 Good evening, ladies and gentlemen, fellow alumni members, students, visitors from overseas, ladies and gentlemen. I'll be your moderator for this evening. My name is Joe Franzi for those who don't know me, which is probably less than half of the audience here. I'm currently the Director for Executive and Professional Development here at the National Security College, but for the last five years my life was in cybersecurity. I was the head of cybersecurity at the Australian Signals Directorate, which also involved the transition into the new Australian Cybersecurity Centre. So it didn't take long for the college to stitch me up for a cyber related activity, which I'm very pleased to do. I certainly want to put out a special thanks to our international guests who've travelled from Canada and the United States, although the United States paroled Professor Fred is still in transit, the UK and other places as far as Togrenong. Thank you. It's also great to see so many familiar faces that I've dealt with across the National Security Community on a range of issues in both government and the private sector, so great to see you all here as well and particularly those I've worked with on cybersecurity over the last five years. Firstly, I'd like to acknowledge the Ngunnawal people who are the traditional custodians of this land on which we are meeting and pay respect to the elders of the Ngunnawal nation, both past and present. I also extend this respect to all Aboriginal and Torres Strait Islander peoples who may be in attendance with us today. Now welcome to the National Security College. Many of you of course have undertaken programs here or studies here, so I don't need to give you the burst on what the college does. We do great things. We're a joint initiative of the Australian government and the Australian National University and I feel very privileged to now be part of the National Security College family. Let me quickly introduce our speakers for this evening. You can read their bios in your handouts. Firstly, we have Mr David Irvine, chair of the Australian Cybersecurity Research Institute. It's always great to be in the presence of David, certainly a little personal story. 2013, David and I starred in a Australian financial review article, which I've actually framed because it was one of those rare articles where I was referred to as the younger man. And so if you haven't read the article, David was referred to as someone who could be cast as a cue in the next James Bond film. And as you can tell just by looking at me, I was referred to as someone who comes straight out of a Tom Clancy novel. So it's always great to be with David and to hear him speak. Professor Paul Cornish, who's the research group director for Defence Security and Infrastructure at the Rand Group in Europe. Welcome, Paul. Assistant Professor John Lindsay of Digital Media, John is right there, and Global Affairs at the Munk School of Global Affairs University of Toronto, Canada, in case you didn't know where Toronto was. Mr. Gary Blair, another old friend of mine, Chief Executive Officer of the Australian Cybersecurity Research Institute. Great to have you here, Gary. Professor Terry Bossemeier, Strategic Professor of Computing and Innovation, Charles Sturt University. He's the one with the new Army-style haircut. And lastly, Professor Roger Bradbury, our esteemed coordinator of National Security Research here at the National Security College. An apology from Professor Fred Kate. He's from Indiana University. His flight was cancelled. Some great activity by American Airlines there, so he'll be with us hopefully in the next 24 hours. Fingers crossed. Just some housekeeping. The first couple of portions of tonight's activities. The talk by David and the five-minute intro from each of our esteemed panellists. That will be on the record and recorded. The question and answer and challenging session, which I encourage you to get stuck into. That will be off the record and will operate under Chatham House Rules. I now ask you to join with me in welcoming David Irvine to the podium. Thank you very much. Look, this business of comparing me to Q or M or the Bond things has just gone a bit far. People said to me once, because as you know, Judy Dench was M for quite a while in the last few Bond movies. And people said, are you all the Australian Judy Dench? And I actually took great pleasure in that. That's terrific. Until in the last but one Bond movie, Judy Dench got killed off. And I didn't think that it was necessary for nature to imitate art. So I didn't. And then they replaced her with Ralph Fiennes. And I just don't have the figure for that. So anyway. But look, I just want to start with sort of two themes, which I think are relevant for us today. And the first is just sort of the to talk think a little bit about globalization and to think about the impact that has had in all of its manifestations on the Australian economy. You know, when I grew up and throughout most of my diplomatic career, the Australian economy was what I used to call a dig pump and dump economy. You know, and we well, we there was a bit of clip in there too, because there was still a bit of wall in our in our sort of economy. But we gradually became more and more dependent on the resource sector and the energy sector in a whole variety of ways. And you know, when I was when I was young, a third of the workforce was engaged in manufacturing. And in the 60s, it was 25%. Today, it's less than 10%. So what we've seen is a hollowing out of a traditional elements of the Australian economy. And governments have recognized this for a long time. And you know, I don't think we've ever had a government that hasn't said we got to be a smarter economy, or whatever. Now the Prime Minister's come out with an innovative economy. And that that is all terrific. The thing is, we've actually got to do something about it. And we need to move our economy up the value added chain. That's my first point. The second point is, and this is something in my lifetime that's been really very significant, obviously, is that we now live in an age where the internet and information technology has taken off. And I'm very proud to be able to tell you that before most of you in this room were born, I had an Apple 2 computer. And this thing had a massive 64k of memory. And today, of course, my doorbells got more than that. And so we've seen this this huge revolution in the internet. And my grandchildren, and indeed, my children don't actually know of a world without these things. I'm old enough, Joe. Thank you very much to remember that. So modern, but my point is this, modern life has become just so totally dependent on the IT world and the internet. It manages our infrastructure today. It does our banking for us doesn't actually put money into my account. But you know what I mean. It's our favourite vehicle of correspondence and communication. It estranges us from our children and our grandchildren. It entertains us constantly. Indeed, it trips up our politicians and celebrities in glorious gotcha moments that we're but for the grace of God, go we all. In short, you know, we can't live without it. And we have become in our modern world incredibly dependent on IT technology and what it delivers for us. And it delivers an enormous amount of good. But that dependence, however, has also created a whole series of vulnerabilities for us. And in my previous incarnation, I was constantly watching the exploitation of those vulnerabilities by foreign state actors, for example, conducting cyber espionage, developing the capacity to impact on our national security through sabotage by cyber means. I've seen terrorists use the cyber world and the internet to communicate and to prostitize and to draw out the world. Over 140 young people, Australians, 40 of whom are now dead, into the clutches of ISIL or Daesh or whatever you want to call it in Syria. And so I've seen the cyber capabilities being used for extraordinarily malicious reasons by state, foreign states. And the point is that the same tools that are available to foreign states are available to non-state actors, to terrorists, to malicious cyber anarchists and to serious organized crime. And the protection of our information on the internet, not from organizations like ASIO, of course, which operate with a warrant, but from malicious use against our wishes and sometimes very much against our knowledge, has become an incredibly pressing issue in this world. And we have to work, find ways to prevent that malicious use of the internet, negating the huge advantages and wonderful progress that the internet has brought us. So in a sense today, I want to bring those two themes together. The theme that Australia needs to move up the value-added chain, it needs to be, in my view, a significant player in the technology of the modern world, both in research terms, in manufacturing terms, in commercializing research and so on. And at the same time, one of the areas where that can be achieved, in my view, is in the very, very pressing requirements we have of cyber security. And so what I am very keen to see happen, and it's the reason why I'm very pleased to be associated with the Australian Cyber Security Research Institute, is that I would like to see a lot more effort devoted here in Australia to the research and the development and the commercialization of cyber security technology, and if you like, cyber security practices generally. One of the difficulties, however, is that we in Australia actually do not have a particularly good record in terms of industrial support and support of industry for research and development in our academic universities, institutions. And in fact, you know, in a recent survey I read, an OECD survey I read in terms of industry support for research and development generally, not just in the cyber area, Australia ranked 28th in the OECD. Mexico was above us. And that, I think, ought to give us pause for thought. And it's partly with that in mind that I'm an enthusiastic supporter of the Australian Cyber Security Research Institute, which is a not-for-profit organisation set up to facilitate cooperative research and development partnerships between the private sector, between the academic world and government agencies in the field of cyber security. And our goals are clearly to promote high-quality, multi-disciplinary, multi-institutional research into cyber security that will contribute real practical solutions. At the same time, another goal is to train and mentor the generation of Australians who can carry this forward for us. A third goal is to translate these results into something that is actually commercialisable, if that is a word. It's very hard word to say. To foster dynamic relations between the research, the user and the government in this area. Indeed, to build up a national cyber security capability far beyond what we have now. And the, actually, which was set up about a year ago and has gradually taken off is, was set up with initially the founding support of Cisco from the industrial side and Edith Cowan University in Western Australia. And what we want to do now is to bring in, and we're in the process of bringing in, further academic partners who will assist us in developing this multi-disciplinary approach where we can finance research in the universities into cyber security issues. And, well, of course, the Australian National University, and in particular, the National Security College of the university was one of our, if you like, our target universities. And I'm very pleased that ANU is about to join us. Because ANU and the National Security College bring, I think, quite exceptional strengths in terms of access to policymakers, in terms of research on cyber statecraft, and so on. As well as the additional benefits that come from the schools of computer sciences and the engineering college and others. And it is, I think, very important that one of Australia's premier universities be involved in this project. At the same time, some of Australia's other foremost universities are also becoming involved. Deakin University, a centre of excellence in the cyber security area. We're hopeful that the University of Adelaide, and particularly the University of New South Wales, will join us, and also possibly one of the Queensland universities. We'll know all of that in the next week or so. On the part of government, we have the support of the Australian Signals Directorate, SERT Australia, is one of our founding members, the Australian Federal Police, Ostrac, Australian Crime Commission, and so on. Users of cyber security technology. In terms of where we are taking the research, I think there are three main areas that, if you like, three main themes. And they're pretty obvious, the first two anyway. The first theme is simply research into the next generation, pardon me, of cyber security technologies. The second is a bit more sort of focused on the key issues that anyone who's been associated with this business will recognise the issues of identity, of authorisation, of trust in the use of the cyber world. The fourth one, I think is actually, the third one, I think is actually equally important, and that is what we've just given at the title, legislation and statecraft. But the fact is that we need not only research into the technologies of software and hardware that increase our cyber resilience. We actually also need research into all of the associated issues of privacy, of the legislation associated with that and so on, but equally importantly, the question of educating a modern generation into the practices that will make us more resilient as a cyber-using nation. And that requires education, it requires outreach, it requires sociological research almost in helping us develop our national resilience. So there we are. The last thing I would say is that we have the participating universities and industry and those participants will grow in number, are also very keen to participate in the government's cooperative research centre scheme, which has been announced, and which will enable government, if we're successful, will enable all of our funding to be matched by government. What that means is more PhD students, more opportunities for postgraduate study in the cyber security area, and ultimately, I believe, the development increasingly of a critical mass of cyber security capacity, which will help us in the end balance the huge advantages of the IT world and the internet with an ability to counter the vulnerabilities that it causes. So thank you very much, and thank you again to ANU and the National Security College. And a special thanks, if I may, to Cisco and Telstra, which have our helping us host this evening. Thank you very much. Thanks very much, David. I think that was a great way to kick off the week-long series of events that are part of the College's Cyber Security Week. I now call upon our esteemed panel members, starting with Paul, to come up and just give us a five-minute set of remarks before we kick into the Q&A. Thanks, Paul. Joe, thank you very much indeed. And before I begin, can I just say what a pleasure it is to be back here in Canberra and to thank Roger and everybody here at the NSC and indeed all the sponsors who have made it possible it is, as I say, a pleasure to be back. I work for the Rand Corporation in their Europe office, which is in Cambridge in the UK. But I also have affiliations with a number of other bodies, and these are really what I'm going to be talking about all together. The first is that I'm a fellow of the James Martin School in Oxford, and we do a lot of work on cyber capacity. I'm also, to the alarm, if not derision of my children, I'm involved. I'm a member of the computer science department at University College London, which also takes me into other areas. And finally, I've been very pleased to be involved here at the NSC for the last several years, developing with Roger, especially the strategy and statecraft. Indeed, all of us have been involved in this for the last few years. So I've got six very quick points to make about things I think are interesting. I would say this because these are things I work on at the moment. The first is capacity building. We just heard a brief mention of it. Every government, every international organization that's savvy with cyber is talking about capacity building. This is a very big thing at the James Martin School in Oxford. This is why we were set up. We think that we are doing something slightly different, rather than going into a country and producing, if you like, a league table assessment of where they are and how they're doing. Ours is a self-help approach. We provide a pack, and we go and brief them, and we let them get on with it. So far we've done about 42 countries, including the UK, and my colleagues have been to exotic places such as Bhutan, I did Jamaica, Senegal and Ukraine even. Ukraine was interesting. We helped them rearrange their cyber defence thinking and strategy and so on. And then we wanted to publish the document. They said, would you mind not? Because obviously if they reveal their cyber secrets, then their nearest neighbour might know a bit too much about it. We're very involved with the Organization of American States and the World Bank. And of course, one thing I'll be doing next week is going down to Melbourne, where we also have a very close and building connection with the government of Victoria, the Oceana Centre. If capacity building is a reasonable goal, then it sort of makes sense, this is the second stream of our work at Oxford, to look at the problem as it were. If capacity is the solution, what is the problem? And we're looking at the problem of a cyber harm. How do you calculate or even assess how bad things could be? Not just in cyber crime, but also in cyber terrorism and so on. More generally, we're trying to produce both quantitative and qualitative methodologies to look at economic rather physical, psychological, social and strategic harm from cyberspace. The third is a topic I'm working on at Rand Europe, which is, I've called it here, in inverted commas, I promise you, fighting in cyberspace. Big debate, as you all know, about cyber war, cyber warfare. Well, what does that actually mean in terms of fighting traditional style conflicts? The Tallinn manual, Tallinn in Estonia, they produce the manual on the relevance or the application of international law to conflict in cyberspace and they've said it applies. The law of war applies to cyberspace. Well, so what? How do you actually implement? And what does it mean in real life, I suppose? At the University College London, I'm doing some work on deterrence. And here with my colleagues there, we're trying to come up with a, it's quite an ambitious idea, reconstructing the language of deterrence. Trying to take it away from, if you like, the negative goal of prevention of bad things, in other words war and missiles firing and whatever else, to a positive encouragement of the good. That's to say the general enjoyment of the internet and global communications. At Rand Europe, I'm working on the internet of things, aren't we all? The internet of things and specifically the telemetry from the internet of things. The IoT is huge and it's getting huge. Statistics or guesses vary. By one account I think I read there could be as many as 50 billion things linked up to the internet by the middle of the century. I mean who cares what number is, really it's going to be huge. The question though is what happens to all the data generated on the IoT, where does it go, who owns it, who manages it and for what reason. And then finally, governance. The governance of cyberspace, which is really what I've been working on most with my colleagues here and indeed with the UK government in a track 1.5 discussion that we've been having between the UK and China. So it's not formal diplomacy but neither is it completely irrelevant like as in a sort of an academic discussion, it's trying to be somewhere in between the two. So how can we conceive a cyberspace as a global common good and manage it as such rather than as an area for competition and even tension. Thanks. Great, thanks very much. I'd like to echo Paul's comments with a note of gratitude for being here. It's fantastic for a lot of reasons. Perhaps foremost above them, it's about negative 10 or 15 in Toronto right now. So it's fantastic to enjoy Canberra. I want to title my five minute talk, Two Cheers for Cyber Threats and that's not only because I studied them and it's job security to make sure that we have these things around for a long period of time but the argument that I'd like to make is that as complex as the threats that we as complex as the threats may be as complex as they're going to continue to get, these are not the threats that we used to see and there's actually a very tight relationship between the two of those. We're looking at threats that are very, very complex and they're very, very civilianized. This is not just the military they're worried about. This is every agency of the federal government as well as all of you in this room. Firms are having to worry about cyber security. You all are having to worry about cyber security. Civil society groups are exposed to nation-state threats in a way that was never possible before and it's a real headache for people that work in professional intelligence and law enforcement agencies to have to deal with these things but the reason that we're having to deal with a lot of these things is that some of the big threats of yesteryear are very much attenuated and they're attenuated for two reasons. The first is that deterrence works. Okay. Deterrence worked during the Cold War because both sides were threatening one another with the annihilation of the world and they saw that there was nothing to be gained from that. Well, as all of the nation-states are looking out at the world right now, they have military capabilities. Some of them are using it but those uses tend to be extremely restrained. In fact, large-scale war between nation-states is largely unthinkable. It would be very, very costly. It's hard for states to tell themselves a story about what they would have to gain. But when deterrence works well, there are strong incentives for actors of all types to find alternative ways to work around clear policies, clear deterrence, to find other ways to get what they want. And to the degree that there are means available that provide all kinds of ways to be deceptive, of ways to be creative, of ways to work around understandable norms and understandable deterrent policies, those start to become very, very attractive. And that is, that is cyber means in a nutshell. The second reason, beyond deterrence, is the very thing that creates a lot of these threats, interdependence, also creates strong incentives for actors to be restrained. When you look at some of the major cyber actors out there at the nation-state level talking about the United States, Israel, China, Russia, these states are also heavily invested in the global liberal order. They want to get their way but they also envision a tomorrow where they will continue to be able to make money like they're making it today. That tends to reinforce deterrence by creating restraint. Now, that is a positive story but I'm only going to have two cheers for cyber threats because it tends to generate a great deal of complexity. And that complexity is only going to get worse because the more we patch the problems that we're dealing with today, the more that we make our critical infrastructure more secure, the more that we try to lock out espionage threats that we understand today, we'll be dealing with even more sophisticated ones in the future and this is a natural evolution. And it means we're going to be dealing with a threat landscape which will continually become more complex but not necessarily more dangerous. Thank you. Good afternoon everybody. Those are two excellent talks from both Paul and John. And I guess I'm living, I live in Sydney so I get to visit the college far more frequently than they do. And I always enjoy being down here. It's such a great college, such a great place to be, very inspirational. I want to carry on a little bit of a theme that David Irvin actually started with his opening address. And that's really to look at the Australian cyber security research landscape. You know we stand at the beginning of 2016, this is the year of the monkey but I also like to believe it's the year of cyber security actually reaches maturity in Australia. Because when I look at a number of the things that are actually happening, things that haven't been, the settings that haven't been here in the past but now are coming together. Some of them have taken a couple of, about a year or so to actually gestate but nonetheless you'll see that they are all very relevant. Firstly it was in May last year the government actually published the nine science and research priorities for Australia. That's significant because it actually gave clarity around the things that really counted. Cyber happily was one of those nine. I should say too that cyber is probably in my view a cross-cutting concern across all of the others because the others were food, salt and water, transport, energy, resources, advanced manufacturing, environmental change and health. And you can see how you could make a case that cyber and protection of those industries is quite central to any kind of cyber security research initiative in this country or should be. So that's important. The next was later in the year and this was actually in the December innovation statement. The government also announced a sixth growth centre, industry growth centre to join the other five that were already in operation. I should say not in operation because according to what I understand the situation to be two of the others are in operation, the others are in process of being formed. But nonetheless the others were advanced manufacturing, food and agribusiness, medical technologies and pharmaceuticals, mining equipment, technology and services and then oil and gas and energy resources. So again you can see that cyber could actually have actually supported each and every one of those growth centres. But happily a sixth growth centre was actually announced in that innovation statement in December. And clearly now that cyber security growth centre becomes a key linch pin for research in this country. It has caused some confusion amongst various people because people don't really understand what that growth centre construct is as yet. So they are expecting the growth centre to actually conduct the research. That's not really what a growth centre is intended to do. Instead the growth centre will actually enable the dialogue between government, industry and academia. It will also look at the commercialisation opportunities, create opportunities for start-ups. You think of the UK model where the UK government has initiatives like cyber London which is an incubator and accelerator for small start-ups in cyber. That's the kind of thing I'd see that the growth centre would do. Equally last year Australia signed up to the global forum on cyber security which is initiative that came out of the Hague conference. And again I think that the right place for that kind of initiative to be housed would be within a growth centre here in Australia. So those are two key things. And then of course in late December the resumption of the CRC program was announced and David did talk about that but I just want to also emphasise that when the program was announced the resumption was announced in late December. An emphasis was made on the fact that any CRC bid needs to demonstrate its value and relevance in the context of those science and research priorities and also in the context of the growth centre model. So happily again you can see that all the things are coming together to support cyber and cyber research in Australia in ways that weren't possible previously. And of course we've got the cyber security review about to be released and the strategy about to be released in the next couple of months. We expect it will have some additional guidance on this particular issue and no doubt the Defence White Paper. When you look at it too we're starting to see more formal dialogue between ourselves and our partners such as the dialogue with the US government, the annual cyber security dialogue that was announced by the Prime Minister and the President about a month ago. Those are all very important initiatives in this regard. So that gives me real confidence that we're now starting to have the right settings, policy settings in this country to conduct this kind of research. That means that this looks like it's a late arm is there that will easily get the money and actually do the research. It's not that simple. David did also talk about some of the challenges and I think those challenges do ban considering because typically we don't have a very good track record in this country of collaboration between industry and academia. As David mentioned in that OECD study we really rank around about 28th in the OECD countries. That in itself is caused to pause and actually consider what is it that actually causes this to occur. My sense and I've come from a corporate world I've spent most of my life in banking and I'd like to believe that I can actually bridge the divide between academia and industry but I can tell you it's hard because I can see on both sides people not really understanding what the other side does and not really understanding how to engage. There's a great degree of I wouldn't say suspicion but a reluctance to engage. In fact that so that would be one of the concerns I'd have. The again we've seen in this country a massive reduction in the R&D spend amongst most multinational corporations. There are some standards in this regard who have not done that like Cisco one of our partners in Axry but largely if you look over the last 15 years a lot of the R&D research not just in cyber but more generally in ICT that was done in Australia has now moved offshore been repatriated to other places and so the traditional powerhouses of R&D research in ICT like Silicon Valley and Israel have been joined by the UK and now more recently by Singapore. Singapore to me represents a real threat a real challenge because it's in our geography it's the natural alternative to Australia as an R&D hub in the region and my sense is that they are certainly further advanced than we are in their thinking around this. We are in fact plain catch up to all of these other countries my sense is we are at least five years behind where they are and that's been generous to us. What that does mean however is that we should be able to be fast followers and actually adopt and adapt so we can actually accelerate in our initiatives. We think that we can also bring a special Australian view of cyber security research. There are things about where we are and how we do things that actually are quite relevant to unique settings in terms of research that we think that means that Australia itself as a real advanced economy with strong adoption of technology presents itself as a real opportunity for research. In that regard I would say that we have a lot more that we can do to actually demonstrate to these other countries our abilities in these areas. We are seen as being smart people and using other people's technologies. We now need to demonstrate that we are smart in terms of building our own technologies. When you look at it it looks like then that this is a glass half full side of this thing. So what really compels people like David and myself and others on our board and I should say that we have two other board members here in Gary Hale sitting at the back in Dr. Darrell Williamson as well, from the Actuary Board. What makes it so important to us that we do this kind of work here? It is a strong belief that this is part of the cyber resilience that is required to actually protect Australia. In fact I'm also associated with the Oxford Martin School as Paul outlined and one of the things in that maturity model that they actually describe that we've described in there is the sovereign capability is a very strong indicator of resilience. The extent to which you can displace foreign technologies with homegrown technologies is a strong indicator of resilience and we don't actually have at this point in time a strong record in that regard. I would also just like to emphasize the three programs that David has actually outlined. We think they're the right programs for us to tackle at this point in time and that is the next generation cyber technologies, internet of things will obviously feature and that we think that blockchain technology or distributed ledgers will as well plus deploying at scale, identity and authorization, authentication about people, systems, data. Even the provenance of data is something that we think we need to actually do more research on. And then of course the strategy in statecraft and cyberspace which is largely the work that has been conducted out of the college here. In wrapping up however, I really would like to paraphrase the government's Australia Open for Business to say that Australia is also open for research in cyber security and we need to think of ourselves in that light. I'd also like to thank Roger for inviting me down here on a day when Canberra has turned on some gullies, some weather. Canberra was the place I arrived in when I came to Australia three decades ago and it's still got that same sort of summer allure to it. So my work is associated with complex systems and understanding the dynamics of how complex systems operate. And as Paul said, the internet of things is scaling up the internet by a huge factor probably not just by the middle of the century but probably within the next decade. And one of the consequences of this is the kind of the unpredictable, potentially disastrous things as well as the many good things that can happen as a result of that. So one of the questions which I think is particularly interesting for us which picks up on David Irvine's third point essentially is the social dimension to cyber security. And what we see is that there are very many ways in which the technology may be mature but the social awareness of the users is not as strong as perhaps it needs to be. So there are many, many examples. You see them on the news all the time where somebody has become the victim of ransomware, where the computer hard drive has been encrypted and they're being asked for significant sums of money to decrypt it. Places where people get money stolen from bank accounts, the list goes on and on and on. And the problem is not necessarily that people don't understand the risks or don't know what the risks are or know that they shouldn't use the name of their dog as their password. The problem is essentially to do with realizing that these things can actually happen, that these things are for real. So one of the things that we're interested in is a notion of cultural norms, social norms. And social norms tend to be very resilient. These are practices, ways of behavior, ways of interacting in a group. These norms tend to be very resilient and they don't necessarily change as fast as technology changes. So what we need to do is to look for ways of bringing about what Malcolm Gladwell called tipping points in social norms, change the way people think and the way people approach cybersecurity. Because the big challenges may actually result from everyday people using bank accounts as well as from nationwide attacks on national infrastructure. So the challenge for bringing about these changes in social norms is one that requires social research, it requires marketing and probably the most successful avenue of approach which is the area we're most interested in at the moment is through the use of social networks so that people can link very directly to people who've had experience or know of cybersecurity issues and translate something which seems like a recommendation which they could ignore into something which is of real practical value. Thank you. Well, I'll be brief. Because this is like a family gathering, a gathering of the clown. It's terrific to have the alumni here and I'm really looking forward to the opportunity of getting your challenges and provocations back towards us from some of the things we've said. So I won't go on. I endorse all the things that have been said so far but what I wanna do in wrapping this little group is to try and paint a big picture for you. Now I can see Colette over there and she will have heard me banging on about this in some of my lectures last year and some of you may have been in some of my talks to the EPD courses but I think we really do need to stand back and get perspective on cyber issues and on cyberspace in particular. The big problem, the big problem as I see it with cyber is that it's not settling. Cyber security is not settling because cyberspace itself isn't settling. It's moving at a huge pace and that pace is somewhat faster than we're able to adapt to it. And in order to see and pick up these ideas of that Paul made about the IoT and the size of that and the growing complexity that John referred to in the game, I want to paint a mental picture for you to see whether you can handle this. I want you to go back two and a half billion years to the early days of the Earth, the Earth's about four or five or so billion years old and two and a half billion years ago there was a thing called the Great Oxygenation Event. It lasted for about 500 million years and it changed the world. It changed the world by putting oxygen into the atmosphere. It created the air that we know today. It actually created the domain of the air that we do stuff in today. None of what we see about us today could have occurred unless that Great Oxygenation Event had slowly developed. The planet wouldn't be like it is. I'm sort of talking planetary scales here. But the important thing about the Great Oxygenation Event and you should get down on your knees and think that it actually occurred is that it was built by animals and plants. We built it. There aren't many planets in the world, in the universe, where living things actually change the planet and they change it in significant dramatic and singular ways. And the Great Oxygenation Event was one of those sorts of events. We haven't seen another planet do anything like this. I'm going to put to you that the advent of cyberspace is an event in the history of the planet that is of the same scale and endurance and importance and significance and unpredictability and unknowability for the moment as the Great Oxygenation Event. The slimy things that were living in the world before oxygen was freely available had no inkling what was going to happen afterwards. The evolution beginning of multicellular life and the growing complexity of the world for the next two and a half billion years which led to the planet we see today. Cyberspace is like that. Cyberspace is an authentic new domain. Just because it's been created by living things doesn't mean it's not real. It's a place where interactions can now occur and on into the future. We can't un-invent it. We can't go back and get rid of it. It's now part of the planet and so in that sense, it's part of the anthropocene change that's underway in the world today of which climate change is but one part. There are huge changes occurring. The cyberspace is part of those changes. Cyberspace is now becoming the space through which all the other spaces of the world get modulated, mediated and managed through great... It used to be through great biogeochemical cycles and now we're going to have to be doing it through active human intervention sensors and so forth. So there's big stuff afoot. It's not often that people say that they live at a singular time in history. We all like to think we do. And at every time in history people like to think that the time when they were alive was when big things were happening. But let me tell you that this, the beginning of cyberspace, which is only just beginning, we ain't seen nothing yet. This is a singular event in the history of the planet. Thank you.