Posted on ASPI’s Strategist blog on 8 March 2023
If you work in the federal government in Australia, you know there’ll be occasions when ministers call for ideas—and kudos to Minister for Home Affairs Clare O’Neil for grasping the opportunity presented by the Optus and Medibank hacks.
Savvy bureaucrats know how to exploit such opportunities. Proposals will be close to hand that, with a bit of wordsmithing, will serve the minister’s need. In some cases, those proposals will simply be the latest variation of long-held policy beliefs or bureaucratic positions.
We can see elements of that in the latest cybersecurity initiatives announced by the government.
New agency? Check. That was the Australian Cyber Security Centre, originally established to fuse intelligence and coordinate defence and response.
New coordinator? Check. Alistair MacGibbon occupied that role.
More legislation? Check. Politicians like legislation. But Australia already has so much of it—often ill-suited to needs, as we saw with the Optus hack—that the idea that the problem can be fixed by more legislation is at best questionable.
Greater consolidation of power? Check. Another agency will be located within Home Affairs. That brings operations, policy formulation and ministerial advice together under one roof. Sometimes consolidation is good, but it risks undermining contestability, a cornerstone of democratic governance.
Because of the pace of technological change and social adaptation, what has worked in the past in cybersecurity may not serve us well for the future. And cybersecurity itself represents a difficult challenge.
Eric ‘Astro’ Teller, who heads X, Alphabet Inc.’s ‘moonshot factory’ for big ideas, uses a heuristic to describe how to tackle difficult world-changing problems: such problems, he says, can be like getting a monkey to recite Shakespeare while standing on a pedestal in Hyde Park.
If we hope to make real progress, it’s important to tackle the tough part of the problem—getting the monkey to recite Shakespeare. That’s hard. But most organisations get caught up on the easy part—building the pedestal. Building a pedestal is doable; it gives the illusion of progress and achievement.
And that’s the danger here—that we’ll end up building more pedestals, expending so much of our energy and resources that there will be little left for tackling the hard work of cybersecurity.
So rather than reinventing pedestals, what are the really tough problems of cybersecurity that a government needs to address?
Well, we can agree that cybersecurity represents an existential challenge to democratic societies. At its core lie deep questions about the sort of society we want to live in, the opportunities we want to create and the fairness of our systems of governance—and all in the context of other systems and ideologies.
As we’ve been reminded each day of the Robodebt royal commission, our government systems quickly and unaccountably encode expectations, prejudices and behaviours into digital systems. How we think about and interact with technology—not just the management problem of cybersecurity—matters.
At the heart of those questions lies the balance between security, liberty, privacy and agency. We know that good security protects privacy, and that privacy is critical to good security. We also know that trust in democratic government depends on accountability and transparency—and mechanisms for redress when things go awry.
Keeping cybersecurity under Home Affairs exacerbates the conflation of an intelligence/offensive approach with an enforcement/criminal perspective and the focus on attribution and punishment. Such mindsets generally are not readily open to preferencing individual liberties or civic agency.
When we consider how cyber tools are used against us, it is worth considering the insights emerging from the war in Ukraine.
Ukraine’s resilience is the result of withstanding continuous targeting and assaults for around a decade by Russia. Ukraine has been forced to continually learn and adapt, enabling it to prepare well ahead of time, rather than rely on one-off policy statements.
Ukraine has harnessed civil society effectively, enabling individual agency while supporting community groups and not-for-profits. That, plus the relationships with the commercial sector, is helping Ukraine apply and deploy new technologies, defensive measures and tactics, while retaining the essential characteristics of democracy.
Australia has all the advantages of Five Eyes membership, but those benefits are held deep within the well of the intelligence community. And there’s a ways to go in establishing responsive, collaborative relationships between Australian companies and a government that can at times be tone deaf in its dealings with industry.
All this points to the need for a mindset change. Cybersecurity is, in James P. Carse’s terminology, an infinite game; it is not bound by the finite-game concerns of politics in Canberra.
Infinite games—in contrast to finite games—have no single universal, agreed ‘winning’ condition. Nor are they bounded; indeed, in cybersecurity the available attack surface and opportunities for exploitation are infinite and everchanging.
Under such conditions, cybersecurity is not an endpoint, a single achievement or a guarantee—whether by a government, a company or even an individual.
Some may see the open-ended, unpredictable and unending nature of cybersecurity as a deterrent to attempting good policy outcomes—after all, if claiming a policy ‘win’ is impossible, why bother and expose oneself to political risk?
But that’s a tad misguided. There is an optimistic side to cybersecurity. We engage because cybersecurity is something we work at and in doing so earn the right to keep doing. And by continuously learning and adapting, we get to shape our own destiny and take ‘an unfinished past into the unknown future’. That’s much better than looking back, shutting doors and barring windows—and burnishing pedestals.
Posted on ASPI’s Strategist blog on 8 March 2023