Let's get underway. It's a very good gathering we've got here today. It's very impressive that at the end of, I think, a very, very full week of discussion and dialogue on cyber security that we're still able to muster, I think, an even larger group than at some of the earlier sessions. So this speaks to the importance and the dynamism of this topic. Look, I'll start by acknowledging and celebrating the first Australians on whose traditional lands we meet and pay our respects to the elders of the Ngunnawal people past and present. Look, I know many of you. I don't know all of you. My name is Rory Medcalf. I'm the head of the National Security College here at ANU and it's a real pleasure to welcome you to this final session of our Cyber Week, Securing Our Future in Cyberspace. This is a public event. We're on the record. Please turn off your, put your phones on silent at least, and we look forward to you joining the discussion a little bit later on. This is your last chance really to interrogate our esteemed panel of international experts who've joined us this week at the National Security College here at ANU. This is going to be quite a wide-ranging discussion. We've specified that it's about next steps in cyber security. We've had a lot of discussion during the week on some very specific issues around sovereignty, around research agendas, around law, around China, surprise, surprise, and around really cyber crime this morning. So we've had, I think, a pretty rich and wide-ranging series of discussions.
Here's a chance to bring some of it together with our international experts and also some of our Australian specialists as well to try and identify what I would like to see as some next steps in the research agenda, some next steps in the policy agenda, and with an emphasis as we stressed earlier in the week in our session with the Vice-Chancellor of ANU on partnership, on partnership across industry, across government, across society, and indeed across academia, partnership in trying to secure our future in cyberspace. I'm not going to go to great length to introduce our panelists today. They've already been introduced amply to many of you, but I'll get to them one by one. Before I do, I want to acknowledge the generous support we've had for this conference from two significant corporate partners of the National Security College, from Cisco and from Telstra. I also want to once again thank my colleague Roger Bradbury for his leadership and vision in putting this conference together and for the team that have really done a lot of the hard work in doing that, particularly Chris Farnham and others. Also my colleague George Brennan who has been with the college for some years and has really envisaged a conference like this and tried to drive it for some time. So applause is welcome for my colleagues, and that is, they've done all the work. Thank you. So with that, I'll go to our speakers, our presenters now. This is not about formal set-piece remarks. I'm going to ask our international visitors each in turn for some impressions that they can really choose from the smorgasbord of discussions we've had this week. Have they developed any new insights? Has this week done anything to alter or enrich their insights on cyber security, and do they have any particular thoughts about the Australian context and indeed next steps in policy and action for Australia or indeed internationally?
I might go first to Professor Paul Cornish, Research Group Director, Defence Security and Infrastructure from RAND Europe. I'll go to you first, Paul, and please take about five minutes or so to give us some of your thoughts, and then we'll work through the list of our international visitors as well as Mike Burgess, Chief Information Security Officer from Telstra. Paul, over to you.
Rory, thanks very much indeed. I'll give you my overall first impression. I mean, it's been an incredibly good week, I think. We've certainly, I was about to say enjoyed. That's probably not quite the word I choose, Rog. But it's not being enjoyed either. No, it's been a really, really good week. We've done an awful lot, spoken a lot and talked a lot and discussed a lot and it's been really splendid. Thank you again, everybody involved. This is probably going to sound horribly patronising. I don't mean it to sound that way at all. I remember when I first came here for our first meeting, I was at two and a half years ago or so, we all assembled in a government office and had an extremely good conversation around the table, and it struck me then that what was distinctive about Australia and cyber was that you can essentially get everybody in one room. Everybody that really mattered and was going to go away and make decisions and so on. I was really impressed by that and this has been reinforced this week. It does seem to me that Australia, maybe it's because a function of its population, is just about the right size to get this just about right. I'm from the UK and I'm very closely involved with the UK's cyber effort and of course it's fantastic. But it can get quite unwieldy, and that's a population of about 70 million with all of its government ministries and so on. If you go across the US, which I know much less of, my colleagues here know much better, I think unwieldy would be a probably generous description of what goes on there.
So if I could look at the other end though, and I know Estonia very well. Estonia is a population of 1.3 million. They do some really fantastic stuff in cyber but they're a niche. They've got a really interesting niche, not least in terms of civilian or non-governmental action in cyberspace. I can't remember exactly the expression they have but there's a kind of civilian guard force of some sort. There was an expiry final on the web anyway. So they're doing really excellent things in Estonia, not least as a result of course of the Russian, or whoever it was, attack some years ago. Then step up a tiny bit to the Netherlands. The Netherlands after the Hague conference last year decided that they were going to make cyber a really big thing and they've done marvelous work. All sorts of good things going on there, but they're beginning to feel as if they might not have the capacity they need to do as much as they want. They feel a little bit overdone by this. So again here we come to Australia, a bigger country, and I think it just seems to me to be extremely exciting. It's the same feeling we had, I think, a couple of years ago, a very exciting moment here to really get on top of this, and forgive me if that sounds patronizing, I really don't mean it. I mean it genuinely. My version of next steps, well, I've mentioned several of these points so far in various different formats. So forgive me if you've heard all this before, but I suppose by the time we all finished it should be a different arrangement of some sort anyway. I think, I mean, what strikes me about cyber or research in cyberspace and cyber security from a policy angle, which is my line, I'm not a technologist, is that the research agenda is just getting bigger and bigger the more you look at it.
And it's more and more exciting, and at the same time, through meetings like this, through the efforts of governments like the Australian government, it seems to me to be, I'm getting more and more optimistic that we're going to get our arms around this thing and actually begin to have what I called the other day a more settled sense of what is normal in cyberspace, what is proper, what's improper and so on and so forth. So it excites me as well as daunts me, if you like. Here's my very short list. I think we need to stop doing what I did the other day, and we all tend to do when we talk about the Internet of Things, just to spout out the numbers: there are going to be 50 billion refrigerators linked up to the web by whenever it is. I'd heard some time ago that the first refrigerator, I don't know where it was, had been infected by a virus, and it wasn't some appalling thing on a bit of cheese, it was a bit of software, and I'd heard from Herbie the other day that actually that fridge had been used in a DDoS attack, maybe it was the same fridge. But this is quite, this is what's remarkable about the IoT, it's not the take-up, and we are all familiar with that now. What does it actually mean? And I think it means things like that, and it means things like, it's questions to do with the telemetry. This is a network of machines and apparatus that are generating data all the time. Well, where does it go? What is the use of that data? Is it all metadata? Can any of it be tracked back? And all these sorts of questions, manifestly, about the balance between privacy and security, which is the kind of underlying issue, I guess, in much of what we're talking about. My second issue is cyber harm, again which I touched on once or twice, it came up earlier this morning. I think this is again an underlying issue. We do need to begin, or to put more effort into, trying to work out what we mean when we're talking about threats from, challenges from or in cyberspace.
We all kind of have an intuitive, instinctive sense that there's some bad things that could happen. What on earth do we mean by that? We've got to put, we've got to get more granular about this, not least because we presumably are all talking about spending vast amounts of public money on doing something about this. Well, what is it? What is the problem? What is the challenge? What is the threat? So I think there's more to be done on cyber harm. And this isn't an advertisement, but I'm going to, we're going to flood you all with copies of the Oxford University cyber harm model, which will be coming out in the next month. And what we're saying with this is that you can combine rigorous qualitative analysis about cyber harm even if it's only a matter of listing the sorts of harm that you could conceivably expect: psychological, societal, strategic, economic, whatever else. You can do a very good, rigorous qualitative number on this cyber harm problem and begin to understand it more closely even if you can't get the number, if you can't go in, how much is this going to cost? So do the qualitative bit, and then where you can find and where you can use quantitative analysis, then fine, do that too. So this is our approach in Oxford and, as I say, this will be, should be, out fairly soon. Another thought from this morning, when we talked a bit about the relationship between cyber and crime and terrorism, and this is sparked by my colleague Nathan Ryan telling me, reminding me rather, that we're about, at RAND Europe in Cambridge, to do or begin a project on the relationship not so much with cyber and terrorism, which is an interesting discussion but it's a bit of a circular discussion, we go around and around and around talking about whether we're talking about terrorism as a means or whatever else.
Well, what Nathan reminded me is that we're looking at the relationship between cyber and countering violent extremism, so let's take the terrorism word out of this and look at it slightly differently, and I think there's much more scope there. And my final point is to return to something I referred to earlier in the week again, which is the whole capacity building exercise. I think there's plenty more work to be done on this around the world, and an interesting angle development from it is not so much the capacity building exercise but the implementation of a capacity building plan, and I think that's going to be the next step. Once we can all agree, let's assume naively everybody agrees around the world that you have to go through the following processes to become a cyber mature state, or, that's fine, well, how do you actually do it? There's a massive training and education program that is going to be involved.
Thanks very much for that, Paul, and I think we'll come back to you on a few of these issues as we go along. Certainly after the initial remarks from the panel we're looking forward to a conversation among them and then to bring members of the group into the conversation. I'll go next to Dr. Herb Lin, a senior research scholar for cyber policy and security at the Center for International Security and Cooperation and research fellow at the Hoover Institution at Stanford University.
Thanks. I want to echo Paul's comment about Australia being the right size. I was gonna say that first, but what I take away from the conversations is that you're big enough to have almost all the problems that we have in the States, you know, we, and small enough to actually have a chance, I think, of getting some of the, being able to solve some of them, and in a more reasonable way than we can. So, I mean, there were several times when I said, oh, you know, you can do this, you know, there, and when I would not have said that in the United States. There's this particular, you can do this, you can go down this path, we can, and you have an advantage: the fact that you're an island nation makes a big, big difference in that context. Two other points. When I was asked to come to this conference I was billed as something that would talk about game-changing research, and I'm afraid I've heard that phrase a lot, both in the United States, in here and everywhere else that I go. There is a desire to get ahead of it and solve the problem once and for all, decisively. No, that isn't going to happen. There isn't anything that's going to change the game permanently. Maybe you can get a little bit ahead of it for a little while, but there's nothing that's going to change it permanently, and I think that we'll all be better off when we realize that. And the last point in all of this that I take away from many of the conversations here is that, the point when I look at the future, the future is we're going to have to get used to a lot more low-level bad cyber badness, and that's just an already, that's just a different way of saying we're going to have to learn to operate, well, have our systems operate in a kind of resilient way, so that when we're not, in those rare occasions when we're not being hacked, we have the opportunity to take advantage, full advantage, of the technology, but under most conditions, when we are being hacked and we are compromised, we'll have to just
basically get used to it and be willing to take the compensating measures to recover and so on. I don't like that answer. I wish somebody would persuade me that I'm wrong about that, but I don't see that.
Thanks very much, Herb, and we'll again come back to a few of those questions. I'll now go to Professor Fred Cate, Vice President for Research at Indiana University, and I think, Fred, you've contributed a lot to our discussions this week, so please, over to you.
Thank you very much. Thank you for the opportunity to be here. Thank you, Roger and others who organized this, and for your really exceptional hospitality. I was a little afraid, Rory, you're going to say you've said a lot this week so why don't we just pass you by and let somebody else talk instead, which would be perfectly reasonable, and I'm sure some people in the audience might feel that way. Let me just offer a few very quick observations, none of which will differ from anything that I've said publicly, but it's been a very stimulating week and I've been struck by the many levels of overlap where people coming at these issues from very different points of view, very different settings, have had common issues, as well as places where we still see disagreements. So let me just highlight maybe four or five, maybe, principles for thinking about next steps. One is, I think it's absolutely critical to be thinking forward. I think it's a waste of time to try to solve yesterday's problems, and with the speed at which cyber technologies evolve we always run the risk, if we're not really at the edge, if we're not working with researchers and industry and people who are confronting the edge, that we are always solving yesterday's problem, and that has frankly been a classic US approach. Our approach to national security and cyber security generally has been one of solving yesterday's threat. Second of all, I would think incredibly hard about thinking of the broad set of challenges in which cyber
experiences but of which cyber security is just one. So for example, cyber reliability may be much more important. You know, if I can't get to my data in the cloud, I don't care if it's because of a hack or because the network's down, I can't get to my data. And so thinking of security in a vacuum is operationally maybe useful, but from a planning point of view a complete waste of time, right? It needs to be seen in that broader, you, how do you deal with natural disasters, how do you deal with undifferentiated attacks as opposed to targeted attacks, and then this fundamental question of reliability linked with things like technological bandwidth, you know, how much can we put in these pipes without making the pipe suddenly no longer useful for what we're trying to accomplish. Third, I would really encourage that we think broadly about cyber challenges and not just think of them in terms of defending them or detecting them or prosecuting them after they occur, but also the broad way in which we may deal with a world in which they just occur all the time, as Herb and others have suggested. So what would it mean? In some instances that might mean good backups of data, and others that might mean redundant systems, and others that might mean something completely different. I use the example, when I spoke publicly on Wednesday, about the amount of time and energy we in the United States have used trying to protect social security numbers, when we could have just given up on that, save that time and energy, if we had simply stopped the misuse of social security numbers as default passwords. So sometimes we protect things that aren't worth protecting, and there are easier, cheaper and more effective ways out. Third, fourth, I would also just really stress the importance of thinking practically, and I want to be clear by what I mean about practical. I don't mean that it means you can instantly implement it. I mean we know from experience again and again and again that the big gap right now we have in
cyber defense is between creation and deployment. It's not creation. We have loads of tools being created, fabulous, innovative, creative tools, generally being created by people much younger than most of us in this room, and the problem is we don't deploy them. We can't get them used widely, we can't get networks to use them and we can't get individual users or employers or other large equipment operators to use them. And so thinking about how do we build on the fact that the supply of tools is fabulous, and we should applaud that, but we're not doing a good job getting them used, and, you know, we know this from the fact that such a large significant of successful exploits take advantage of defects for which there are known patches, and the patches are usually widely and freely available, but we can't get people to use them. And then finally I would just say, and again echoing what I and others have said earlier, I would think a lot about the way in which government can work with industry and academia to move forward in these areas. Governments have sort of taken a hands-off approach or have looked at this more at a strategic, sort of international relations issue. Very important approaches, but this is not going to be solved by any one set of the economy working on it. It's going to require that type of collaboration. We all get nervous by that collaboration. Industry doesn't want to be regulated, government but wants to be careful about being too close with industry, academics are, you know, always asking for money, it's what we do for a living. You know, there are all sorts of impediments to that collaboration, but that, even more than your size, as my colleagues keep saying, is the great advantage here: you have both interdisciplinarity in terms of disciplines, but you have interdisciplinarity in terms of settings at the table, so that industry and government and academics and others can talk and work together. And thank you again.
Thank you very much for that, Fred, and we'll, look, Mike,
I'll skip over you for a moment and go to our other international visitor, go to Assistant Professor Jon Lindsay. Jon is assistant professor of digital media and global affairs at the Munk School of Global Affairs, University of Toronto, and of course, Jon, you gave, I think, a very, very bracing presentation yesterday on the US-China cyber dynamic, particularly the way, I guess, the challenge of working or managing China in the cyber domain. So be very interested in your reflections on the week, Jon.
Great, well, thanks very much. So this project started a couple of years ago, actually, in conversations with Terry and Raj about the political ecology of cyberspace, and was drawing on their deep backgrounds and thinking about biological complex systems and how they evolve and grow. And so while here in Australia, for my second time now, I've been learning a little bit about Australian biology and especially all the invasive species that have come and gone. Actually, they don't go. So cane toads and rabbits and whatnot, and the rabbits I thought were particularly interesting because, you know, 25 or so they were introduced by some fellow for the sake of convenience, he wanted something to shoot, but they had no natural predators and so they increased exponentially and here they are today. So here we are in the 21st century and these foreign things designed by Google and Microsoft have been introduced largely for convenience, without a lot of insight, and they have also increased exponentially across the entire continent. But it does seem that there are some natural predators here in Australia that it's been really interesting to learn about in our interactions with the law enforcement community, folks from the intelligence community, but I think what's been really interesting to me is hearing about efforts in the private sector and in civil society that are providing a degree of defense and resilience that I don't think we often appreciate: the degree to which ostensible competitors in the
banking industry or network operators across different, ostensibly competing networks actually work together to understand faults as they occur, to patch them as they occur. All of them have a great interest in maintaining the viability of the playing field even though they may have competing teams on that playing field, and I think that is something that is really important, but for policy and for research we don't often have a good understanding of how the ecology is already sustained, and often sustained in a bottom-up way. So if we believe in multi-stakeholder governance as a good way to manage the internet, I think we really need to take that seriously and ask questions about how is it working right now, and try and research these often invisible networks of specialists in industry and civil society and in the government that are working together, so that we don't risk overcompensating with too much government action. There's a vital role for government, but I think we need to understand those trade-offs so that we don't inadvertently slide towards, you know, more of a cyber sovereignty mode. So I think that's one thing that I will definitely take away. The second thing, you mentioned China. I think I've come away with a new appreciation of the vital role that Australia can play in really helping to manage and mediate the relationship between European and North American countries and China. Clearly with the Five Eyes relationship there's just, you know, utterly strong and enduring partnership here, but this is the Asia Pacific. China is very interested in courting Australia, and that presents a very interesting ground, I think, to start some conversations that need to be had to make sure that China is included at every opportunity in these existing systems of governance and technology management, so that China understands how much it benefits from the system that it is already involved in.
The last thing I'd like to say, and I think this is policy dimension but a big research dimension as well: a lot of our conversations have focused on the role of intelligence, the blurring of boundary between public and private, peace and war, when we look at cyberspace, and that's a real fascinating, I think promising, challenge for strategic theory, which is, you know, which is focused in the past on, you know, managing nuclear threats or large-scale conventional war, and here we are talking about managing state-sponsored deception. We're talking about counterintelligence, which is about letting threats into the gate so that you can understand them and manage them and see what they're going to do, understand that we can't block them, like Fred mentioned, but we can learn about them and channel them. We actually don't have good theory for understanding what those games look like, so I think developing some of that theory and starting to model some of that has tremendous potential both for informing policy but really pushing the frontiers of how we understand strategic interaction.
Thanks very much, Jon, and I think, before I come to you, Mike, I just want to pick up on a few of those themes and also mention, I guess, a little bit more about the kinds of partnerships we're trying to build here at the college through conferences like this. I think many of you know the work with the National Security College and know that we were founded as a partnership between the Australian government and the Australian National University, but increasingly we're looking to extend that, I guess, that philosophy of partnership, not only internationally with collaborators such as the experts you see assembled here but also with the private sector. So I think the themes that you've all emphasised about partnership really resonate with what we're trying to achieve here, and then, speaking of the private sector, I want to introduce Mike Burgess.
So Mike is here as Chief Information Security Officer for Telstra. Mike also has a very substantial career really at the coalface of cyber security in the Australian defence community, so Mike, over to you please.
Thank you, and good afternoon everyone. What I thought I would do is just, I will talk about one of the sessions I attended this morning and actually, by doing that, comment on what I've just heard from my colleagues on the panel here. And the one thing, so this morning we were talking about the nexus between cyber crime and national security. The one thing that I got from this morning, I got many, but the one major thing, and what I've just heard here, is this subject is really easy, it's really easy to get paralyzed by this. It's really complicated. People love to go to the high end of the Armageddon aspect of this problem. There's a lot of hype. Industry perpetrates that hype, academia actually has, governments certainly have, and so it paralyzes us. And when you think about it, and the real optimism that came out of the presentation this morning, in the conversation we had, and actually the optimism I just hear from my colleagues here, that's good news for people like me and it should be good news for you, because actually I think we're starting to see a turn into some serious thinking about, actually, you know what, as Clapper said, this is a threat that can't be eliminated but the risks can be managed, and that's actually what we're hearing now. And we realise this is not something governments can do alone, academia can do alone, the private sector can do alone, or citizens or consumers can do alone. This is something that needs all of us to understand the problem and move forward. So that's that real sense of optimism that actually I find incredibly pleasing. What I will also do, though, is tell you why for me cyber security is a significant issue, and for those of you who have heard this, they're probably getting sick of me just repeating this, but it works, and then I want to, if I'm
allowed to, actually then throw it to a fundamental question that actually will be good to hear from my panel members here and the floor. So there is no doubt that technology, use of technology and connectivity, is bringing great benefit to society these days. We see that, you can all experience that. We can joke around, you know, everyone sits at a restaurant and playing with their mobile phones and how that's really impacting social interaction, but that aside, it's got great benefit already and actually the full potential benefit of that is yet to be fully realised. I think we can all agree on that. Cybercrime in the end, and I'll put everything into the bucket of crime, and forgive me for doing that simplistically, espionage, it's a matter of perspective, but espionage and crime, cybercrime, cyber espionage, is just espionage and crime. It's nothing new. We have a habit of putting the word cyber in front of everything. The one thing that makes this a significant issue, though, is it's actually this technology and connectivity means that bad things, whether they are really bad things or just low-level constant attacks or hacks, actually today can happen at a pace, scale and reach which is unprecedented. That's a consequence of these wonderful benefits of connectivity and technology, and just as we all benefit from it, it means the criminals can benefit from, and it means that harm can happen at a pace, scale and reach which is unprecedented. That's why it's a significant issue, and I'm very much in the camp that because of that this is a turning point for nations and private sectors and citizens that live in countries. And I'll draw to a topical point right now. So just this week, the notice put out by Tim Cook to Apple users challenging that US court decision that Apple are facing. To be clear, I'm on Tim's side. This is such a significant issue, you cannot now expect people to build unsecure versions of operating systems, unsecure applications, unsecure devices, and you cannot ask for
backdoors in encryption now, and that's because it's such a significant issue. We do need a secure infrastructure which all this goodness can happen from, happen on top of. Of course I am very much a supporter of our law enforcement community. You need that. I hope, if you have the same democratic values as I do, that you understand it's important that we have law enforcement and actually they have the capabilities and the means to do their jobs effectively so they can help deal with bad things. But given it's a fundamental problem in terms of the significance of cybersecurity, you can't ask the private sector or technology companies to do this anymore. What we have to do is find other ways of giving law enforcement what they need to do their job, and that I put out there for a conversation. I think that's a very useful one given the significant nature of this issue.
Can I invite the panel to respond to begin with, perhaps, or others?
Okay, so the, if you haven't been following the issue, the issue is that the FBI has in its possession an encrypted iPhone used by one of the San Bernardino terrorist shooters, and there are contents of it that the FBI would like to get at. It doesn't have access to that. The problem is, what the FBI would like to do is try a brute force method of going into it by sticking in, you know, every possible PIN combination. The phone is designed to erase itself after 10 tries, and what the court has ordered Apple to do, and Apple's refusing to do, is to figure out a way to bypass that and to put a, to develop essentially a modified version of the operating system that will bypass that, so that they can, so that the FBI can now try brute forcing its way into the phone. Tim Cook has said no, we're going to challenge this decision. Did I capture that accurately? Okay, so that's the issue, and I think it's fair to say that almost every technical person that I know will come down in favor of Apple on this, and it's understandable. Okay, the, what is, what the FBI
is doing here is basically asking for access to this particular phone. Now the question is whether Apple will do it. And Apple has to comply, and if it complies, it will do some technological things, okay, and that will give the access to the phone to the FBI. Then the question is, having done that, it now has some software, for example, on the shelf. Is now this software a backdoor to everybody? That's really the question. Tim Cook says yes, okay, now it's everybody. I say no. And I say no because they could take whatever that's on that device and erase it, okay? They could just, like, you know, get rid of it, okay, and it would no longer exist. So the question of getting, of whether or not you have access to, whether you're actually creating another backdoor to this: no, it's not. You don't have to do that. Now, on the other hand, Tim Cook is absolutely right when he says that if we comply, we're weakening the security of everybody. How can that be, given what I just said? The answer is, you're setting a precedent. You're now giving the court the authority, and at least in the US context, you're giving the court the authority to say, you, Apple, must expend resources and money and time and engineering talent and so on to do something that we need. Okay, well, I mean, and it's using a law that was created in the 18th century to do this. Now, just because it's an old law doesn't mean it's not valid, but that's an interesting question. Can they force me to do, if they think it's useful, did they force me to build a jail for them or something? I mean, I don't know. Okay, so there's lots of ambiguities here. You're setting the precedent, and you're setting the precedent, one, that you can do it, and two, you're setting the technical precedent, setting the legal precedent. So in all of those ways, you're weakening security in that sense of the term. Now I wanted to make one more point in response
to what Mike is talking about. He talked about secure systems, and the fundamental problem in all of this is that there is, let me invite you to consider the difference between what I'm going to call maximal security and adequate security. What every technical person wants to do is to develop a system that is maximally secure, as good as you can possibly do it. Everything that the FBI wants for exceptional access, backdoors, whatever you want to call it, requires a level lower, something less than maximum security. The question is whether or not that lower level is adequate, and that's a policy decision. If you get a system that is less good than is maximally possible, is it still good enough for your users? The FBI will say yes. A lot of technical guys will say no, there's no difference between those two. And that's the policy argument, and that will go however it goes. And you know, I have an opinion on that, a private opinion on that, which is as good as anybody else's opinion on that. And of course I could probably tell you, but the point is that, you know, I'm just one person in that. But that's the technical issue, that's the technical policy nexus that you need to think about.

Great. Just two quick comments to add to that. One is, I think this is a wonderful metaphor for the whole conversation we've been having, because in this case, remember, the iPhone is wanted not to prosecute, because the person who committed the crime is dead. It's not the only data; in other words, it was backed up to the iCloud, and Apple has given the FBI access to the backups. The phone company can tell it every place the device has been. The phone company can tell it every communication that's come into or out of the device. The FBI has all of that. But it's that desire for that last little bit, you know, we have 85, but let's not worry about that, let's focus on the 15 we don't have. And that's been the challenge, I think, in cybersecurity as well. We
often know the 85 percent. We could make things 85 percent better, we could do substantial things, but we are so preoccupied by the final five or 10 or 15. The other thing I would say is the challenge in this situation, it's an inevitable challenge, there's no criticism implied here, is you have a single federal judge with no staff, with no research arm, with no benefit of a conversation like this, making decisions that will, although ultimately be reviewed by other courts, set policy regarding security and anonymity on the internet. And that's again very problematic. And again, if government doesn't act in its, if you will, administrative capacity, it's going to act in its enforcement and judicial capacity. It's not a question of whether government's going to act, it's when and through what process. And you know, I think there are good reasons, I think we might benefit through a more deliberative policy making process rather than always resolving these issues as if we've never thought of them before in a judicial, single-focus process.

I'm going to Paul, and then, yeah, if you don't mind, you have either a response.

Just a quick comment about that last 15 percent. Fred is right, we don't know what's in that 15 percent, and it might be really, really important, or it might not be. I'm guessing, my personal guess, it's probably not that important, but I can't tell you that with any assurance, and nobody else can tell you that either.

Well, I'd respond to Mike's challenge in a slightly different way. I think Herb and Fred are absolutely right, but in another sense they're also absolutely wrong, because it seems to me that this entire discussion (why everyone loves the British so much), the discussion about the Apple case, whether they like it or not, whether we like it or not, is, at least in the public domain, running on very, very broad points of principle. And I think I'm very disquieted by this, because it seems to me that it matters where you begin, and I would begin with the fact that a
very monstrous mass murder took place. And it does seem to me that in any of our societies, I don't know what the exact legal case, but I think you have an obligation, if not to provide evidence, and certainly not to withhold evidence. And so I think in the public debate that's where we're going to find a lot of problem. I think this, in my mind, as I said at the beginning, I'm not a technical person, this does actually boil down to a very basic question of public ethics. And ethics, we need to remind ourselves, are not a choice between the good and the bad. That's what children can do: the good being privacy, let's say, and the bad being intrusion by government. Public ethics are a choice between, a choice of the lesser evil. In other words, it's a choice between the bad and the bad. So I'd throw the question back to Mike, and indeed to everybody: which is the lesser evil in this case? And I think it could actually be the withholding of evidence. Mike?

Yeah, I have to respond to that. Thank you, Paul. Apple are not withholding evidence. They designed a system that was secure. They haven't designed a system that's not secure. They're being asked to design a system that's not secure. They're not withholding evidence. So I'll obviously challenge you on that point. I agree with you that crime was absolutely horrific. It doesn't stop the fact that this crime occurred, and yes, there may well be some really juicy piece of intelligence that can prevent bad things like this happening again. And that's why my point is twofold. I absolutely fundamentally believe that you need to build security in with no known weaknesses or deliberate weaknesses, even to enable law enforcement. But absolutely, at the same time, I do want my law enforcement agencies to have the right capabilities to do what they need to when they have lawful reasons to do so. And that's the challenge. I actually think there is a way around this, but actually people have to invest in that and not ask companies to build a lesser level of security in the
name of law maintenance, because I don't think that's actually going to work, given the significant nature of this problem. But that's the debate that actually rightly needs to be had, and not just by the technical companies, that's by societies as a whole.

Let's open this discussion to the group, if that's all right with the panel. I first want to go to Roger Bradbury. Roger not only is the mastermind of this conference, but also, Roger, for a few of your overall impressions on how the week has gone, lessons learned, dare I say next steps in policy, and if you want to weigh into this debate, please do. And then I'll open it to the wider group. So please.

Thanks, Rory. Look, I think I might pivot on the Apple, the iPhone debate. I tend to lean to Mike's point of view very strongly, but it's an ethical issue and you've got to choose the least bad, and I think the least bad lies with Mike in this case. But what I wanted to say in terms of general things about the conference, the thing that struck me about the discussions we had amongst ourselves and with our really generous audiences, is that compared to two, three years ago, we're talking much more about the internet of things. And what struck me about that is, it is, if we're talking about it, because the internet of things has come along faster than we were thinking about two years ago. It's actually here now. And that's starting to have effects in how we do our cyber policy settings, how we do our cyber technical settings, how we build our infrastructures, in ways that we're not quite prepared for, because I think it's arrived early and we've now got to deal with it. But what I'd say beyond that is that what we should be talking about now, and not obsessing too much about the when will the internet of things arrive, is the thing that at Davos they call the fourth industrial
revolution, which is really the third, they just can't count. And it's to do with the technology convergence that's being catalyzed by cyberspace, the fact that advanced materials technologies, the fact that biotechnologies, advances in biotechnology, are getting married up through cyberspace with advanced information technologies and creating a whole class of new opportunities, of new ways of doing, of living, of new opportunities in business, but also huge new problems in the way cyberspace is managed. So we're going to have a cyberspace, we've already got a cyberspace, that's connecting more of machine to machine and object and sensors than it was in the past, than it would be. And we're also going to have one that's talking across the whole machinery of the planet, of how things work and how things get made, distributed and manufactured. And the things that are getting made and distributed and manufactured will be wholly new classes of things. And we haven't even started that conversation yet.

Thanks. We'll open it up further. I think I saw one arm raised in the middle, on my right. So if you could please introduce yourself, wait for the microphone, introduce yourself and make your comment and question, and just bear in mind that we are very much on the record, that'd be wonderful. And it can be a comment or a question.

My name, I'm sorry, Kay Henderson. I want to go back to the issue of the court decision in California. And the comment was made that the public would look at it as something that is perfectly acceptable, and looking at the internet, a lot of comment is that this would not be any different, the demand of the court, any different to a subpoena, and that, you know, the court can order to unlock your desk, to unlock your safe, when you have to retrieve the information. Seems to me there are two precedents: one is a technical precedent and the other one is perhaps a legal
precedent. And also with the iPhone, I understand the version of iPhone that folk used is an older version, and that there are already two newer versions, and that the newer ones wouldn't even make possible what the court demands. Do you want to comment on this?

So yeah, just in terms of the first point, obviously I'm not a lawyer, so forgive me for saying this. There's a difference when you order someone to unlock a cabinet, because you've got a key. Apple don't have the key. Now I take your point in terms of, it's no different to, there's a lawful request, and obviously companies have to be respectful because they have to operate under the rule of law, but they actually also have a right to challenge, and that's actually what's happening here. I don't know if I can answer the second question because I'm not sure of the version. Obviously my view on iOS would be it gets more secure as you get to a later version. I think you take Apple at its word. Someone's telling me a version number, but actually you just take Apple at its word, right? This will be worked out in the great US court system. It's democracy in action.

I'll point out that the FBI will say in response to what Mike said, it's not asking for a key, okay? What it's doing is asking for Apple to disable the feature that erases the phone after you try 10 bad keys, okay? So they're not asking for a key, okay? So I mean, on the face of it, that's true. Now whether that's significant or not, I mean, Mike and I would agree with that, that's it, we might disagree or agree on the significance of that fact, but it's not asking for a key, it's asking for Apple to disable a security feature.

Thanks, everyone here. Douglas Robertson from the ANU. What I'm hearing is quite an interesting kind of confusion between, or not confusion but dichotomy between, total security and, I think you've used the term, adequacy. And we're talking about a world where we just have to expect that we're going to get hacked more than
not, and therefore I'm just keen to try and figure out, how do you figure out what is adequate? And in legal terms, how do you figure out what is adequate? Because if Apple makes its phones not secure, then it opens itself to class action against it, because people can get into Apple phones easier. So I'm trying to figure out how we actually track to the point of what is adequate, and then how do you put that into a policy and regulatory context?

Yes, this is a Fred question.

Yeah, so I just quickly respond to that, in terms of, I wanted to be clear, there is no such thing as total security. So I'm not arguing for total security, because that would be ridiculous. All I'm suggesting is, because of the significant nature of this issue, you can't build weaknesses in. You can't allow backdoors for lawful access, because that actually is a weakness the criminals will exploit, right?

So let me see. I don't think it's a meaningful distinction between total and adequate security, but because I don't think there's even maximal. In other words, I think the question here is very focused, and we might still disagree about it, and that is: can a government mandate weakness? It doesn't matter whether we're here and they mandate weakness, or whether we're here and they mandate weakness. The point is, the technology and the market is capable of delivering this, in this case has delivered it, and the government's saying, we'd like this. And we've had this debate over a hundred different permutations: exporting encryption, mandatory deposit of encryption keys. We have this all the time. End-to-end encryption, the government imposes it. It doesn't want phone companies to let individuals encrypt their own devices. It's got lots of ways, for very good reasons, by the way, I'm not for a moment doubting the validity of these reasons, to say we want to be able, at least in certain circumstances, to compel you to weaken your security. Now I think that's
very problematic, but I think it's even more problematic in an international world, because once we say the US government can do it, or the Australian government can do it, it's going to be very hard not to say the Chinese government can do it, or the Iranian government can do it. And we've looked at all sorts of ways to try to draw those lines, you know, do you follow legal process, do you have appeal, do you have a neutral, detached magistrate look at it. But at the end of the day, almost any country can manufacture those. And if we give way on the precedent that the government can mandate weaker security, I think that's where the risk is. Now it may be a risk worth taking. That's, reasonable people will disagree.

How do you determine what is adequate as a commercial target? If we accept that total security is not possible, and therefore, and I think it might have been you that said there's a whole number of things where we just have to accept that we can't protect that, the social security numbers for example. So how do we do that in a prospective way rather than a reflective way, learning that actually we've chased a lot of hares and actually caught not as many as we were hoping to catch?

Okay, so thank you very much for clarifying that. And now I'm going to hand it to Paul, because he's going to want to talk about something else, but I'm hoping along the way you will also talk about the work in trying to think about harms caused as a result of cyber incursions. Because my answer would be, one of the ways we think about adequacy, or what sort of level of security should be the minimum, the floor, what we might use regulation to require, is thinking about where are harms most likely to occur, and how do we effectively and cost-effectively mitigate those.

Thanks for that pass, Fred. I don't know how or where you could establish this threshold, but something that came up earlier in the week, I was reminded in one of our discussions of an expression that the UK government
used, I think in the 1970s and onward, in the context of Northern Ireland-related terrorism. And this was an expression that was used within government, because it was so sensitive and nobody wanted it out of government, because it would have been very controversial publicly. But the expression was "an acceptable level of violence". In other words, you can never completely crush, or whatever you want to do, or cease Northern Ireland-related violence, bomb, but whatever side. So there must be some level of it that we've got to learn to tolerate. Now I don't know what that level was. I don't know how many bombs a week, or whether it was only Birmingham, not London, whatever else, you know. But there was that sense that there must be a threshold. But can I just go back, before I mention harm again, just to be absolutely clear what I'm trying to say. I said I'm disquieted about this Apple case. My knowledge of it is basically gleaned from that column in The Australian this morning, so this is thin stuff, okay? But my worry is, and this isn't meant as an unfriendly challenge, Mike, by any sense, but what is it about the ICT world or the cyber world where they think that they can in some sense absolve themselves of the responsibilities that all of us have always had? Every single industrial sector has always had this responsibility to society. We've got these, what is it about ICT that makes us even have this discussion, that somehow there can be a limit or a boundary that enables companies or individuals to say, well, you can't do that because it would be a breach of the information system? Well, so what? And harm, cyber harm: our approach in Oxford, as I said, is simply to say that what we've got to do with cyber is to try and get a sort of synoptic sense of it. You know, we keep talking and talking about cyber harm. There are all categories, loads of categories: harm psychological, societal, strategic, economic, industrial and so on. You can go through
a whole long list of them, and we've done it in this marvelous paper which will be produced very soon. And in not all cases can you crunch out a number. You can't necessarily be an insurance company that want, and look at this and find the number that you can attach to this or that risk. But what we're arguing is that you need somehow to get a settled sense of what we mean by cyber harm, and if you can do that, then you begin to position yourself to have these sorts of discussions about where the threshold might be.

I've got two more comments or questions from the floor. Is there any further response from the panel at this point on this particular tension, which is just fantastic? But we'll go to you, sir, and then George Brennan.

Tom Worthington from the Research School of Computer Science here at the ANU. To answer your question, I teach professional ethics to the IT students. In a lot of cases they get no ethical, legal training, and they think they're the masters of the universe and can do whatever they want, and we have to remind them that they have to work in a legal and an ethical framework. Although that does mean, under the codes of ethics for these professions, the public interest may override the law, and I tell them on occasions they'll have to say no to policemen and judges. They may well go to jail as a result, but that's what you get for earning the big bucks. The question I wanted to ask you was, these sessions supposed to be about the next steps, apart from harm at Oxford, what are the next steps you see coming down the road? What is it we should be researching, implementing, what should we be doing that we're not doing?

Well, thank you, that's a fabulous question. So let me just take a quick swing and then let my colleagues. So one is, I would take advantage of your extraordinary ability to bring together people from different parts of the society in the economy to actually target those 80 or 85 percent of things that can be done. And it may be they're already being done,
in which case you can celebrate, you can congratulate yourselves and be done with it. It could be there's some where there are market reasons why they're not being done. You could figure out if impediments need to be eliminated or incentives need to be created. But to be honest, that would be the single greatest gift you could give the world in cyber security, would be to show how to move from the zero to 85, rather than to spend a lot more energy on the 85 to 90 or the 90 to 95. And then the second point I would make, which again my colleagues either have made in this setting or have made in other settings: Australia seems to occupy a truly unique place in relation between the western world and Asia. And the very first time that I engaged with someone from ANU, which was five years ago, I guess, in the United States, when Michael L'Estrange was visiting there, was thinking about, talking about trying to sell him on the idea of Australia's unique capability to help build relationships, to help address the huge distrust problem between China and the United States and Europe. And I don't mean to suggest it's that linear of an equation. I know there are lots of other efforts underway, I don't mean in any way to ignore those. But you have a location advantage, you have a desirability advantage, nobody ever says, no, I don't want to go to Australia. You have a long history of working in the region and also working with other western democracies, and you have great technical expertise in this area. And so if we thought about strategic places in the relationship where there are real opportunities to build, through repeated contacts, the level of trust, one of them being that close connection between academic advisors in the government that exists here, exists in China, I think that would be a tremendous step forward.

Thanks, that's a very useful insight, I think. Any others?

Well, just underscore both of what Fred said, emphasizing particularly the first point about working on getting stuff that we
already know how to do out into the field. The way I would phrase it is that there's an average level of performance, and there's sort of the best possible level of performance with what you have now, and there are certainly institutions in Australia that are the best of the best. Question is how you get everybody else up to that level, and that's a question of deploying what obviously somebody already knows. If you can work on that stuff, that may really be game changing.

John?

So when I first started looking at cybersecurity with some colleagues, we were kind of really interested in a lot of these big cyber apocalypse stories that were being told, and we looked specifically only at cyber things, and there were lots of reasons to argue against them, and it was easy to dismiss those. And for a lot of kind of old-school security scholars, it was very gratifying, because it meant that they didn't have to look at cyber security. But in the process, it became pretty obvious that what makes cybersecurity interesting is not cyberspace but the way in which those networks connect to everything else, and it is the connections and the networks that I think are fundamentally fascinating. This is a fundamentally interdisciplinary problem, and it needs to be studied in an interdisciplinary way. And again, I think that that really provides unique opportunities for Australia, because, you know, you have so many pockets of excellence, and it is small enough that you can start to bring those together, both as a collaborative research endeavor and also as an important case to understand how the social, the economic, the political, the military, the business cases are fundamentally interleaving. And you know, it is a research project. You know, I think we really need to come up with ways to try and deal with the ontologies of these different disciplines, that are necessarily going to be inconsistent and overlapping and fragmented, and they're going to have new emerging pieces that are coming up
within them, and we need to come up with ways of integrating those together. Not to have one master view of the world, that's never going to happen, because part of what makes cyber fascinating and frustrating is that it's always kind of new things emerging at the seams between concepts, which suddenly present both the threats and the opportunities. But I think we need to kind of really make progress in thinking about systems as a whole and integrating these different disciplines together.

Thanks. Paul, and we'll move on to the next question.

My suggestion, well, I preface it by saying what worries me about this whole week, Roger, as the week has gone on and we're coming to the end of it now, I'm terrified that my learned colleagues and I realize I've actually only got one idea, and this is it, and it is public ethics. It has to be public ethics. I think we've got to stop being stunned by the numbers, by the whiz-bangs, by the technology. It's fascinating stuff, but we must stop being stunned by it. You know, if we think about ICT in general, if we think about the use of unmanned aerial vehicles, drones if you like, we think about the internet of things and all these sort of sectors of innovation and gadgetry, to put it crudely, if we think of things like the something we mentioned earlier in the week, the Tallinn Manual on the application of international law to what is the type cyber conflict, anyway, and the Tallinn 2 as it's going to come out fairly soon, how does that actually get applied? What does it actually mean in practice? These are all big questions we've got to get to grips with, rather than being stunned by the stuff or taken by surprise by it. These are all human inventions. We invented these things. We own them. So we've really got to start applying our ethical brain power to working out where we stand on it. It's all human. And the final thing I'd say is that none of us, not even those of us on this panel, have a monopoly of wisdom in this. This is why
this does become, as I said earlier, a big ethical question, and it's a question about the least bad politically.

Striking that you concluded there on that ethical note, because before I come to the next question, I might just mention that one of the peculiarities, I should say, about the National Security College is we have a resident ethicist on our academic staff, and it's good to see Adam Henschke there at the back of the room. So in fact Adam's very involved in our cyber program and other areas of our work. It seems to me we're on to the right thing there, and I think this is still a relatively new domain in many disciplines. And I'll give Adam the plug for his book that has just been launched. The only manifest error in it is that I get a tiny mention, but it's someone who disagrees with me, so that's what we call the oxygen of publicity.

George Brennan here. Well, this is going back to the last discussion really, but I know you've lost Herb, you suggested he didn't have all wisdom, and I don't think he's going to talk to you again. Now the interesting thing about that last discussion, really, was, I thought, how little, this is really more comment than a question, about how little reference there was to markets. I mean, it was all about governments and regulations, as if consumer behavior wasn't really going to be the driver. When you think of what we're really talking there, about consumer electronics and market effects, and the financial impacts of what people are going to do is going to swamp what government does. People will just vote with their feet in this space, and unless every country actually regulated identically and was regarded by consumers identically, you know, what happens in a particular jurisdiction and where companies move their jurisdictions for the purposes of their software development will be the driver. And I thought it was remarkable there was so little discussion of
market impacts in that discussion. So people may or may not want to comment on that, but that was my observation.

Any responses? Thanks, George.

Sure. The use of, governments have long had an influence on markets, right? We don't say that, the days where the government just stays away from the market and doesn't say anything to it about what it must do or must not do, or what it's incentivized to do or not incentivized to do and so on, those are long gone. So the question for, at least for me, when I talk about government action in this space, tweaking the market to incentivize or disincentivize certain kinds of behavior, for example security standards or what have you, that's certainly within scope. But I certainly didn't mean to exclude the role of private choice. But it's never going to be completely unconstrained or uninfluenced, public and private choice.

Well, and just to add to that, I mean, I think the whole discussion is against the background of 20 years of almost unlimited commitment to letting markets address these problems. And so markets, I think we take as given. Markets, all the successes we have are due to markets. You couldn't point to a single area in which a government has regulated on cyber security that has resulted in a success that didn't come from the market. But I think what we're all talking about, perhaps to varying degrees, is the role that the government can play in either setting a floor, so that we don't worry about the companies that are doing great but we do worry about the companies that aren't doing anything about security, or providing standards, you know, a way of saying, you know, you must comply with one of the standards set by one of the professional bodies, but something so that the consumer is not left totally on their own. There's no example you can think of about something we care about that we've left entirely to markets. You can't buy a car, you can't fly a
plane, you can't buy an extension cord, you can't buy a three-prong adapter in Australia to plug in the wall, that doesn't have an Underwriters Laboratories seal on it, so that somebody's certifying it because there are incentives to do so. In fact, in this case, they're import incentives, if you have a laboratory seal.

We're talking about a floor, there's no standard right now. We're talking about lowering the floor or raising the floor. And you don't think this is an area that's going to be prone for civil disobedience?

I would just say, right now there is no floor on the vast majority of cyber activities. So for example, I could sell you a modem that is insecure. I can sell you a modem that has no encryption. I can turn the encryption off. I can even compromise the encryption and sell it to you, and it doesn't violate the law. That's not much of a floor. And I think we might all agree, even those of us who are very concerned about too much regulation, a little regulation would go a long way, so that very responsible companies aren't tarnished by the very irresponsible companies that are taking advantage of the current laissez-faire attitude.

Any more thoughts on this from the panel, or we'll move on? And this is a debate unto itself, and I think it's a very, very valid one. There's a gentleman at the back of the room, I think, who had his hand raised, and then I think Greg Austin, please.

Hi, I'm Duncan Koenig, student at the ANU. It's sort of interesting, this discussion, and I sort of noted this sort of divide between the national security cyberspace and cyber security, and then the personal security level, which sort of goes to the Apple case. And you talked about the sort of maximal security level and then sort of the want to sort of lower that level so that the government could access it. And it sort of strikes me as one of the few areas where the national security apparatus hasn't been able to necessarily keep up with the developments that the private sector is creating for levels of
personal security in terms of access. So could you not then say that obviously that line, rather than being a static function, is constantly moving, therefore that lower level of access doesn't necessarily impinge on the security that one is going to have in the future, because you would assume that, I guess, even if you lower the level, it's still going to be moving upwards at the same sort of level? Sorry, I didn't explain that very well, but yeah, I just sort of noted that divide between sort of the national security and the personal security, and this is one of the few areas where it hasn't necessarily been able to keep up. Can we take one more minute, so I go? That is a very valuable question. We'll take Greg, yours as well. That is, we're running close to time now, so we might give the panel a chance to answer these together. Thank you, Rory, and thank you, gentlemen. I'd like to weave together about seven sentences from the panel and then end up in a slightly different place. So we all fit in one room for the moment. That's probably, sorry, it's a bigger room. That's probably not a desirable state of affairs. We'll probably need many rooms, because that's how Herb pointed out in one of his presentations, he's a specialist in cybersecurity and policy. And so, as John is saying, it's really the impact of cyber and cyber security on all these other fields of activity that are important. As my colleague from UNSW and NICTA and Data61, Gernot Heiser, was alluding to the other day, he really is interested in working on the top 15 percent. And there is a case in Australia for us to have many different rooms, some to work on the top 15 percent. We certainly have a national security need. And just to pick up on John's last point, because we discussed it, the Russian armed forces did introduce cyber defense troops into their strategic missile forces in the last two years. This is not an insignificant event. The United States does have a military strategy premised on use of decapitation of
adversary cyber command and control to achieve ballistic missile disarmament of small countries. That's their declared strategy, in unclassified. So I think as we move forward we see that the Australian research community is somewhat paralyzed, if we can take the ARC as a representative. And as Brett Beddington said, he's been trying to get up a cyber corp research center for several years, and every time this is tried it comes up against the sort of the problem that it's everybody's different version of cyber security that's sort of preventing us from getting up. So we need a mature concept of many different rooms and how I'm trying to fund those in different directions rather than all on one room. Thank you. Thank you. So two questions, one on the national personal security divide and the other, I think, partly about the top 15 percent, whether in fact we should be worrying about the remainder of security. So over to the... I'll just have a quick go at both of those. So to the first question, you're absolutely right. I'm convinced someone like Apple could come up with an operating system that had a sophisticated backdoor in it that actually would be an improved level of security than perhaps what other versions of other vines have today. There's a decision of choice for that country and every other country then to say, because someone else will find that and use it, and it's simple that matters. There's no doubt you could get good security, and then that's a matter for societies to decide. On the second point, the 15 percent, well, good research will cover all things, including blue sky, so yes, that needs to be done. My take on that, though, is, you know, 85 percent, the things that should be done are actually really, there's really simple advice out today to tell you how to do this. The world isn't doing it yet. We wonder why. Every day we pick up the paper or the iPad and we read stories, and when it happens to you, you're horrified, when
actually the answers to fix that, there's a known problem of a known remedy. And, you know, the ASD friends will tell you 85 percent of that could be solved if you did four basic things. That's the crying shame. That's why we say focus on that before you worry about the 15 percent. On the national security, personal security issue, the reason you have governments in the first place is that their job is to weigh, to make trade-offs, and, you know, you choose a government and they make the trade-off however they think best reflects the, quote, the national interest, unquote. I don't know of any person, any individual, who would say, I want a low level of security that's lower than what is technologically possible. Every individual would say that, of course they would. But that statement has consequences, and it's the government's job to try to make the trade-off. And if I were a policymaker I might make it in one way differently than I might make it if I were the same individual acting as an individual. Yeah, these are both great points, and I would just, on the first one, I think it's the precedent that's the issue, and I don't mean precedent in a legal sense. I mean precedent as a, do we not believe, I mean, it's just a question, maybe it is really an ethics question, that a company, you know, the first question was a company could not use encryption stronger than a certain amount, and then we got rid of that law. And then we said a company, if it used encryption, couldn't export it, and we've in some cases dealt with that. In the case of a portable device, then we've said, well, but we really want the company to have a way to break into it, and now Apple's actually engaged in litigation with the FBI over that issue. That's pre... And now we're saying, well, even if you don't have a way to break into it, we want you to write software for us to suspend the security so that we can try to break into it. And this is just a question: is this a
good thing? But if we go down this road, in other words we say yes, that's reasonable, then it won't matter that the overall level of security is rising, which I completely agree with you, because the precedent will continue to apply. The government will continue to then be able to say to industry, and by the way, we want you to spend billions of dollars piercing a hole in the security that you've just developed so that we get access to this cell phone. So it really requires a kind of rash, I think the public ethics is exactly the right, you know, what would be the seven criteria we should look at, how would you balance them, why in this case and not in that case, could we use a trusted third party, you know, what are the tools, rather than the kind of ham-fisted approach of a court orders Apple to go spend money to do something and Apple says no, we're going to appeal to another court. On the 85/15, I probably have spoken inarticulately, although I think I got the number from you, Paul, so I'm going to blame you. I don't think it's that we should stop worrying about the 15. I think, before worrying more about the 15, we should start implementing the 80 or 85 we know about. So of course the government and defense contractors and others are going to be worried at that cutting edge. Frankly, it's going to be, you know, 19-year-old graduate students who are doing this fabulous work at the cutting edge of the 15 percent. But I think the rest of us, as we think about this as a community endeavor, ought to be saying, what do we do to get implemented the things we know need to be done and aren't being done? If I can respond to Greg, your question, your comment rather, about the state of the cyber research community in our service. I mean, I don't know much about, and you clearly know infinitely more than I do. I don't know whether it's really paralyzed. All I'd say is, from my perspective on the basis of this week, it looks as if it's just starting to move, which I think is actually pretty
exciting, from, viewed from the outside. I'm completely with you, absolutely with you, on the need for a broadly pluralistic approach to this, you know, absolutely no doubt about it, and it must be genuinely so. I mean, the West, we're very fond of talking about, you know, rather proudly, about our multi-stakeholder approach to these sorts of things, and all I'd say is that we need to take that expression very seriously. It's not just about, you know, taking a rather condescending attitude to civil society and a few NGOs and letting them into the discussion. It is about admitting that there are different needs, ideas and arguments, and admitting of those things is actually, I would argue, is the basis of public ethics, to come back to that argument yet again, add to tedium. But my final point is selection of, what do you say you need, we did selection of rooms. Again, agree with that, that sounds pluralistic to me, but don't forget you also need the international room so that we can all come back again too. Yeah. Yeah, I want to answer both of those questions just by emphasizing that I think we make a real mistake if we think of cyber as one thing. I mean, it's cyber-enabled entertainment or transportation or intelligence or warfighting. So on that question about, you know, whether the government is lagging behind what the private sector is doing for security, it really depends what you're looking at, right? I mean, we've learned a lot of things from Mr Snowden and Kaspersky, that, you know, the NSA is at the absolute top of its game in places, you know, flashing firmware and persisting in places that nobody thought was possible. So there is real innovation, but who really needs that except for that really niche application? Now, there might be other applications, now that's known, that will go ahead and there'll be uses for. And that really blends into Greg's question about this 15 percent, and there are things in that 15 percent that are real niche applications
but are vital to look at. You know, I spent a lot of time trying to, like, deflate cyber threats and point that, hey, most of the activity is in the crime, in the espionage realm. But I'm also very aware that at the utter high end there are some interactions with cyber and other warfighting technologies that we don't quite understand and are quite frightening, frankly. The more we have sophisticated cyber-enabled nuclear command and control, for example, we have one set of technologies which is optimized for stabilizing great power relationships through clear signaling about what the consequences of action are going to be, and now we have a technology that is founded on deception, penetration, disabling, and you can have a situation where I know that your systems don't work, you believe your systems do work, we might be willing to take risks that we never would, and you can then export the instability of the cyber domain into the stability of the nuclear domain. There are interactions there that are very important for us to understand. And so I think cyber is strange in that we've got this very separating effect, effects at the high end, most of the effects at the low end, because information matters everywhere. So I think we desperately need to look at all of these things. Public policy should do the low-hanging fruit first of all, but we also want to make sure that we're not walking into these really dangerous situations at the high end. John, thanks. I think it's pretty sobering. I wanted, one of the presentations this week began with the slide of a nuclear mushroom cloud, and I think, you know, for a lot of us in the room it was a little bit difficult to imagine a journey from cyber to that, but you've charted it a bit disturbingly for us. So, you know, thanks for focusing our minds. We've only got a few minutes to go. I can probably take one more question or comment from the room, so if anyone has a burning question, please raise their hand. I think we have one in the middle of the
room, so fire away. G'day, I'm Rich Muter, I'm studying a master's at the ANU. My question was for you, Associate Professor Lindsay, following on from your lecture yesterday, which was very informative, thank you very much. I just had the question, what role do universities play going forward in cyber security, and what are some of the eminent institutions in your opinion? We didn't plant him. That's a right answer. It's a key, no, it's not, but I think the first half of the question is key. Yeah, thank you. Well, I guess it depends where your university is located and who your university is being funded by. We have lots of questions about some universities in China which are providing all kinds of very interesting technologies and reservoirs of manpower, and just trying to understand where those go and how those fit into the system are very important. You know, if you want to talk offline about what some of those in China might be, we can certainly do that. Changsha is a good place to start looking. Gosh, was your question which universities in kind of the world, who's doing the best cyber work? But John, I think the key point inside also is what is the role of universities. What is the role of universities? Clearly vital. I really liked the comment about teaching ethics to computer scientists. I think that the more computer scientists can learn at an early stage that what they're doing is not a purely technical endeavor, that it already involves ethical choices, economic choices, political choices, the more that they can understand that they're already shaping the playing field by the things they do, we're going to be better off. Likewise, you know, I think social scientists need to understand the role of technology in a lot of classic questions that we've always been asking. And actually this helps to tie together a couple of these questions that have come up about the role of complexity and ethics, and I think one of the things that have classically divided the social scientists and humanities from
the engineering and scientific disciplines are, engineering and science kind of looks at causes, right, how nature pushes things along. But if you look at the language of social science and humanities, it's all about what ought to happen, what is happening, what are our preferences, our strategies. It's all based on this concept that philosophers call intentionality, the directedness towards the future, things that pull us along. And yet now we have this technology, cyberspace, information technologies, that are building intentionalities into actual causal systems. And so we have to have universities that are helping us to work across those divides, so that each of these different disciplines, I think, understand what's going on. And in the larger question, what's the role of the universities, I think we have the opportunity to hear a lot of these difficult questions and challenges that we've heard this week, policymakers with their heads spinning with the complexity, and our comparative advantage is really time and context, to try and sit back and understand, okay, can we take some of that complexity, put it in a broader historical and social context, to maybe bring some metaphors to bear that will help us make these fundamentally ethical and philosophical decisions. Any other last words from the panel? I think we're moving close to time, but pretty few got a last word, fire away. Look, I want to wrap up here. A couple of comments from me, I guess, having had the privilege of really observing this conference this week and not having to organize, and thanks again to my colleagues who had that privilege. This conference has been a really important milestone for the National Security College. As I explained, we were established as a partnership between the Commonwealth of Australia and the Australian National University some years ago, initially with, I think, a mission that was very focused on executive training for the Australian national security community. We've developed on top of that
a very strong academic program, and cyber is one of the areas of research and teaching that is becoming a strength in that, and increasingly we're working as a partner on policy engagement, whether it's with government, whether it's with industry, whether it's with others. So this conference has really, for me, crystallized a lot of that work, with a strong international overlay. So I want to thank our speakers in particular for the work they've done in taking forward our international partnerships this week, as well as my colleagues, the organizers, and our sponsors. I also wanted to, I guess, touch on just one or two of the themes before I close. It's been a conversation that not only has taken us to some of the next steps in cyber security, which, with emphasis, I think, on partnership and this convening power that is going to be absolutely necessary to achieve that partnership. I've been very struck by the emphasis on ethics, and I think that's going to be, I think, important work for us going forward. I was certainly struck by the reference to a fridge as a weapon. I think that's, that it's a whole new meaning to Cold War, Paul, if I can go there. But quite seriously, and the metaphor of invasiveness, there are a lot of rabbits around the ANU, so now you know why they're there. They're there to remind us of the importance of our work. Look, in closing, I want to thank you all for being here. We're looking forward to holding several more conferences this year on some other themes, maritime security, terrorism, and indeed the meaning of national security, and I know that a few of the students in the room will be especially active in that one. But this again has been a milestone for us, and I want to ask you all to join me in thanking our speakers.