia), Singapore, and South Korea round out a very close top five countries.
These results are not dissimilar to the 2018 BSA Global cloud computing scorecard, which ranked Japan first, followed by Australia and Singapore. Countries that did well were generally those with strong regulatory frameworks, as well as high broadband penetration. China, Indonesia, and Vietnam were at the bottom of the scorecard, largely due to poor IP protection, deficient data privacy, and lack of policies that promote free trade and cross-border data flows.
Mr Painter argues the best option available to the US and Australia is a diplomatic one; he stated that when the US was under cyber-attack from Iran, they reached out to their regional neighbours and other allies and asked for help. The US offered a quid pro quo. It worked.
Also linked with diplomacy, Mr Painter identifies developing states’ capabilities to cope with cyber as an effective way to manage it. Countries in APAC that fall into this category include Pakistan and Bangladesh. This confidence and trust-building work needed to be a core part of the diplomatic work. An example Mr Painter relayed was mobile payments in Kenya. The payments, which were not even available in the US at the time, demonstrated to the Kenyan government the benefits of accessible internet and the power of freedom of data flows. So a government that may have ideologically leaned towards a system of control saw the benefits of an open approach firsthand.
The UN changed international law, extending it to cyberspace; however, it’s clear, based on what we’ve seen, some of which is mentioned in this article, that it wasn’t enough.
Diplomatic efforts must push the ‘norms’ such as: critical infrastructure and computer emergency response should not be attacked (outside of war time); and do not steal IP to benefit yourself.
A big push needs to be made by other countries to update and enforce their laws. Originating in the Philippines, the “I love you” virus, or “Love Bug”, attacked tens of millions of Windows computers from 2000. Although the hackers were found, the country did not have a law to punish the activity.
Additionally, laws must be consistent across countries. Australia is working on this through the Australian Cyber Security Centre (ACSC), “a hub for greater collaboration and information sharing with the private sector, state and territory governments, academia and international partners to combat the full range of cyber threats”.
Just like hitting the ‘hip pocket’ to engage the public, those promoting cyber policy must bring economics into the discussion. A successful example of this is when the Department of Foreign Affairs and Trade (DFAT) successfully brought development and trade into its cyber policy (DFAT’s international cyber engagement strategy, which ‘champions an open, free and secure cyberspace’, targets the entire Indo-Pacific region).
AI also offers hope. In 2018, those at the forefront of using AI for cyber defence will take the next significant step, according to Sanjay Aurora, managing director at Darktrace Asia-Pacific (the world leader in cyber AI): “we will see the accelerated adoption of proven autonomous response technology, which is uniquely capable of taking precise, targeted action to neutralise novel cyber-attacks as they emerge”.
Despite the policy threats, most online criminal activity continues to be perpetrated by non-state actors. In 2016–17, cyber maturity across the Asia–Pacific improved and the region again avoided a major incident. Looking at the big picture, the overall trajectory, for now, remains positive.
Alexandra Mayhew attended the United States Study Centre at the University of Sydney on 8 March 2018 to hear from Chris Painter, the former US State Department Coordinator for Cyber Issues and White House Senior Director for Cybersecurity Policy.
The Shell Issue 11