Rory Medcalf, Head of the National Security College at the Australian National University, talks about a report that exposes serious gaps in Australia’s cyber defences
Introduction: Serious gaps in Australia’s cyber defences
Ross Greenwood: Welcome back to Money News right around Australia. I’ll tell you what, think about the future. It is always really worth dreaming about. Just in the last little while, in a very automated future, as no doubt we will have, think driverless cars. There’s even a report today about pilotless planes. It could save airlines billions of dollars. The question is would you trust that technology?
The second part of it, having had a taste a little while ago with that WannaCry ransomware that went around the world, and in Europe, held up utilities effectively to ransom. This is government utilities. It really makes you question how safe, how sound we’d be here in Australia if say, for example, all the automation, for whatever reason, had to be turned off. Would we be able to quickly go back to the old days?
When you sit there and think about this, you go to driverless cars as one classic example. Automation in so many factories now relies on the internet connection. If you then go to medical devices in the future, that will also be a part of the things that need to be controlled. That there is no question that they can continue to operate as they should, that they cannot be compromised.
Then think about the national security threat because that’s exactly what’s been done in what otherwise is called a game playing exercise, a stress testing exercise. This has been done between the National Security College at the Australian National University. Also, RAND Corporation. RAND Corporation, of course, is the American nonprofit global policy think tank that’s been going around for years and years, has obtained dozen Nobel Prizes, and so forth.
They’ve sought to try to stress test Australia. For the very first time, a simulation of major cyber attacks and how to deal with them. The professor and the head of the National Security College is Rory Medcalf. He’s on the line right now. Many thanks for your time, Rory.
Interview: Rory Medcalf, National Security College
Rory Medcalf: Pleasure, Ross.
Ross Greenwood: This idea of stress testing Australia for its systems and how it would cope. First up, where was it created, this concept?
Rory Medcalf: You’re right. It is a game, but it’s a very serious kind of game. The idea of conducting simulations and scenarios like this has been around for a long time. It’s still quite popular in the American strategic community. We don’t tend to do it a lot here in Australia. It’s fair to say that this is something that both RAND and the National Security College wanted to do. I guess a trusted place where we could play a very serious game in ways where real decision-makers were put into a hypothetical situation and had to make some very hard decisions without, I guess, too much awkwardness or embarrassment.
Ross Greenwood: Okay. First dumb question, why did you base this scenario in 2022? Why was that year particularly relevant in your mind?
Rory Medcalf: We’re thinking simple terms of 5 or 10 years. Five years is far enough ahead that it’s plausible, it’s realistic, it’s believable, but it’s not today. It’s actually useful for decision-makers. We had corporate leaders, we had CEOs, we had government officials, we had ex-intelligence people in the room. If you put it in the near future, I think they can almost admit to the fact that we have great policy paralysis on a lot of these issues, that there are no good solutions. They can admit to that a little bit more easily than if you said this is all about the here and now.
The other reason we went five years into the future, Ross, is that the internet of things that you’re talking about, all of these connected devices, this revolution is happening right now but we’re going to feel the full effects of it within a few years. Certainly, within five years. Even within two years from now, we estimate that every Australian household will probably have about 24 internet-connected devices. Most people won’t even realize that some of those devices, it could be your fridge, for example, are going to be connected to the internet. The risk environment is coming very soon. We thought five years was about the right timeframe.
Ross Greenwood: Okay. I’ll put some of the terrible scenarios that you contemplated as a part of this stress testing. One was a criminal enterprise, evolves around extorting business, government agencies, and community organizations. You had things such as factory machinery, restaurant refrigerators, holding them to ransom. Then ultimately, implanted medical devices, the deaths of 12 elderly Australian patients.
In the meantime, a hack against a driverless automobile goes awry, causing it to veer into a crowded sidewalk and killing three pedestrians. The issue is, what do you do? You can’t go backwards in many of these cases once that genie is out of the bottle. It’s very difficult and you’ve got to make certain control is maintained at all times. How did Australia cope?
Rory Medcalf: Not well is the short answer. I think of this as one of those games where pretty soon all of the players realize there is no good answer. If you simply take a reactive approach, if you don’t prepare for those problems once these issues strike, we had questions like, for example, “Do you suddenly take all driverless cars off the road? Are some people allowed to keep their cars on the road because they paid some kind of new cyber insurance?” Which, of course, generally doesn’t exist yet but which we think will be a thing within a few years.
Do you have to suddenly withdraw all sorts of products from the market because we simply don’t have certification? It became very clear in the game that the only way to deal with this was through prevention. I guess the wake-up call for this was that these scenarios, plausible scenarios five years from now, showed that the government needs to be intervening pretty heavily now on things like safety standards, certification, and so forth. If we leave it to industry alone, if we leave it to, I guess, profit margins alone, that is not going to be the solution.
Ross Greenwood: You say that we should intervene now, but even from a regulatory point of view, surely, because the world is moving so quickly. Then even now we have borderless transactions with cryptocurrencies like Bitcoin, we’ve got the darknet where nefarious transactions are undertaken outside of the gates. We’ve got communication devices such as WhatsApp where people can suddenly disappear off the grid when they’re communicating with each other. These are issues that confront governments right now, aren’t they?
Rory Medcalf: Absolutely. I think that the approach that was developed in the game where we had corporates and government people talking very frankly with each other, and obviously I’m not naming names, a trusted environment where the corporates acknowledged that they were looking to government to take the lead. Government was looking to the corporates saying, “We want you to be socially responsible.”
I guess one of the solutions that came out of this was that maybe we don’t take it in terms of hard regulation. Instead, we develop a certification system where Australia can actually become world’s best practice because Australia is an early adopter of technology. This often makes us at risk of things going wrong quite early. Australia can make better a virtue by developing something like a cyber kangaroo stamp of approval on products that have been certified in Australia even if they weren’t produced here so that people know to trust the stuff that Australia learns to trust.
Perhaps, this could in time lead to export industries, could lead to Australian Intellectual Property making a bit of income for this country. There were some creative solutions that came through this, but the clear message all the way through was we’ve got to get started on this right away.
Ross Greenwood: I tell you what, it also harks back to an interview I did last week with the former Deputy Director of the National Security Agency from the United States, Chris Inglis. One of his great warnings about all of these was the threat of foreign governments trying to interfere in elections he believes is real. Has been real in the past and is likely to be real in the future as well.
Of course, the scenario is going to be tested. The systems have got to be tested and the safety of the community, hopefully, is also ensured. Rory Medcalf, the Professor and the Head of the National Security College at the Australian National University that conducted those trials with the RAND Corporation. Rory, really appreciate your time here on the program.
Rory Medcalf: That’s a pleasure, Ross. Anytime.