 So, for those of you that haven't met yet, I'm Peter Singer, strategist at New America, and I very much appreciate you hardy-few joining us for this session on cybersecurity in the Asia Pacific. You can follow it along or actually help push it along on social media at hashtag Asia Cyber. And why we're excited about this is there are two important trends that are powerful shaping forces, not just for regional but global politics and business today. The first is the continued growth in the importance of Asia by any measure. Asia is more and more the center of gravity in everything from politics to economics, whether it be a raw number of people, 60% of the world's population, to business and trade with several of the world's largest as well as fastest growing economies, to classic security issues where we have growing tensions, arms races, renewed rivalries. The second trend is the deepening of cybersecurity issues in the region. Asia has seen growing cybersecurity concerns at the state level where we have the buildup of offensive capability in nearly every nation. It's happening at the what you might think of as the gray space level where we have multiple hubs of intellectual property theft campaigns. It's happening at the private sector level. Asian companies are roughly 80% more likely to be breached with the median time between breach and discovery at 520 days, which is three times the global average. The result is widespread policy activity in the region, but also growing concern. And indeed a poll just out a couple of weeks back in the region found that security has become the number one internet concern in the region, passing by access. And so you can see this combination of trends leads to an important discussion to have and today we're joined by three fantastic experts to walk us through where these issues stand now, what's next and what can be done. 
First we're going to hear from Tobias Feakin, he's director of the National Security Programs and head of the International Cyber Policy Center at the Australian Strategic Policy Institute. Toby was previously director of the National Security Resilience Department at the Royal United Services Institute, as well as being appointed by the Australian Prime Minister to serve on the independent panel of experts for the Australian Cyber Security Review. Today he's going to present the findings of ASPI's recently released report here (I urge you to get it and also check it out online when it goes up) on 2016 Asia Pacific Cyber Security Maturity Metrics, which examines how each nation in the region stands in cybersecurity based on indicators that range from business engagement to military use. Then we'll hear from Denise Zheng, who is senior fellow and deputy director of the Strategic Technologies Program at CSIS, where her work is focused on technology, innovation, cyber security and internet policy. Previously she served as chief of staff and lead science and engineering technical advisor for DARPA's foundational cyber warfare program, Plan X, as well as in the private sector at CA Technologies, a $5 billion enterprise software security company. And finally as professional staff member for the Senate Homeland Security and Governmental Affairs Committee. And then finally we'll be joined by Ryan Gillis, who's vice president of government affairs and policy at Palo Alto. Ryan previously served as director of legislative affairs and cybersecurity policy for the National Security Council. And prior to that with the Department of Homeland Security, culminating with a position as senior advisor and legislative director of managing issues on cybersecurity and critical infrastructure protection. So thank you to all of you for joining us from various distances and for all of you joining. Turn over to you, Toby.

Thanks very much, Peter.
And thank you all for coming this morning, early in the morning on a fairly rainy and dull day in DC, probably better to be in here than outside. Maybe just to give a little bit of background to why we're here, why we're talking about the Asia-Pacific, what is this report that we came out with? We're quite a small think tank based down in the wilds of Canberra, down in Australia. And what we found was that we were having quite a number of private sector entities and different governments coming to us, trying to get a better understanding of what was going on across the Asia-Pacific in relation to cybersecurity developments. And clearly as a think tank, we thought, well, this presents us with a sweet spot. If that many people want to understand about the cyber, which I've been educated about now, it's going to be huge. Exactly. We felt that we needed to help explain that to those, perhaps we could do some time in front of Trump. And now we're into the third iteration of it. And we've matured the methodology and expanded the number of countries that we actually reach out to. And I think we've now got the best cyber maturity metric of the Asia-Pacific ever, and it will be huge. I've got to stop with these impressions. It's terribly beautiful, exactly. I'm absorbing that last night was just a phenomenal discussion to watch and try and get my head around the lack of content. It was incredible. So what do we do? At least repeat that. So what do we do? What are we talking about? Cyber maturity, what does it mean? Well, so we've assessed over 20 countries across the region and tried to understand how well are they developing in terms of their governance structures. So what are governments doing in terms of policy? How are they trying to govern cyberspace, both themselves and for their populations? What are their militaries doing in cyberspace? As far as you can tell in the open source, what are the developments there?
How well are they harnessing the digital economies that exist? What are their startup communities like? Are they making the most of this fantastic opportunity that you outlined, Peter? And then we also try and understand also conversely how well are they responding to financial cybercrime? Without robust cybercrime mechanisms, you are not gonna be able to ferment those digital economies that are looking so promising in the region. And then finally, and an important part of it, as far as we're concerned, is what kind of public discussion is taking place? Are all these different countries talking about what cybersecurity means for them in terms of content control and the kinds of discussions we're having here? And to be frank, it's patchy at best. But as you mentioned, the biggest single thing that we see in the region is this fundamentally huge opportunity. You look at GDP growth rates in the region. This year is expected to have a regional growth rate of 6.3%, which is enormous. And it's the envy of the world still. And if you combine that with the size of population, the fact that maybe only a third of that population of about four billion are actually online, the connectivity possibilities are absolutely enormous. And that means that there is this fundamental opportunity, but there's a sense that it could be missed. Now what you do is you put that against the backdrop of a vast amount of strategic change that's going on and the fact that clearly, and we'll get onto it later, countries such as China are challenging the international order that's existed for so long. What we're seeing is that everything that's going on in the physical space is being replicated in cyberspace as well in the region. And that's quite a dangerous position to be in. The other, perhaps obvious thing to say, but it's important to state is the variability of development that we have in the region. We have some of the most connected countries anywhere in the world.
Connectivity rates of 85% plus in countries like Singapore, Japan, South Korea, Australia, and the list goes on. But conversely, the opposite end of that, you've got countries like Cambodia, Myanmar, Laos, whose connectivity rates are in the single digits. So there are vast disparities in countries' economic wellbeing, their connectivity, and their ability to harness what's going on. So that, again, presents an enormous opportunity for governments, the private sector, but there are different ways that governments are translating that in terms of the way that they're applying assistance and capacity building, again something maybe we could get onto. Mobile connectivity going through the roof. Countries like Cambodia, only 0.5% of the population has actually got a fixed broadband connection, but about 42% of the nation have mobile phone connectivity. So again, it might be that disruptive business models and traditional infrastructure models might be actually eradicated in terms of the way these countries develop. So again, both an opportunity, but also a hindrance. There is also an issue with some of the nascent developments of certain countries that in terms of the policies that they're making, they could really hinder some of the economic growth patterns. There's a tendency now to see overzealous regulation within certain societies, China being a clear example of that, but we're also seeing that in Cambodia and Laos and also Myanmar. And that could seriously stifle the opportunities also. I think there's clearly a big discussion to be had around China and some of the policies that it's taking in terms of nationalization of technology base and some of the policies and how they might disadvantage international businesses trying to do work there. That is a very live discussion in the region and deeply concerning for American companies as much as any of those that exist within the region.
Maybe I'll just say a couple of things before we move into the discussion just about the military side and a little bit about what's going on in terms of government discussion and then that maybe sets us up for a bit more of a discussion. So for the military side of what's going on in the region, as you stated in your opening comments, clearly strategic change, military buildups in most conventional areas. What we certainly see in all the countries that we assess is that there's at very least a very basic understanding or attempt to understand how cyber capabilities could be intertwined into their conventional capability sets. If you like, there's this flirtation with doctrine and strategy and where these capabilities might fit. But every country that we assess is at very least looking at it if not beginning to develop those kinds of capabilities. Again, mirroring what we're seeing in other more traditional spheres, it's certainly happening in cyberspace. We're seeing new policies developed in countries like Indonesia and Malaysia in relation to the military application of cyber capabilities. But we're also seeing the more developed countries becoming increasingly confident in their approach to the utilization of cyber. And you've seen that especially through my own country in Australia and also New Zealand having admitted that they actually have offensive capability. And for Australia, that was an incredibly important breakthrough. It didn't happen in the Defence White Paper, it happened in the context of the cyber strategy release. But the Prime Minister announced that Australia does have offensive capability. And this leads us neatly on to the next section. But the second sentence was the most important, which is it's used within the confines and restrictions that international law and norms would place upon the use of cyber capabilities.
And that's very important because it's about setting a certain standard saying, yes, we have an offensive capability, but we would only ever use it in certain circumstances. And it's really, again, trying to set the discussion in the region, which is one which is varied at best. And so in terms of that discussion, there's a huge amount of work going on through the ASEAN Regional Forum in terms of trying to draw up a work plan which ties countries to capacity building, transparency measures, all of these good things which are important to stop miscalculation, misinterpretation. But you can see certain countries trying to stifle that. One country in particular, which always seems to rear its head, Russia is being very clearly active around the region in terms of trying to set up certain mechanisms which would stifle that entire work plan, which is a very practical-based work plan.

What do you mean, what type of mechanisms?

By putting in a working group, which is essentially a study group, which means that it has to then control anything that flows on from that. So within that study group, essentially it's an attempt to slow everything down to a snail's pace, and therefore the great practical initiatives that are outlined within the work plan would then struggle to take place. It's a very common diplomatic way of slowing down useful diplomatic processes. So we see that happening. CERT-to-CERT communications are fantastic, but we're also seeing a lowering investment in various CERT mechanisms around the region. Not Australia, we've just doubled the size of our CERT. We clearly see huge value in that, but regionally the investments are starting to drop. And when so much pressure is put on CERT teams to carry not only the practical coordination efforts around the region, but also increasingly a lot of diplomatic efforts, that's not a healthy situation to be in. So, I mean, overall, what do I see?
I saw this incredible region of amazing opportunity, but it seems to be at that juncture where there are so many decisions that could be made and take people in entirely the wrong direction. And right now is the moment for conversations like this to be shaping the discussion, to make sure that those decisions aren't bad ones and we don't lose the opportunity that the region offers.

Thank you and thanks for including me in this discussion today. I do have to say that Toby's report is probably the most comprehensive report out there on cyber capacity maturity in the region and it's also one of the most beautifully designed. So that statement is true. I highly encourage you to take a look at it. There was one thing that I think I was really struck by in studying cyber in the region and also in looking at some of the work that Toby's group has done on this is that the Asia-Pacific region is such a diverse region. It's culturally diverse, it's economically diverse, politically, linguistically and the maturity level is so far-ranging. And that makes cyber governance incredibly difficult to a degree that I think in the United States it's really hard for us to appreciate. At CSIS, we frequently talk with foreign government agencies and it seems that in recent years, governments from the Asia-Pacific have come to us more frequently than any other region because they are very much concerned about this. And in part, it's because cyber is such a technical issue. It's not just a national security issue that's complex with many different stakeholders but it is so technical. It's a new issue that a lot of governments in the region simply just don't know how to grapple with. So I think that since the United States past three to five years or so, there's been a major sort of wake-up moment in the region. The 2013 cyber attacks against South Korean news and media outlets was a big wake-up moment for South Korea, allegedly that those attacks originated from North Korea.
More recently, the attacks on the Vietnamese airport networks as well as the SWIFT communication system, financial communication system that ended up in about $81 million being stolen from the Bangladesh Central Bank as well as the cyber espionage activity allegedly originating from China, targeting government agencies in Hong Kong. These events have been a major wake-up moment in the region. And I think that cyber is no longer just a theoretical problem. It's not just a cyber criminal problem, run-of-the-mill cyber crime type of issue that we often hear about. It's an issue that they're dealing with where nation states are their adversaries. When you look at all this activity in the region, there are some common features. So China and North Korea are often the source of malicious cyber activity. And in particular, China has taken somewhat of a, what people call a salami slicing approach to cyber operations in the same way that they've approached maritime operations in the South China Sea. So these are incremental actions taken to put China in a strategically more advantageous position but are not so damaging that a single action is really enough to justify a national response. And you see that North Korea is following suit to some degree. These are really concerning developments. And I think that countries in the region really need to get together and figure out how to respond to these forces. At the end of the day, we see a lot of dialogue, a lot of discussion about strategies to improve cyber, national level strategies, dialogue in these regional forums, bilateral, multilateral dialogues. And at this stage, I think we're at a point where we need to see governments and companies put resources behind these activities. Implementation, operationalizing plans, strategies that we've been talking about for years.
And I think that a lot of the recent activity, the dialogues that are going on, particularly between military to military exercises, information sharing, those are all great developments but I wanna see more of that. And I think companies also play a really big role here. The cybersecurity industry in the region is tiny. When you look at the size of the industry, China obviously has the largest industry but there's a trust issue there. There's also a capability issue. I think the Chinese are actually much better at offense than they are defense when it comes to cyber. So there is a big role for industry as well. And I think Ryan probably has a lot to share on that. So I'll just pass it on to him.

Thanks very much. I'd start by agreeing with Denise's overarching statements on both the content and the aesthetics of Toby's report. I had the opportunity to meet Toby last year when I was in Australia and was really impressed with the work that they were doing and it's great to see this newest edition of the cyber maturity look across the region. It's a fantastic work and I think gives a great overview of country by country and an overarching snapshot. By way of background, my role within Palo Alto Networks is to ensure that we are tracking and informed about policies around the world, things that are relevant to us and/or our customer set and ensure that we are engaged in those type of dialogues. So a resource like this is fantastic. And I'll tell you candidly, we spend a lot of time focused on the Asia Pacific region. It's an area of tremendous opportunity and there's a great amount of activity going on right now. If you just look at both legislation as well as a national strategy within Japan, national strategy that Toby helped formulate in Australia, Singapore is doing a tremendous amount of work there. The track 1.5 dialogue that the three of us were just involved in last week between the US and Australia.
I think right now people are on planes, headed over to India from the US for track two dialogues, diplomatic dialogues right now. Coming up over the course of this year, you look at Singapore is doing a tremendous investment in bringing together ASEAN thought leaders and ministerial meetings. I think October around their GovWare conference, they're now bringing in ministers from around the world for a cybersecurity dialogue that is intended to really bring up the regional presence there. Japan hosted the G7 meeting just this year. It was the first time ever cybersecurity had its own section in a G7 declaration. And in Australia it was just a show of force last week from the prime minister to the secretarial levels and across government as well as industry with what they brought to the table for the dialogue. And so as a company, we see tremendous opportunities here. There are regulations and we can get into that a little bit Toby as well as legislation that are moving. I think as a starting point, as a reaction to the operational realities of cyber. Denise and I actually worked on the legislative debate in the U.S. dating back to 2011 where the U.S. considered and then ultimately Congress rejected the idea of a single cyber regulatory force within the United States. So what you've seen develop is on one hand, a voluntary approach to cybersecurity standards through the NIST cybersecurity framework and regulators on a sector by sector basis within industries. So six to eight independent financial regulators, for example, taking on cybersecurity in their own way. And so what you've seen in the U.S. is this collaborative approach between the private sector and government in establishing voluntary best practices and then a sector by sector and sometimes sub-sector approach to regulation. Regulation as Toby mentioned in some countries in the Pacific region, particularly aggressive.
In other places, I think there's a collaborative approach to ensure that we're not creating a moral hazard with the regulations that are being implemented. And so Japan, for example, is taking on everything from IoT to data protection and doing so in a way that takes in input from the private sector and ensures that they aren't creating unintended consequences. So again, from a corporate perspective, we see a tremendous amount of activity and energy going on in the Asia-Pacific region. A lot of opportunity for dialogue and a lot of opportunity to engage in the process because this truly is a present creation moment for the cybersecurity environment, regulation, bilateral. We haven't even gotten to the China piece yet.

So I'm gonna ask each of you a question, but I want the others to please weigh in in response to it. So actually, you hit it at the end. And it's the fact that one of the changes that we've seen in the last couple of years has been the implementation of national level strategies. We have it in Australia, Japan, Singapore. And so Toby, I wanna turn to you, but the others please be on call here. Where do you see the differences? Compare and contrast for us these national strategies, and then because we have a mostly American audience here, do you see certain lessons learned for the US as we continue to evolve our own strategy? And we'd love to hear from the two of you as well on that.

I like the way you flip that because usually it's everyone trying to learn from the US and you'll be all relieved to know that we place US at number one. And to be frank, it has been for every year that we've done this assessment, but there could be lessons. Let's just pick through a few of the strategies that have been developed. There's been a general trend across the region for this increasing centralization of governance structures. I'd differentiate between two things, one of which is the policy development and then the actual other side, which is the implementation.
And you have to split the two because then there are some other examples where it's gone wrong. So Singapore, great policy document, centralization of structures and they have lit the afterburners and implemented it. Within 12 months had created a new cyber agency, stood up and they're up and running and away they go. And some of their plans on IoT and smart cities at 100% demand it. So you can see that the business requirement forces the government into a position where it must deliver, otherwise it's gonna just have so much risk involved in all the developments that it's gonna take. So Singapore, brilliant. Japan, to be frank, some of the structural changes that they managed to make in very short shrift is incredible. Institutionally, there are often huge barriers between the different departments in Japan, but to create the cyber agency that they did, they managed to negotiate those different departments joining together, again, incredibly quickly. What's the requirement that's pushing them? Well, one of which is the hacks they had on pension schemes there. It lit the public's imagination and anger was very, very high from the public that they felt enough wasn't being done. But the second element is the fact that they're gonna be hosting the 2020 Olympics. So again, you can see how the policy was created, but then, if you like, the impetus was running alongside that to push the delivery of the strategy. Then you have the not-quite-so-good, which is, let's look at a country like India or the Philippines, which come out with documentation, which is pretty good, but the implementation just severely lacks. And India has struggled to really implement many of the centralization of government structures, the new cyber command that it was talking about off the back of a policy that was released 12 months ago.
And I'm sitting here, I was part of the advisory panel for the Australian strategy, and a great document full of really good, sensible ideas, trying to break down those inherent barriers that sometimes exist between departments. But now we have already had a time lag more since April, so we're talking six months plus. Have we seen all the implementation begin? No, we've had an election, we've had this time lapse. So there's a danger that suddenly 12 months has disappeared, and when it comes to time, that fortunately in the Australian sense, there's a requirement to report back every 12 months to parliament on where you've got to with the implementation side of things. So you can foreseeably see a point where there's a sudden panic. Panic sets in, my God, we've got to suddenly deliver that within 12 months. So what I'd say is there's been this centralization of governance structures, policy development has been rapid across the region, but the implementation just not there. I mean, one other case study I'll talk about and then maybe we can broaden it out is Indonesia, who again have made a lot of policy development very rapidly. They had legislation that had been existing within their system since 2004 to even get to the point of trying to create a cyber agency. So over 10 years of waiting for the legislation to filter through the system. Finally that arrived, a cyber authority created, and then suddenly we had announcements only a month after that when apparently the cyber agency was being disbanded. And then the minister who had taken over that particular agency was seen as a right-hand man of Jokowi and great hopes there. We actually met them in Indonesia and we were doing some work there. And then all of a sudden he's taken out of the equation and we've gotten rid of.
So sometimes you see within certain countries in the region that there's some great progress being made and then suddenly the system just falls down and the impetus is lost and you can then foreseeably see another five year time lag. And you look at a country like Indonesia which is seriously expected to be one of the economic powerhouses within 10 years in that region. That is a country that operates on well over 80% of all its software is off the black market. And that includes government systems. So think about the vulnerabilities being carried there and if you can't get the policy in place and you can't deliver it then that economic development cycle is in danger.

Ryan, Denise, do you want to weigh in?

Yeah, I think this is a really interesting point because the desire of a lot, a lot of these countries in the region realize that they're on this sort of brink of massive economic growth. They want to grow their technology industry in particular. So what you see is not only in China but in certain Southeast Asian countries as well as perhaps in Japan to some degree South Korea is a sort of conflicting industrial policy and security concerns in the sense that these countries sincerely, they legitimately care about cybersecurity. They care about trust in the equipment and the services that they procure but at the same time, they want to grow their industrial base and they're seeking to leverage security standards, regulations to some degree to bolster their domestic economy. And that has actually sort of a counterintuitive effect which is that the effect is that they are actually less secure, they may not be buying the best, the most secure technology. We see this happening across the board. I think it's a worrisome trend, not only for American companies that want to do business in the region, I actually think that there are legitimate concerns there.
I mean, we have China in particular ramping up a lot of their cyber espionage activity, targeting Korean companies, Japanese companies. I think it's safe to assume that a lot of the intellectual property is stolen. Most of the news that we hear about Chinese cyber espionage is focused on American companies and European firms. I think some of that is shifting. So I think China is a big force to deal with in the region. I know, I'm glad to hear that Toby is very optimistic about all the strategy development and the governance models, the centralization of authorities across a lot of the countries in the region. But I think that this is a bigger problem and will continue to grow as a major problem for the region.

Perhaps if I could just chime in on that. Yeah, I have huge optimism, but like you, I also share some deep concerns about the direction of travel and especially the influencing role that China now plays within this. There is a growing capacity building discussion around what can countries do to help those that are at the beginning of that digital journey. China is very cognizant of this and wants to legitimately play into that. As far as China is concerned, it's the regional powerhouse that should be playing in all of these countries. So having been party to a number of discussions with Chinese government and private sector about how they view that change, I remember writing a piece after a trip to Beijing about 18 months ago, which there's a sense of wanting to deliver capacity building on steroids and it's going in hand in hand, government and state-owned enterprises to assist countries develop not only their physical backbone infrastructure, but also develop their policies and develop their policies very much along a Chinese line, which is very much around content control, about government ownership of the networks and the information that flows on them.
There's a great case study of Laos, who were provided with an entire network and the computers that created that network by the Chinese government, and which department was that offered to? The Laos Foreign Ministry. And it was accepted, thank you very much, all for free. Was there a true understanding of what that meant? Probably not, but it was accepted anyway. And my concern is when you look further down the line, what kind of strategic change can you begin to effect? Because that's clearly what people are thinking about here, and the US are doing it too, don't get me wrong, and not in the same way, but it is about what kind of strategic change can you effect by cyber means. And I think that's one of the big fundamental questions that, Peter, people like you and I and all of us on this panel need to be thinking about, because I'm not quite sure we all quite understand that yet, but we're all heading down a path where we're trying to effect something and I'll answer a question.

Ryan, I wanna, you come at this with an interesting double perspective from having been both on the governmental side but also now in the private sector. So I don't wanna lose the opportunity to continue this line of questioning on China, but also, arguably from the American policy world as well as business world perspective, when it comes to the big news in Asia Pacific Cyber Security over the last year, it was the US-China bilateral that supposedly was supposed to do something about IP theft that Denise brought up. Where do you see that from the private sector side? Are you seeing the impact of that? And then can you also speak to what Toby brought up here of the strategic programs of the two and where private sector views this?
Sure. So as we look at our priorities, where I'm gonna spend my time and resources, I look at, from a market perspective, what makes the most sense for us, where we have the biggest presence and where are we growing, and also are there perhaps smaller markets that have an outsized influence in regional policy. And so my time is primarily spent right now and in the region on the mature areas that Toby talked about: Singapore, Japan, Australia, South Korea, places where also, as I said, as a company there are structural inputs into the policy making process to ensure that there is a voice within there. China is a different place, and so we as a company have not invested in the same way in that market as a lot of others have. I think, one, we don't sell direct to a consumer, and so that just broad population market that may appeal from a consumer facing company doesn't have the same sort of attraction to us. And if you're selling to enterprises, what are the primary targets? Well, they'd be government agencies and or heavily regulated industries, and in both of those cases there's a different sort of business calculus that you have to make in investing in China.
We similarly don't manufacture in China either. So to the question about the bilateral agreement, the first thing there I would focus you on is what's included and what is excluded in the US-China agreement. And so the agreement reached in the Obama-Xi discussions of last year was that state intelligence services wouldn't target other countries' corporate intellectual property for economic gain. So intelligence on intelligence type activities are absolutely not covered, broader cyber activities that don't fall into that corporate espionage are not covered as well. And so it's first of all a subset of overall activity that you see emanating, and secondly I'd say that that is not a big enough group of activity to drive down the overall threat environment, which we continue to see going up. And so early indications, still sort of anecdotal, but both private sector and some initial government input, is that there has been a drop in that type of activity covered by that agreement. I'd say that that has not changed the overall threat environment, and I'd say there's a lot longer to go. So there is, while the initial indications are such around that corporate espionage driven by state sponsored activity, I think there's a lot longer to see whether or not that has an overall impact in that area and whether it holds true.
One last question, oh, I'm sorry.
I was just gonna comment on that, so correct me if I'm wrong, but it sounds like most of the firms that are out there saying that the Chinese espionage activity has diminished as a result of the deal, they are monitoring the attack platforms that they've associated with Chinese espionage activity and they're seeing that activity go down. But when you look at what's actually going on internally within the PLA, the People's Liberation Army, and the Ministry of State Security, you see what is a maturing of their cyber capabilities, their plans, the way that they do targeting. It's much more routinized, systematic, and some people would say that the Chinese are getting simply just better at being stealthy and covert. So can we say at this moment that the Obama-Xi deal has had a dramatic impact on commercial espionage targeting the United States? Probably yes, but they've also shifted a lot of their activity to other countries. So I think that the question about norm setting, whether or not we've adequately now set this international norm of commercial espionage as not acceptable state behavior, I'm not sure that that is fully a norm. I know people would like to say that and tout the successes of the agreement, but I'm curious to hear what you, Ryan, having probably worked on that while you were at the White House, and also Toby, from your perspective in Australia, watching your neighbors experience a lot of Chinese and in Australia experience a lot of Chinese cyber espionage activity, what you think of the deal?
I think you make a couple of points that, so I absolutely agree there's a lot to be seen here. So I think one of your points is it's hard to know whether or not the firms and initial evidence that have come out are an indication that this activity has stopped, or is it a change in techniques, tactics and procedures that actually go less detected?
It may be a combination of the two. It may be that folks are not looking in the same places or they're not targeting the same things, or it could be a temporary drop off. I'll tell you, from our perspective, we don't do incident response and we don't focus as much on attribution as others do, and so I wouldn't give you a hard and fast data from my company, 'cause we focus on the what are the attacks that are coming at our customers and our client base, and we're less focused on the who. And so our goal is to stop attacks regardless of whether they're nation state based for corporate intellectual property purposes or criminal attacks or anything else, and a lot of times you do see a mixing of the same TTPs used for a number of different purposes. So I do agree that we need to continue to build the body of evidence, we need to see if that norm is upheld, and you're right as well that if that is just a bilateral agreement rather than a broader norm that is spread, then you're just shifting the target set potentially to other countries.
I want to follow this up with a two part question. So how is, one, how is the effectiveness of that bilateral agreement, what's your perspective on this from down under? But then second, the approach of it being a bilateral, how is that viewed?
Firstly, Australia is supportive of that entire agreement. Clearly it's a Five Eyes partner, it appreciates the efforts that the US is making in trying to firstly call out behavior and then try and set norms. Is Australia likely to do something similar, which is a slightly different response, but is it likely to? Not at this moment. I don't feel that there's quite that level of maturity in the public facing part of the conversation and Australia to that happen. In terms of the value that Australians place on that bilateral and those kinds of discussions, an enormous amount, undoubtedly. You know where Australia sits: China, huge trading partner, an enormous amount of reliance on China buying up raw resources and minerals from Australia. Okay, that side of the economy is faltering somewhere at the moment, but we have this huge reliance, but we're also conversely very strong alliance partner of the US, so that there is a fine line that Australia has to tread. So we're very, very supportive of that. Obviously we do not want our own businesses to be subjected to a great deal of IP theft, but they are, quite clearly, and I don't think awareness is quite as high as it should be across the private sector in Australia as to what actually they are facing, because you also have to understand the Australian economy is fundamentally built on small to medium enterprises, not big end of town. It's a quite different economy to that which exists in the US, so I think once you get down to that level, of understanding about cyber security, it's pretty low grade. I mean, just in reflection to what Denise said there, I think actually it's symptomatic of these big changes that have been going on inside the Chinese system in terms of the structural changes that the Xi has brought about over the last number of years. I think it's more a consequence of that taking hold, if I'm honest. I think that bilateral and the norm setting is vital, but I think the change in behavior is more around the structural changes and Xi actually
beginning to take increasing centralization hold of the agencies, trying to get rid of those PLA generals who are siphoning off IP for their own back pocket. It's more about strategic use of that cyber intelligence, if you will, and I think that's where we're getting to. It's just becoming slightly more sophisticated. It used to be we just said it was all about quantity. I think now you're talking about perhaps quantity and sophistication in a way that perhaps wasn't there before. So again, it's not that we have to wake up and cry into our pillows about bad evil China, not at all, but it's being aware of the change of that threat and also being aware that there is a massive internal fight within China between the departments about who owns cyber, and that plays out in some of the documentation that comes out, where you see very heavy handed PLA statements about the MSS and the MFA all being under the jurisdiction of the PLA in terms of delivery of cyber capabilities. And I think that to me is quite evident of the PLA playing their hand and saying we own this cyber thing, keep your hands off, because it's also well known that other agencies are developing their own capabilities under this new structural shift that's going on.
Let's open it up to the audience. Please raise your hand, wait for the mic to arrive and introduce yourself. Right here in the front.
I'm Mike Nelson with Cloudflare. I'm glad you're doing this, is a very important report. Here in the US there's a massive amount of confusion about what the word cyber actually means, and the West Coast and the East Coast can't agree. We're not as confused as the debate last night about cyber, but I'm curious, in Asia is there a pretty common understanding? In Russia we have people talking information warfare, by which they mean partly blocking information they don't like, not blocking malware and cyber attacks. Do you see the same confusion between cyber security and content people don't like, and is there any way we can come up with a new word
maybe to get consensus?
I'll happily take that on. I sit in a lot of ASEAN Regional Forum meetings and it seems that the definitional question comes up time and time and time again, and here's the line: we are a region of different cultures and different experience and we have different understandings of what cyber or information security might mean, we need a common language set before we begin actually working on anything practical. And that worries me more, because if you get stuck and entrenched in the definitional issues then you stop doing anything useful and practical. I mean, you could come back at me and say just as easily, well, you know, if you do things off the bat without any common understanding then actually maybe what you do might be more counterproductive than doing nothing. But in my view, if we get stuck in that discussion too much, it then begins to play to the dynamics of the region that certain countries want to exploit. For example, certain countries, Thailand, India, Malaysia, China, love to put on the table the discussion of cyber terrorism. Okay, and that's a word that I personally detest. You know, it's the internet use, sorry, it's the terrorist use of the internet for me, because where that conversation immediately goes is to content control, and language then becomes very, very divisive. So whilst I note the importance of it, I think if it ties us down too much before you can get on with the good practical work, which is genuinely assisting countries in their development process, then we should put it to one side. If I can implore you all to do one thing, it's just whenever anyone uses that term with you, can you just correct them or just give them a flick in the ear or something. Stop it. I would note that term has been used in over 50,000 news articles, books, blogs, reports, and at least according to my definition of cyber terrorism there has never been an actual incident of it, in terms of, or not just mine, the FBI definition of cyber terrorism, which is to cause physical
damage, not merely to communicate with it. Do you want to weigh in on this sort of definitional, how you set the boundaries part of it, either one of you?
Yeah, absolutely. I'd agree with Toby, the definitional issues between the west coast and east coast of the United States are not isolated when you move to an ASEAN region that's so diverse in language and culture and approach to cyber. I'd second also Toby's caution about this cyber terrorism use. I think it is unproductive and in many cases counterproductive to conflate intelligence missions and investigative missions with cyber security. Cyber security fundamentally should reinforce privacy. If a network is better protected, your personal information, your confidential communications, your health records are all better protected. That's very different than the investigative mission that often is juxtaposed with cyber as well, terrorists using information means and or technology to communicate, and as Toby said, that goes directly into content.
Can I follow up on this? Are we, so the division that was laid out in the US was said east coast west coast, which you could really put it as policy world versus private sector, and that's been made very clear on the encryption debate. Are we seeing that, so we then moved over to Asia, in terms of kind of overall, are we seeing a similar split inside countries there between private sector tech companies and government?
I could just, I actually don't, I was sort of picking up on his sort of shorthand nomenclature. I don't think there, I think the definitional issues around cyber in the United States are not coast related, and you could get fifty cyber people in the US in a room and you could probably come up with fifty different definitions of cyber. And so I think it's a matter of perspective and the relative newness of this issue, and needs to mature in definitions.
But you have seen a split in terms of, for example, the encryption debate.
Sure, and again I think that is separate than cyber security. I think that
focuses around the investigative and law enforcement national security mission that can be conflated with cyber but in actuality is a different issue.
I mean, let's walk straight into the encryption discussion then. I mean, one thing to say about that: isn't that amazing that we can actually have that discussion? Because you can't in certain countries that I work with in the region. You know, the whole concept of talking about encryption and how an individual would view the importance of encryption to them versus how a government would utilise encryption or want access to encrypted data, that can't take place in many countries in the region, and that actually concerns me a great deal. And do I, if for example in China, is there a difference between how the private sector or state owned enterprises view cyber security or information security between themselves and the government? I'm not sure. But is there a very active public discussion on encryption? No, certainly not. I mean, let's reflect on that in the Australian sense. No, I don't sense this great kind of friction between the private sector and government in terms of how they define the terms. Yes, there are friction points in terms of regulation, so it's very similar to the US, it's the similar kind of things: is this going to affect my bottom line, are you going to affect my business model by the kind of regulation that you take? Is the discussion as polarised and as active as here?
No, and that surprises me sometimes, even in that sense. But you know, I think in the Australian context often the public are very accepting of changes that take place in policy without as active a discussion as plausible, to be honest. That's where our centre came about, because we just saw there was this great vacuum of lack of discussion on these very important issues.
I think the encryption debate suffers from a lot of the definitional problems that we see in the cyber debate as well. I mean, when you watch people talk about encryption, it's usually do we want encryption or do we not want encryption. It's not a binary decision like that. Or do we want strong encryption or weak encryption. It's just casting the debate in this choose one or the other, mutually exclusive, either security or privacy type of approach. It's just not helpful, and I think that when I hear foreign governments talk about encryption, I think the definitions are even more muddled than the discussion is here in the United States. That's a real big problem, because like Ryan said, it's about law enforcement and investigations and it's about national security authorities. It's a little bit separate and distinct from cyber security, yet the two get muddled together frequently.
Someone else's question.
Rob Morges from right here, Cybersecurity Initiative. First, quick plug: for those of you more interested in a broader discussion on definitions, we do actually have a large definitions database where we scraped definitions from every national strategy on cyber security that we could find. You can find that at cyberdefinitions.newamerica.org. Quick question on capacity building, that Toby, you touched on a little bit when you talked about Laos. I think Asia Pacific sort of writ large is an interesting case study into the sort of political side of capacity building. When we talk about importing policies as well as tech, sometimes those two things are connected, and I'm curious, for me it comes down to sort of being an informed
consumer and knowing what you are getting into when you're accepting aid, and I'm curious your thoughts on what can be done to help especially the smaller countries with a little bit less capacity to start with get that capacity to be an informed consumer of the goods and the policies that they're bringing in.
Information, information, information. I think it starts with governments being willing to accept that they need to understand a little bit more before they take the aid or the policy advice that they actually accept. A country that will remain unnamed, I was requested to go up and give a series of briefings on particular countries and what they do or don't do in cyberspace, because there had been subsidized provision of infrastructure to that country, and advice to government had been not to take it, but it was taken. So it was after the event, talking about what that might mean, and that, to be frank, is too late. If you haven't taken that advice in advance then you're not doing it in an informed fashion. So how do you get countries to do that?
That would be great difficulty, because it means a country reaching out and admitting that they perhaps don't know something. The way that that is being assisted is through forums like the ASEAN Regional Forum, and I'm pretty passionate about the work plan, because that just provides so many practical elements of work that countries can accept, work bilaterally on or work as an ASEAN Regional Forum together on, and that genuinely has the ability to raise policy awareness, build capacity in the right way. But as ever with these processes, it begins to get, from a very good genesis of an idea, you can see how it's being steered down different paths which might not be quite so beneficial. One thing, couple of things on private sector and also public awareness. When you have so many online users emerging, and especially in the mobile sense of internet access, which is the predominant accessing of the internet now in the region, what you find is with first time users, they are the least experienced and least understanding of what basic cybersecurity might mean, and especially when they're given a mobile platform. To be frank, so many people are unaware of what a mobile platform, the kind of vulnerabilities it provides them with. So there is a gap in understanding there in the region, and that is only due to increase enormously over the next five years. That's somewhere where the private sector can assist, and that's something in terms of capacity building in the region, need to find projects where the private sector and government can work together. And the private sector, something that does assist them in the products and services that they put out there is if they are dealing with a more informed public. So publicity, it sounds like a really simple, almost, you know, apple pie thing, but you know, publicity around basic cybersecurity on mobile devices, great capacity building project I think easily private sector and governments can plug into, and that raises the bar in a way that's just not there at
the moment in the Asia Pacific.
Ryan, you're nodding your head.
So to pick up right there, for those of you that heard Prime Minister Turnbull speak last week, one of the things he talked about was capacity building and awareness within C-suites, corporate boards and corporate executives. That's something that we have focused on. Starting in the US, we did a book with the New York Stock Exchange last year. It is not for sale, it is actually free, to educate boards and execs, who in the US I'd say over the last five to ten years have realized that this is part of our core responsibility. We've seen an overwhelming increase in cybersecurity subcommittees, usually on the risk committee. It is part of the overall way that US corporations have begun to approach risk management for their organization. Actually just last week we launched a regional version of that book in Australia. Admittedly we would have said it a different week had we known the ministerial meeting was coming at that time, but great response to in Australia, a thousand people came out to begin that dialogue. Toby was actually one of our authors, so we brought in authors from all different walks of life within the Australian cybersecurity and business community. We're going to be launching similar supplements in Singapore around the GovWare conference and then in Japan around the Cyber 3 conference, which Japan is hosting in November, and this will be the second. The last year they did a joint Cyber 3 conference with the World Economic Forum in Okinawa that again had a lot of discussion around this sort of education around top executives and how do you put cyber and technological issues into means of overall risk management that are required for governments and companies.
Let's get another question in here, right here in the front.
Hi, I'm Ditz from Sasakawa Peace Foundation USA. Thanks for this great panel today. I want to follow up with what you were just discussing and talk about building the cyber workforce in Asia Pacific. So
a lot of what I've been hearing here is that Asia Pacific is just starting to get to the stage where it's talking about policy, we're getting discussions and dialogue going, which is great, but we're still building public awareness and we're building the capacity to actually follow through on these things. A lot of the countries that I saw were listed high up on the report that was just released today, these are countries that are well connected and that we're hearing a lot of dialogue from, but we're still seeing, as you said, a lack of awareness in the C-suite, and we're seeing a lack of people to actually follow through on getting these countries not just more connected, which also means more exposed, but getting them more secure. What does the Asia Pacific need to do to build their cyber workforce and get more folks actually working on the ground to get their network secured better?
So I think the workforce issue again is something that is not a regional problem, we see it everywhere that we go. I'd approach it from both the demand and supply side. I'd say every country needs to build up its cyber workforce. You need to build cyber literacy, I'd say at the earliest age of childhood development, needs to be part of, as my two year old now can use his iPad, I think we also need to start infusing cyber security into that early age sort of functionality use of technology. And there are certainly countries within the Asia Pacific region that are focused on that. Every time I talk to the cyber security agency from Singapore, that is one of the major areas of focus. They want students, they want training, they want to work with companies to build up their expertise in that area. The other piece I think is really important about cyber workforce is we need to look at the jobs that we're putting people into right now. So we've just over the last few years, particularly in the US, started to come out with all these studies to talk about tens of thousands, hundreds of thousands, millions of unfilled
cyber jobs. I do think we need to look at whether or not we're trying to put people into jobs that software could do better in this way, because there's just no way for people to scale in certain responsibilities against automated threats. And that's not a pure vendor pitch. There's no substitute for people throughout the cyber ecosystem, and cyber security requires people, process and technology, but we can't just throw people at this area. You will never get small and medium businesses able to scale in that way, and so we need to look at places in which we can automate defense more appropriately, combine with people and process, and then focus our workforce on places where people have the core competency and the advantage.
So do you want to weigh in as well?
Sure, I mean, I give you a few minutes on that. I think everyone's in the same boat to varying degrees of severity, which is lots of new jobs being created, not enough people to fill them. I mean, something that worries me is the fact that we're setting up a lot of managers to fail almost in this regard. Here you go, we can double the size of your department, and then the manager's looking at this situation saying I've already got a shortfall in staff already, how the hell am I going to double up in size in a year? And that's worrying for middle managers everywhere, I think. How do you go about it? As Ryan said, try and get kids of all genders and backgrounds involved in this as early as possible. Hey, the North Koreans do this. They're scanning kids as young as 3 to 5 years old and working way through the system. I've used this example a couple of times and I always feel a bit twisted for saying it, but they've been doing this for a long time, and there's a reason that they have an effective cyber capability, and they filter through the system at every level. And I'm not saying we should all adopt a North Korean model of education, but certainly getting people and kids excited about the kinds of jobs and opportunities that exist and making
cybersecurity sexy. That was a strap line that came from a conference in Australia around the Australian Cybersecurity Centre, and that was where we got to, is how do you make it like a really exciting career for a kid to envisage. Because we have problems with politicians, making them understand what the hell the cyber is, for God's sake. If we're in a presidential debate and that's the level we get, imagine what it's like across the rest of the political elite. So we need to be able to make it visual and touchable to kids so that they can go, yeah, I want to do that.
I'm going to be like Rob and abuse to tout New America. We've got two projects wrestling with that question, and one is we actually have a program that's going to work out in Hollywood, partners UCLA, on how cybersecurity is depicted and how does that affect things. And the other challenge in the human resources side is the diversity. You know, it's not a diverse workforce and it already has a pipeline issue, so we address with that. But this question and your introduction of North Korea, which I'm happy to call a mal-actor, it's a different question I wanted to put out here. So we have workforce opportunity on the positive cyber security side. How do you three see the development of, we can call it the underground marketplace, we can call it, you know, it's the enabler for both the state threats, the hybrid threats, the non-state threats. There's been some work here looking at how dark markets actually break down along language lines. Are, where do you see the sort of underground marketplace as it pertains to Asia compared to the global whole? Maybe in, Denise, is something I think you've worked on.
So one fascinating thing about the underground economy for cyber crime in Asia is it's not actually that underground. It is very much a gray or white market activity. When you look at the types of platforms that hackers use to communicate with each other, to share exploits, vulnerabilities, malware, this, the platforms that they use to monetize
hacking, it's completely legitimate communications platforms and payment platforms, like Alipay for example or WeChat. You can literally go into a WeChat forum and order a DDoS attack. So you know, clearly there is a law enforcement capacity issue here. There aren't, you know, legal structures in place to really crack down on this activity, there aren't, there isn't the actual expertise and human capacity and, you know, technical understanding to go after these folks. It's really astounding, I think. You know, when you look at the ways to combat cyber crime, and so we're going to split the world of sort of malicious cyber activity, if we split it up into sort of, you know, run of the mill criminal activity versus the nation state level activity, on the criminal side, where, you know, financial gain is the primary incentive, we really need to find a way to disrupt the ways in which these groups monetize cyber crime. And you look at the sort of supply chain for cyber criminal activity, you find that the people who actually write the malware and deploy the attack only make a very small percentage of the total revenue associated with a campaign. It's the money mules, it's the mule herders that actually earn the most in this economy, and you know, we're not really doing enough to combat that type of activity. So looking at how to disrupt virtual currencies that are being used to monetize cyber crime, you know, a lot of the same types of money laundering methods and vehicles that are used for cyber crime are actually used for other illicit activity like threat finance, so you can actually kill two birds with one stone. So we need to be thinking more about more creative ways to disrupt the underground economy, which is not so underground in the region, and working closely with law enforcement, cooperating on how to do this.
You know, definitely want to build on that and take it out of the underground and talk about just what you've got in the Asia Pacific in parts is just this unbelievably permissive
environment for cyber crime activity: expanding bandwidths, increasing connectivity, but legislation that just simply doesn't keep up, and especially in terms of cyber crime enforcement. You now have certain countries which are just open game to actually physically relocate, and now what we understand that there are parts of Eastern Europe which used to be famed for housing certain cyber crime criminal gangs, they're physically relocating to the Asia Pacific now, because they understand that there are parts of being arrested, they have just as much ability to have fast bandwidth. That means that chiming along with that, there's some basic assistance needed in terms of educating judiciaries, legislation support, in order that police understand how the forensics work, how they actually begin to prosecute and how they begin to put, simply, the bad guys in jail. That to me is deeply concerning. I mean, physical relocation of cyber crime gangs, we all thought this was something that we could just do from wherever we were in the world without any kind of comeback on our activities, but actually clearly some of the strong actions taken by certain governments are working, but certainly that shift is taking place. It's like all of us, we look at the opportunity and there's a great amount of money to be made in the Asia Pacific and the digital economies, but crime is a business and it sees that opportunity equally as a student.
Let's get one last question, and right here in the back.
Thanks. Russell Schell with GTI, a new policy think tank focused on Taiwan policy. My question, let me reiterate the comment that everyone had for the aesthetics and the content of your report, but I'm a little bit surprised, on a report on cyber in Asia Pacific, that Taiwan was omitted in the scope of your study. I think Taiwan, as exposure to cyber attacks from China, to experiences with handling cyber attacks, and to also, you know, its knowledge perhaps of TTP from China, that there are a lot of knowledge that Taiwan could
share in dealing with governance issues as well as cyber issues in the Asia Pacific. So I guess question is, why was Taiwan omitted out of the scope of the study? And more generally, I suppose, for the rest of the panelists to sort of discuss Taiwan's role in cyber governance in the Asia Pacific. Thanks.

Well, firstly I'll say it's an intuitive process, so it's impossible for us to cover every single country in the Asia Pacific immediately. Understand that we're a small team, and the amount of research that goes into this is ludicrous. I don't think, apart from those maybe you work in research, this is distilled from about 300-plus pages of Word document to actually get to this point. Actually, there was a visit from an ASPI delegation to Taiwan recently, and there was discussion of, an extensive discussion about cyber. I wasn't actually present at that. We will look in future editions to make sure that we have full coverage of the Asia Pacific, and I'm sure Taiwan will become part of that consideration. As you rightly state, there's an enormous amount of activity of all sorts that we're describing here that's taking place in Taiwan, especially again when you look at the whole strategic backdrop of the Asia Pacific. Taiwan clearly is a significant player and recipient of cyber activity.

So we've got time for, in essence, a closing comment, and I want to set you up for this. Question to each of you is: so you've laid out on the report trend lines that for the most part are getting better, but there's a long way to go and there's a wide amount of variability. So what is one key policy action, we're in Washington DC, so it's going to be an American question, what is one key policy action that the next administration should take so that these metrics keep moving in the right direction? And so I'm going to turn to you, Toby, but I want to hear from the rest of you as well.

It's simple. Whoever next comes into administration, make sure you redouble your efforts in the Asia Pacific in this area, that there's the
US is present at.

Redouble, that's not a specific policy action. This is, I'm going to be even meaner for, hold, one specific policy action and implement. To redouble, just to kind of try harder, I have a 10 year old son who's very good. The boy, Donald Trump's son could be a policy action.

Well, I mean, look, Peter, I can try and give you absolutely specifics, but I would say ensure that there is strong financial investment in US-led capacity building in the Asia Pacific. Okay, and if there's one thing I can give you, redouble efforts in that area. So fund capacity building at a much higher level, otherwise you stand to lose influence and get left behind everything else that's going on there.

Great.

I would second what Toby said, but the funding for capacity building, I think, should really focus on law enforcement capacity. There is a huge need for better law enforcement coordination between US law enforcement and those in the region, as well as just within the region. And you see a lot of interest in this already taking place. A lot of the confidence building measures have to do with combating cyber crime and exercising law enforcement partnerships. I think there's a lot more we can do there. The second piece is our military. PACOM has already started looking into investing more into exercises with countries in the region, key allies in the region. We need to put more resources behind that, not just operationalize or exercise communication and sharing of information, but real operational platforms. And I think that could be a priority for the next administration.

Toby is going to ask for a way in here.

Just to add on to the back of my mind, for the US to put more pressure on its alliance partners to be doing more in the region as well around capacity building.

Sure. I think the biggest mistake the next administration could make is to start anew. You've seen a great trajectory, I believe, from the Bush administration through the Obama administration in building, in a bipartisan and nonpartisan way, the roles
and authorities of US government agencies and building up the funding and resources behind that. So the specific request I would make is, there's a 19 billion dollar cyber budget out there dispersed across the US government. Congress is going to leave town soon for a continuing resolution and we'll be back until after this election's over. I think we need to support and move forward initiatives that are underway and not begin to view cyber under a partisan lens. I think that would be hugely destructive to the national good.

Well said. Well, thank you to the three of you for joining. Please join me in a round of applause.