Ben Scott: Well, thank you all for joining us today for this special event with US National Cyber Director Chris Inglis. I'm Ben Scott, and I direct the Rules-Based Order Project here at the Lowy Institute. Of course, cyberspace is great, but we're really glad to be having in-person events back here at the Lowy Institute. The traditional owners of the physical space on which we meet today are the Gadigal people of the Eora Nation, and I want to begin by paying my respects to their elders, past and present. I'd also like to welcome representatives we have here today from the governments of Japan, Canada and the Netherlands, and of course the United States. This event reached capacity in record time. I think that shows the intensity of the interest in this topic, but also in our very distinguished guest. I can think of no one more qualified to talk to us about the state of cybersecurity and geopolitics today. Just under a year ago, Chris Inglis was confirmed by Congress as the first-ever US National Cyber Director. He is a principal advisor to President Biden on cybersecurity policy and strategy and on cybersecurity engagement with industry and international stakeholders, us. Director Inglis began his career in the Air Force. He spent 28 years at the National Security Agency and rose to become its Deputy Director. Not an easy job, but one he filled for seven and a half years. I'm going to invite Director Inglis now to come and make some remarks from the podium. After that, I'll ask him a few questions on the stage, and then we'll take a few questions from you. Thank you very much, Director.

Chris Inglis: Thank you very much, and we very much appreciate the warm welcome we've received in Australia at every turn, and we've had some terrific discussions. This is an alliance, a partnership, that continues to prosper largely because of the collaboration and the common values that underpin it. I think also I'm just really pleased to be in the presence of so many of you, so many of us.

I used to quip that after my time at NSA it took me a couple of years to learn how to speak in the presence of natural light, but here we are after COVID, or perhaps on the tail end of COVID, and I'm learning to speak in the presence of one another, and it's a joy. So it's very, very welcoming to be here, because I think it's really hard to root out two million years of human evolution in one generation, which then causes me to turn to cyber.

I'm going to make a few very brief remarks, framing remarks, which hopefully set up a question and answer session where we can explore areas of interest to you.

The first remark I'd like to make is to perhaps set the context of cyber. What is cyber for? And I do that by beginning with a question that a colleague of mine, Jeff Moss, often asks at this moment. He's the person who started Black Hat and DEF CON, and we're on our way to Black Hat Asia in Singapore to have a further discussion with him in the public domain. But he asks the question: why do race cars have bigger brakes? It's an odd question to start a cyber talk with. He quickly answers: so that they can go faster. That's a really interesting question to lift and shift into cyberspace. We have to ask, why do we do cyber? I might be accused, as the National Cyber Director within the United States, of being a cyber hammer in search of a cyber nail, that all things have something to do with cyber. But I have to honestly, humbly understand that cyber doesn't exist for its own sake. We don't do cyber for cyber's sake. We don't do IT, information technology, for its own sake. We do it so that we can achieve our personal aspirations, our business aspirations, our societal aspirations, and we therefore need to make sure we get that alignment right. We need to make sure we understand what we want to do with this space, make the necessary investments so that the space will then have a chance to deliver on that, and then not so much obsess with the threats to it but get on with those positive, compelling aspirations.

That then leads me to point two, which is: well, how are we doing? I'm reminded of the anecdote of a chief executive officer. Could be an agency or department head in the government, but a senior in an organization, who was walking around that organization one day, happened to see the word "cyber" on a door frame, and thought boldly, I'll go in and see what this is all about, I've read so much about it. He happens to encounter someone who's in charge of defending the business on digital infrastructure, the so-called chief information security officer, and asks the following question: "I've read so much about this. I'm the CEO, you're the CISO," that's the term of art, "how are we doing?" And the CISO, being somewhat intimidated, said, "In a word, good." The CEO then pressed on, thinking there's a really good story here that he might be able to share with the board, and said, "How about in two words?" "Two words? Not good."

Now it turns out both of those answers are relevant to where we are in cyberspace. There are so many reasons for us to believe that cyberspace is delivering on our expectations. We were able, in record time, to develop a vaccine and deploy that, requiring no small amount of miracles in terms of the exchange of information, coordination and synchronization that's only possible on the internet, cyberspace as we know it today. It turns out that we can solve problems of equal or greater magnitude if we get this right, and that happens every day. So there's reason to say that it's good.

There's reason also to say not good, because there are so many challenges in this space to our efforts to do what we want to do, individually or organizationally at the business level, or even at the governmental level. Those of you who follow this space closely would know that attacks like NotPetya and WannaCry, which were nation-state attacks in the year 2017, had an extraordinary effect on the commerce, the business, that was essentially coursing across the internet at that time, but more importantly had an effect on, an attack on, the confidence of people, who would then say: should I perhaps stay in this space? Should I do the new thing in this space? Should I extend my aspirations, my reach, a bit further? So it's not just data and systems that are at risk. It's not just the critical functions that rely on those data and systems that are at risk. It's the confidence of our societies. And you think about the ability of cyberspace to hold free, fair, open elections at risk, not because there's the possibility of changing votes, but because there's the possibility of influencing broad populations. We have to consider how we then make sure that cyberspace plays its appropriate role to deliver what we expect of it: the integrity, the availability, the confidence that those things that we inject into the space will be fairly represented and come back to us from that space. It's not a political choice. That's not even a value choice. You just want cyberspace to do what it's supposed to do.

The third frame, then, is: if at the end of the day we have some challenges in this regard, I would begin by saying that as I suggest strategy, we have to understand whether that answer of good or not good is fate or choice. I think it's choice. I think we can choose to invest in this space in various ways that I'm about to suggest. We can choose to invest in this space such that it meets or exceeds the confidence that we need to have that it will do our bidding. We can choose not to, which has largely been the story of the last 40 years. We can invest in the primary functions and race ahead on the visible performance, perhaps the bandwidth, the ability to access broad swaths of data, but without giving time and attention to the resilience that's necessary to deliver that with the full faith and confidence that we prefer. We can choose, by our inaction, by our complacency, to get the result that too often we get today, where we obsess, because those threats are real, we obsess about those threats.

Those choices, then, if we make them, essentially have to come down to: we have to get the doctrine right, roles and responsibilities; we have to get the skills right; and we have to get the technology right. Now, I mentioned it in that particular order because so often the discussion about cyberspace starts and ends with technology. There's no small number of technologies that are trumpeted that would be brought to bear to solve one or another problem in this space. Generally they react to, respond to, some pratfall that occurred last week or something that's occurring at the moment, and they will solve that problem in isolation. Perhaps through the soda straw that you're looking at on the map, they'll solve that problem, but too few of them are holistic in nature and essentially solve the real problem, which is we don't have the roles and responsibilities right. We don't know who is accountable for what.

Imagine for a moment that you're a user of technology where no one took particular responsibility for building cyber resilience into it. It then populates down what we would describe as a supply chain, and you're at the end of that chain, and you inherit this technology. The resilience, the robustness of it, is an afterthought; it'll catch up later. Who is now the poor soul that has to then deal with that resilience and robustness that's not been built in? You. What kind of capabilities do you have? What resources can you bring to bear to solve all of, to inject all of those investments, let alone to know something about the nature of the space you're operating in? Precious little.

Imagine if we built and deployed cars that way: there's no airbags in them, there's no anti-lock brakes in them, there's no locking mechanism on it, there's not even a set of brakes that you can guarantee make it through the first 5,000 kilometers, and you enter into a road system that is not designed with safety in mind; it's simply designed to get you from point A to point B, but it's your issue as to whether you do so safely. We don't have road systems like that. We don't have cars like that. We don't have airplanes or drugs or therapeutics like that. We've invested as necessary to get those systems into the right place because we first attended to the doctrine, the roles and responsibilities. We then got the people skills up to speed, such that not simply the experts who actually develop, deliver, perhaps sustain those systems, but the people who use those systems know something about, in the role of an automobile, how to drive defensively. We need to do all of those things in cyberspace. There's no miracle there. It's something we've done before. We must do it yet again.

But that's only the first part of the strategy, because if we do all of that, and we have resilience by design in our roles and responsibilities, in our people skills, and the technology that's then bent to that purpose, what we'll have is a defensible proposition, but not one that's secure. These systems do not defend themselves. User participation is required. Individuals, organizations, sectors, governments need to stand in and play a role in the defense of those systems. And in that I think I bring to bear the second aspect of the strategy that's possibly new and novel, which is that we can no longer do this using a division of effort. We can no longer say, you defend your piece of this shared infrastructure, I'll defend my piece of this shared infrastructure, possibly getting to that moment in an open boat where you say, "The hole's in your side of the boat, so good luck with it." Turns out it's the same boat. We need to actually use our collective capacity to understand what's happening underfoot, to use the hunches and the shards and the insights that one of us might have, to compare and contrast those with some party to the left or the right of us, so that we can discover and deal with things together that no one of us could have understood alone.

Our UK counterparts have done that, in something called the National Cyber Security Centre, to good effect for the better part of five years. Israeli counterparts have done that. We've begun to do that in the United States, actually to eschew this idea that division of effort is the right strategy and to move forward to where collaboration, collective defense, is the right strategy, getting to a place where the slogan might be: if you're a transgressor in this space, you need to beat all of us to beat one of us. There's nothing offensive or aggressive about that. It's simply a statement of fact. For too long we've been crowdsourced by adversaries who have stolen, seized and sustained their own initiative. We need to seize that back, so that at the end of the day we can get back on the trail that we were on in the early 90s, which is that we had very positive, boldly audacious expectations about what cyberspace would deliver. And that therefore is where we need to get back to.

My role, along with many in this room, all of us have some roles and responsibility to play, is to engage in that thought leadership, to where we can define roles and responsibilities, we can get the skills up to speed, and we can then define and bring to bear the technology, so that a collective defense on top of that can essentially deliver what we expect, what we want. The relationship the United States has with Australia is an excellent example of how we can take that into the international domain, because the collaboration I'm speaking about must be done in the largest possible context. If we do that right, then we will have formed a new social contract, one that's not new or novel, because we've done it in other domains of interest, but one that we can lift and shift into this space so that cyberspace can and will meet our expectations. I look forward to your questions.

Ben Scott: Well, thank you very much for those remarks. You covered an awful lot in a short time on an enormous topic, so we can go many different directions with this. I find it especially refreshing the way that you are reframing all these cyber questions in a more positive light, getting us back on the good, as you put it. I'm going to start on the not good, though, but we'll get to the good. Ukraine, of course. I want to ask you about the war in Ukraine and the consequences. Australia yesterday attributed three sets of cyber attacks to Russia related to Ukraine. So the questions are three: what should we expect from Russia next in cyberspace, especially if they continue to lose the conflict on the ground? What's China learning from this conflict? And should we still be thinking about, worried about, a cyber Pearl Harbor?

Chris Inglis: Yes, those are all good questions. Those are actually three very different questions. Perhaps I'll take them in reverse order, or maybe slightly reverse order.

Cyber Pearl Harbor: there's often a lot of discussion as to whether we should be standing by for a cyber Pearl Harbor or 9/11 moment, which I think is possible but less probable by the day, by the year. What's more likely is the slow, insidious creep of weakness into this system in the ways that I've suggested in my remarks, where what really is happening is there's a slow rot in the system, or there's a slow decay of confidence based upon that system. That's what we have to worry about. It may well be that the cyber Pearl Harbor is happening all around us even as we speak; it's just sufficiently diffused in time and space that we haven't had that collective appreciation of it. There hasn't been that shared cathartic moment. I think that's more likely, and therefore the sense of urgency should be all the greater. We shouldn't wait for that thunderclap. It actually has already happened, or is happening, in ways that are perhaps insidious in the nature of their onset, but have all the same effect in the longer term.

In terms of the Ukrainian situation, I would say the following, that we can all observe. I think what we have seen in that space, the egregious, bestial behavior of the Russians, is not restricted to the kinetic space, the physical space. We've seen that in their disinformation campaigns, what they tell their own people, what they attempt to tell those of us listening in the open domain on the far side of this. That's egregious. It's simply beyond the pale in terms of the way they have twisted and corrupted their version of the facts. But second, what they've done in kinetic space in terms of their attacks has been replicated in cyberspace to some extent, not broadly, not outside of Ukraine, but certainly inside Ukraine. There's a report published by Microsoft about a week and a half ago that actually described in great detail a series of attacks. Some of those have been further attributed, as you mentioned, by Australia recently, and overnight another attack, on some satellite communications, was collectively attributed by various nation states as attributable to Russia. So they've been actively engaged in conducting attacks in cyberspace.

The question before us is why they haven't attacked outside of Ukraine, and perhaps why they've not been terribly successful inside Ukraine. I suggest, pun intended, that there may in fact be an analogue in cyberspace to what we've observed in the physical space: that the Russians exhibited a certain degree of arrogance and hubris going in, that they thought they might own outright the territory within a very short period of time, and therefore didn't take the time and trouble to conduct attacks that would then have made it more difficult for them to manage and administer the systems that they would inherit. May well be that it's harder than it looks, and the ability to do a campaign of the sort that we were worried about is harder than either the Russians had imagined or than the Russians are capable of. May well be that the Ukrainians, and I think that this is the case, are very good at cyber defense, or at least good enough to blunt and block and parry to a large degree that surprises the Russians, and they, to be honest, had eight years of practice given what the Russians have been doing all along that track. Finally, there's some degree of deterrence on the part of the Russians, self-imposed deterrence, where I don't think that they want to trip a full response from either NATO, the United States or others, and so you can see that there's some self-imposed restraint there. It's not a restraint that they've exercised inside Ukraine, but we've seen that outside of Ukraine.

Having said all of that, I think that our systems broadly across the globe, and certainly in the critical sectors that we care about in societies like Australia and the United States, are not impervious to attack. They're not self-securing. They're not as robust as we would prefer, and therefore we have to be mindful that we're not through this yet, and we may yet be open to a further attack that could succeed if we find ourselves in an unguarded moment, allowing it to succeed.

As to what the Chinese might be learning from this, I think that it's an experience of a vicarious sort that allows them to work their way through what's working, what's not working, and lift and shift that into their own context. I'll leave it to the Chinese or others to imagine what their aspirations are. I could perhaps divulge secrets if I was in the right place, but it's a bit of a mystery as to the timing of what they're going to do, and that's a further matter. But I would say that, observing what the Russians are doing in that space, it may well be that the Chinese aren't concluding that that's the wrong strategy. It may be that what they're concluding is that it's not being competently executed, and that would then be a further challenge for us. It won't dissuade the Chinese to observe what the Russians are doing. It may simply convince them that it's an aspect or a matter for execution, and we should therefore be all the more careful about preparing for the possibility that this isn't the first or last time that we'll see this.

Ben Scott: On that particular question of attribution: are we getting better at attribution, and if so, why? But also, are we getting better at using attribution to change the calculus of malicious cyber actors?

Chris Inglis: I think the answer to those two questions is yes on both counts. So, are we getting better at attribution? We are. I think that we long ago realized that attribution in cyberspace, besides being hard, it is, you know what that old saw was, what one dog says to another about the value of cyberspace: nobody knows you're a dog. It's hard to attach a physical reality to a persona in cyberspace. That being said, it's harder if you do it from a cold start, and so we don't do that anymore. We try to actually instrument our systems to have solid identification and authentication mechanisms. We have analytics that run across those systems so that we can understand behaviors in that system and essentially match those behaviors with known personas in those systems. We actually, before some event of consequence occurs, have some knowledge of the neighborhood and the characters in that neighborhood, so that on a fairly short basis, if something untoward happens, you actually have the muscle memory and the context necessary to say fairly quickly, I think I know who that is. All of that done appropriately, using either consent or the ownership and properties, the privileges, attendant to those who are authorized to do that. But I think if we instrument these systems right, and we essentially say the cost of admission is you have to identify yourself and be known for what you purport to be, then I think attribution gets easier.

Does attribution make a difference? You betcha. Attribution allows us to quickly take resources and apply those to either the interdiction or the eviction of something that otherwise, if it was anonymous, you wouldn't know whether this is simply a process that some innocent, well-intended person is running, or something that is attributable to a malign actor. Attribution works especially well when, in the broader scheme of things, you have found some actors who continue to transgress and transgress and transgress, and you want to bring all the instruments of power that a society, a just society, can bring to bear, whether that's a lawful arrest, whether that's some restriction on travel, whether it's seizing assets. All of those things affect the decision calculus and in turn the ability of that actor to hold us at risk. So attribution matters.

Ben Scott: Focusing more on defense and building resilience, which was a large part of your remarks: I think I'm right in saying that a lot of those improvements in attribution are linked to a really quite radical change in cyber doctrine in the US, which took place under the Trump administration, which is often summarized as the move to "defend forward." I think that concept is probably not that well understood outside the US, so I was wondering if you'd be able to talk us through a bit more what that means in practice, and if the way that is practiced has changed with the move from one administration to another.

Chris Inglis: Yeah. So I would say that I would view what I've described as an emerging strategy as additive, that it actually complements all of the tools that are already in this space. I'll describe defend forward in a certain context, but say that if all you did was to defend forward, meaning all you did was to understand what risks are being arrayed against you by certain actors, you'd be in a position where your homeland, whether that's virtual or physical, undefended, would be at great risk. You therefore need to attend to your knitting at home before you then understand what risks may be arrayed against you abroad. And so resilience by design, it's a concept that's probably thousands of years old, is to make sure that you've attended to the resilience and robustness of the physical manifestations of your society and, in this case, the cyber extensions of that.

And so what then is defend forward? It's a concept that came into vogue about four or five years ago, when it was used by the US Defense Department to say that, in the context of cyber threat, they, as a matter of doctrine, would persistently engage valid cyber threats, and that they would essentially, as a matter of doctrine, engage those as far forward as possible, so that you achieved the earliest possible action with the highest possible leverage. That's actually a concept that's been broadly applied in just about every other domain of interest, and I think it was high time that we caught up to it in cyberspace as well. And what do we mean by that? We have long deployed troops in NATO forward, so that we have an early engagement, a persistent engagement if you will, and an ability that if there's a crisis there, as that crisis is on the rise, we're not mobilizing to that scene; we're essentially already there, and we can defend forward. We do the same things with legal remedies. We do the same things with diplomacy. We have an expectation that there is broadly deployed all of these possible instruments of power. The issues are: do we discern those issues early, do we engage those issues early, do we, with the highest possible leverage, bring those back to heel, so that we don't so much create a fuss but rather solve it in the most deft, the least offensive way possible. So in my view, that forward defense is actually something that simply says cyber is an instrument of power. It's not the right response to all cyber issues. It therefore can be brought to bear in the constellation of all those other instruments that I mentioned, in the same way that we brought those to bear in other domains of interest.

Ben Scott: So the trick to defending forward is doing it in the least offensive way possible, I think is the way you put it. But part of the trick, I think what you're saying, the other part of the trick, is not to forget to focus on pure defense and resilience, probably first and foremost. Australia is tripling its offensive cyber capability over the next 10 years. What can we learn from the US experience about how to use this capability in a way that doesn't risk turning cyberspace into even more of a battlespace?

Chris Inglis: I'm confident what Australia is doing hews to its enduring values, which is that in our society, in Australian society, what we would characterize as offensive capabilities possessed by the military are an extension of defense. We call it in the United States the Department of Defense for a reason. That's not a sleight of hand. That's not trying to, by rhetoric, ignore what capabilities they can bring to bear. It says that defense is the predicate to offense, and the offense must therefore be properly an extension of that defense. And so if there is some increase in capacity for the offense, we must first make sure that it is a proper extension of the defense, and that it achieves both moral purposes as well as the effect purposes that are intended. I'm very confident that that's what Australia is doing.

Ben Scott: Which is a clarification. So, defend forward you're situating very much, then, as part of the responsibilities of the Department of Defense and the military, but if I understand correctly, persistent engagement is something which takes place below the threshold of conflict. That's the whole idea, really. It should be going constantly, and without being necessarily linked to...

Chris Inglis: Well, that's true. So persistent engagement, broadly across diplomacy and the legal attachés and any number of others who, representing various instruments of power for nations, are deployed forward: persistent engagement is almost always done below the use of force, and cyber is no different. It might be particularly true in cyber, where the vast majority of things that can be done in cyber do not constitute the use of force, and that makes it at once something that is sometimes more attractive, especially in the hands of an autocrat who wants to perhaps achieve some effect without having the consequence of a response either in kind or by use of force. But at the same time, it makes it such that if you are in fact persistently engaging those threats, and you interdict those at the lowest possible level, and always in a partnership that might be available to you, unilateral is never the preferred method, to do those in international collaboration, you can in fact achieve some order and discipline in the space, because you haven't waited on shore for the problem to magnify. The analog, or the analogy, that I have loved for years in thinking about this: you can wait on shore for a flock of arrows to arrive, or you can figure out where that bow is that essentially is aimed at you and simply make sure that the bow no longer works. But again, it's a defensive mechanism. It's not an offensive mechanism. It must be properly characterized as responding to a threat as opposed to creating a provocation.

Ben Scott: I want to turn now back to China, but to the longer-term threat posed by China rather than the more immediate daily cyber attacks. China is advancing its own vision of cyberspace, of the internet, how it should work, the New IP for example. What's the best Western response to that? Should we be decoupling to build our own ecosystem which is safer, or is the answer to continue to defend this existing free and open, global, unfragmented internet?

Chris Inglis: I think it's more the latter than the former. We don't seek competition or conflict. We will collaborate whenever possible. We will compete when necessary, and conflict is not the preferred choice. It's not the thing that we're attempting to set up. What we're attempting to do, and it plays out in the ANZUS relationship that goes back, what, now 71 years, it plays out in AUKUS, it plays out in the Asian relationship, is to not so much choose who we're against but rather to choose what we're for, and to then celebrate those values through the execution of various lines of effort that create security and resilience and the shared underpinnings of societies that essentially want to get on with the business of what they want to do with their resources. China can choose to join that, can choose to complement that, can choose to compete with that or conflict with that. That choice is largely China's. It's not a choice that we would drive them to, one or the other of those options.

Ben Scott: I mean, one way you've done that recently, and we've done that as well, is through the Declaration for the Future of the Internet, which 60 countries have signed. That's a good, positive step forward. From an Australian perspective, though, we look at the list of signatories, we see that India isn't there, and we see that no Southeast Asian countries are there. So the question for us really is, how do we continue to push for that single, open, unfragmented internet when what China is offering is often very attractive to a lot of countries that don't share our liberal democratic values?

Chris Inglis: Well, first, I don't think we want to compete on an unlevel playing field, and we have to level the playing field by understanding what the values are that should essentially define that playing field. If we start with economics, which is often an important determiner in terms of what you choose to buy or what you choose to sustain, if you start with economics, that economics, having no soul, will lead you to a corner that on occasion you don't prefer. And so that Declaration for the Internet, signed by 60 nations, we don't all have the same geopolitics and wouldn't all agree about a vast number of issues, was in fact the foundation to say this is what we want the character of the internet to be. We want to be able to deliver digital infrastructure, the internet, that has the character of being free and open and resilient, and that we can then exercise our personal and societal aspirations on. If 60 nations can agree about that, well, they can't agree to that level about any number of other things. I think that's the right start. The question then is how you then act on that: how do you create the technologies and the roles and responsibilities that deliver on those values and promises? We shouldn't make nations choose a geopolitical system or even, for that matter, pick favorites amongst countries, but we can in fact ask them to sign up and subscribe to common values and then build on those values, so that we transcend what otherwise would be difficult choices that are at the moment front of mind.

Ben Scott: On the topic of building on common values, and this will be my last question, I promise, even though I have a very long list here: you've made a very powerful and persuasive argument for a new cyber social contract, mostly addressed to the United States, I think. My question is, why a new social contract, and why not just a more interventionist state that would compel the private sector to more actively protect private data, which would allow the state to go in and remove malware without consent when necessary? Some of these things are happening already, but why do we need to frame it as a social contract?

Chris Inglis: Well, two reasons. One, we're not going to shoot our way out of this. We're not going to actually, by picking and choosing what we choose to allow into the system or not, and therefore trying to deny the access of transgressors, we're not going to essentially solve it by solving the problem in the way I would describe as responding to two- and three-alarm fires. If we did that perfectly, if we responded to every transgression, if we shut down every bad action in this space, if we did that with perfection in time detected to time resolved, we'd just lose more slowly. You have to have resilience so that you're actually preventing these attacks. This is a capital expenditure exercise, for those that are involved in business, not an operational exercise. There's a role to be played for response, but it needs to be that we've taken every effort necessary to avoid these problems in the first place.

Having said that, this is not a vertical, where government can essentially, at the top of that pyramid, drive and dictate all the actions that take place in this space and then everyone else follows that script or perhaps exercises broad roles and responsibilities that are wholly defined by government. This is a horizontal, where what you find in terms of the way we build, we innovate, we create, sustain systems is that the vast majority of that occurs in the private sector, not in the public sector. Therefore the government needs to think its way through: how does it become a supporting organization for the activities that take place in the private sector that deliver critical functions, life-critical functions, to the citizenry of a given nation? I think if we do that, we'll find that it's more about the roles and responsibilities horizontally, and getting those to complement one another, than it is about the vertical, where you script and dictate and direct that from the top down. Turns out it works that way in the physical world. I have my own volition
I came here today in a kind of a manner of kind of a conveyance that I chose right I can choose to do that I wasn't dictated to take some particular safe transport so I came in one door or another I could have walked I could have ridden the bicycle I could have taken a car the government however plays its role to ensure that those systems have some inherent system of safety built in that the roads are navigable and that we kind of remove the kind of major obstacles and threats and so on and so forth but that's a horizontal I still have broad discretion in terms of how I live my life in businesses similarly we just need to make sure we do that in a rational system that actually has resilience by design built in that I know what role I'm supposed to play in my own defense and that those complementary activities then line up horizontally to make the system that we want to have going forward well thank you direct English we have about 20 minutes for audience questions if you have one please raise your hand and we'll bring a microphone to you and if you are asking question please stand up state your name and affiliation and ask a brief question which ends with a question mark no statements or comments please thank you thank you for comments Yelena Park I'm a freelancer right now I want to go back to the Russian-Ukrainian conflict and ask you about your opinion in terms of NATO NATO a few weeks a NATO official commented that a cyber attack could be considered an armed attack could you elaborate what sort of cyber attack should it be to trigger article five and you already referred to sort of the potential response thank you I would say that that is at the moment unsettled kind of law or kind of doctrine at the moment I think that the question that would be before us if a cyber attack was to be considered as the having the possibility of tripping article five as to what the effects are right not whether it's an attack as some might describe it in cyberspace because a 
cyber attack very seldom has the same level of effect on life and health and safety as a kinetic attack as a physical attack so need to take great care to look at that effect and consider it on its merits as opposed to kind of on the labels or the terminology we might wrap around that it's good to be back at the low institute after many many years my name is Paul Manohar and I work for Lexis Nexus and direct English thank you for the very insightful talk on cyber resilience and of course as we slip into a new emerging world order you know that's a really critical space for all of us to invest and collectively work together my question is rather about is there a need to create a global institution along the lines of the old institutions like the Benton Woods system which would create a platform from ground up as a means for like-minded democracies to collaborate and solve these emerging challenges thank you it's a great question um this is not an intact and kind of perhaps um definable entity that has physical shape and form even the way a financial system might where you can say that the kind of transactions in a financial system kind of emanate from place a and they go to place b and that the pathways and the mechanisms by which they're processed and reconciled and considered are kind of discreetly definable cyberspace defies that and therefore coming up with a single institution that might be kind of you know one kind of one one kind of organization to rule them all if I can borrow a slogan that's difficult and so what I think we find ourselves doing is starting at the beginning which is can we first describe the values platform that kind of declaration for the internet was was an approach to that kind of the UN the United Nations global group of experts in 2015 and 2016 to find norms which are largely subscribed to so that's a foundation for that then through bilaterals and multilaterals and kind of coal coalitions that naturally already have an alignment on 
those common values we can begin to build towards what you've described but but at the moment cyberspace is too broad too diverse too ungainly for us to get our arms around as as if we could in fact have a single point right of influence on it to control or direct the efforts inside of it at the back Geraldine Duke from the ABC I'd like you to elaborate if you would on the response you're getting from private players I sort of in I think you're implying that there's different possibly sensibilities at stake there and and you very you know keenly described the permutations of it but I wonder how what sort of response they're giving you because I wouldn't have necessarily thought they'd be totally keen to play right first I would observe that the private sector is not monolithic any more than many governments are not monolithic and so you get kind of very very given responses but second I think that what we have found following on the model of the United Kingdom Israel some others is that if the government is truly sincere about we're going to put value on the table we're going to give you things that would help you defend the private sector's component of the critical infrastructure which is the vast majority of it they'll show up right and if you deliver on that they'll come back the second time and more importantly they'll stay in between the highly continuous relationship what we need to make sure we do however is to protect protect proprietary interest and privacy interest as a matter of design as opposed to we think about that at the end of the game right so we say up front this is what we want to achieve we want to find and root out threats that hold us at common hazard we're going to put on the table governmental kind of insights perhaps some sense of best practices things that are truly valuable that you couldn't do and we'll compare and contrast that with what you might be able to generate discover and mitigate things together and maybe the together part is 
implicit collaboration because we can't achieve agency between these kind of private sector entities and the government but essentially affect a new contract or a new compact that says why don't we actually see if we can discover some things together that no one of us could discover alone it's working at the moment I think the UK which puts out a report on annual basis their national cybersecurity center would give kind of some ample evidence to say that the concept is solid the question is whether it scales into a very complex and diverse society like the United States and so if we have a challenge at the moment it's not a response from the private sector that's positive it's how do you actually do this coherently across the very diverse kind of landscape that is the private sector but but I'm bullish on this I think a division of effort has shown itself to not work over time and this therefore is all that remains I'm going to ask another one I think builds on those last two questions you've posed the question what do we owe one another in cyberspace as a way of starting to build those values and better allocate the risks and responsibilities for resilience my question is if we look at that internationally what do states owe one another in cyberspace but in particular the role of the United States what does the United States owe the rest of the world and what do we owe the United States given that the US is the home to the biggest and most powerful private tech organization well the nation intends that allies and both Australia and the United States do and they view each other as an ally not merely a partner and what they owe each other is a declaration of what their shared prospects their shared values their shared intents are and then they owe each other kind of a commitment to work through the various lines of effort that will then deliver on that AUKUS is an example of that but so are so many other lines of effort that actually join these two nations and so 
kind of it starts with kind of declaring affirming the shared values but it must be followed through with how do we actually then on the back of real work give voice and traction right to that declaration that are taking place in the area of critical infrastructure particularly maybe starting off with the United States because within the Australian context there's been quite a lot of work in that area and I'd just be interested in your thoughts on that versus your comments on the social contract yeah so let me give a general mark about the role of regulation and then a very specific remark both about the Australian and the American experience generally speaking I think that as we have learned in other domains of interest I've mentioned the aviation industry the alma village street food there food therapeutic drugs we have learned that self-enlightenment on the part of the manufacturers the providers takes you a certain distance down the road they naturally want to do in many cases exactly the right thing market forces might take you a further distance down the road that that if it's a value that is respected by the consumers then market forces will then deliver on that but they often and in most cases don't take you far enough there then remain some non-discretionary features that you have to specify and ensure are delivered air safety bags is one of those right if you wanted a cheap car you might be able to go to some provider unless it's required and get such a car right so if this is a car that then broadly is going to affect aspects other than that individual consumer's choice the state can and has stepped in to say this is not a non-discretionary feature I think we're going to experience the same in cyberspace for those digital infrastructures that support the critical functions whether that's the generation flow of electricity water supplies all manner of things we're going to find that there are some non-discretionary features we'll have to step in and say 
these are not discretionary and with the lightest possible touch but no lighter kind of ensure that that is in fact done now let's talk about the specific experiences in both the australian and the american experience but to spend some time with some folks who explained to me how australia does this and I think it's a quite brilliant scheme which says that look many of the things that we would regulate are already regulated because they show up in a sector that has long been regulated maybe the finance sector might be one of those and so broadly again you know the failure my explanation is my kind of ability to explain it not kind of the benefit of the system broadly what I understand is that what then australia will do is to say we'll establish a floor that says you know what does you know the specification of function look like for something that's critical in our society what are the properties that those things need to have what confidence do they need to give us and then we'll take a look to see whether that's already accounted for in some other scheme if it is we're not going to re-regulate we're not going to double down on that regulation we're going to essentially say look it's already been done but if it's not we're then going to stand in and we're going to ensure that that gets done seems to me to be sensible and efficient and at the end of the day that cost being borne by society I think is a necessary cost right it's no greater than it should be but it's no lesser than it has to be in the United States we haven't quite sorted all that out right you would have seen looking over our shoulder that we had this kind of attack on something called the colonial pipeline not long ago which kind of upon examination there weren't specified requirements by the governing organization to essentially attend to the properties inside of that which then meant that you know even if the proprietors had said we followed all the rules that hadn't actually made it defensible 
enough and then defended it to the extent that most of our citizens would say it should be this and no less right so we've stood it and essentially applied authority we've long had to that but but we can't do that episodically and we can't do that unevenly across all the critical aspects of our society we have to come to an understanding of what does critical mean what are the foundations of that what's the floor and what are the extensions of that in each of these critical sectors and make sure we don't over regulate such that we create an unfair burden for the intended benefit I wish it was a simpler answer but it's a great question well this one's coming can I just ask you on critical infrastructure I mean that is the focus of regulation but and thanks very much for the kind words about our system but whenever I look at lists of critical infrastructure they just seem to get longer and longer and the incentives at least bureaucratically are to add to that list how do we prioritize better how do we make sure that critical infrastructure list is what is truly critical my sense is that Australia is doing that right so that they broadly describe the categories but then inside of that they're very specific and intentional about saying but before we declare an entity as being critical let's understand what its role is and let's make sure that we understand whether some of these things that we might think are critical are actually showing up in multiple systems and so let's prioritize those let's bring those up a bit as opposed to what what we had done in the past in the United States we're moving off of this I'm simply declaring that there are critical functions we have 16 of them 16 sectors and then presuming without specifying further that everything inside of that system is critical and therefore everything is equally critical meaning that you've set yourself up to defend all things against all perils that's impossible and so we have to actually be quite you know 
intentional and precise about that what's emerging in the United States is the sense that it might well be that we preserve the sense of these can be critical sectors their verticals transportation finance energy but that what we're going to begin to do is to cut across that to say but the functions we really care about actually derive benefit from multiples of those if you're going to run an economy you need a solid telecommunication system solid finance system need electricity possibly water to make sure that those plants operate properly but when you pull that horizontal thread you might then find perhaps a more succinct sense of what's critical and therefore double down on that's what I need to attend to and rationalize this sense of you can't defend all things against all perils to the few things that you want to prioritize and say that's what I'm going to work on thank you thank you on this issue of critical infrastructure I'm just wondering whether the how did the the environment that we live right now in your political environment has increased the exposure for attacks to critical infrastructure is there anything that individuals command a citizens can do and to prevent or to prepare towards any type of attacks or cybercrime impacting on critical infrastructure yes there is I wish I knew the names of the websites in Australia but I'm sure they exist but in the United States our Department of Homeland Security has a rich array of websites that say look if you're worried about ransomware you run a small business you have some intellectual property that's installed somewhere in a server or computer of yours and you're worried about being the victim of ransomware there's a website out there stop ransomware.gov that quite succinctly says this is what you can do to participate in your own defense and you wouldn't be surprised most of it's based on critical thinking applied right to the mechanisms that exist in cyberspace whether that's about passwords making 
intentional choices about what you store on the network making backup copies but I don't want to kind of enumerate all of those things just to say that there is a lot of guidance out there I think what your question suggests though is can an individual do everything that's necessary to defend him or herself in a world where you don't need to be the target to be the victim answer unfortunately is no which means that we need to allocate some responsibility for the creation of resilience and the sustainment of resilience across all of those parties who build deliver develop deliver deploy operate these systems of interest today as I indicated in my remarks too often it devolves to that poor soul who's at the end of that supply chain who given all of the critical thinking and kind of earnest effort in the world probably isn't going to prevail when it's their turn in the barrel you know against a nation state that's come at them with some kind of overwhelming attack hi there uh jonathan prik I run our below institute specific islands program a challenge we have on top of just the immense challenge of just defending ourselves is to try and help our friends in the region better defend themselves and the challenge there is just the capability gap is so immense you know these countries are run on gmail and whatsapp I mean Australia sometimes feels like that as well but like just in puppany guinea for example last year their entire integrated financial management system was hacked and held to ransom as they're going through a COVID a massive COVID response so where do we even get started like how do we help these countries capability up when they have so many competing challenges that are dealing with in the governance space thank you yeah I I think you start with some pretty simple questions and not to diminish the value of the model I'm about to suggest but in the United States and there are similar models here there's something called the national institute of standards 
and technology nist framework which essentially asks some very basic questions right so can you identify what your critical assets are do you know what's on your network right do you know whether you have personnel records out there or financial records or the customer database is that on your network yes or no it's a very simple question um you believe that that is kind of something that you could afford to lose if the answer is no have you got a backup copy pretty simple question if that's something that you couldn't afford not just simply to lose but to have exposed because it's personally identifiable information or it's security critical information security to your business then do you encrypt it right and they're fairly standard encryption schemes that you bring to bear but you begin to walk through those questions which really don't require in the early kind of stage an application of resource dollars or the introduction of new technology they're just simple questions do you know what your risk is are you prepared to then say I'll accept that and if you're not are you prepared to make some investments necessary to essentially guarantee that you participate in your own defense to guarantee some modicum of resilience because of the actions you've taken what I find often enough though is that there's a willful ambivalence on the part of organizations or individuals to say I know there's a problem in this space but it's not mine to fix and they presume assume that somebody else is going to fix it and that's a flawed assumption in just about every case that I've experienced that's not to say that I've offered you something that's kind of the magic bullet the silver bullet we can't treat this as kind of something that a panacea would would solve but I think there are some basic questions when you begin to ask those that lead you to some kind of fundamental considerations and just like navigating kind of a busy city straight might be overwhelming to a small child 
it can be done right we have to actually make it such that those things are navigable we have to make sure that we teach people how to navigate them and that all the parties necessary participate in the creation of that resilience the sustainment of that resilience and the defense of what happens in that space. David Masters from Mastercard increasingly corporates are facing the challenge of being asked around the world by governments to localize their businesses. Do you see that as a legit in the interest of national security and cyber security do you see that as a legitimate request from sovereign states? Certainly the right of those sovereign states to ask for something like that we have to think our way through whether or not that's going to achieve the intended purpose which is to make that data safe right or whether it's going to somehow deny us the opportunity to kind of use analytics that run across that data to derive insights and kind of extensions of what those analytics might offer that they're going to say we can only kind of understand and deal with issues if we compare contrast combine the the information so I just think that the initial concern that if I localize my data I then defend myself in a silo because I've concentrated that risk in a single place whether that's an inappropriate concentration of risk it then might become a more viable target for somebody who would go after it and it might deny us the opportunity to use the breadth of cyberspace analytics or run on top of that so there's not a simple yes no question but we have to think our through the fullness of that the second and third order consequences are often not considered and are often misunderstood. No welcome. 
Elliot Brennan, I'm a security analyst. You've spoken and written previously about the democratization of the tools of cybercrime. Was it surprising to see how many non-Russian-aligned groups quickly volunteered themselves as proxies in the Russia-Ukraine conflict, and is there a concern that in the future they may turn their sights towards the US and its allies?

Yes and yes. I think it goes without saying that, you know, all of us, I think most of us if not all of us, wanted to figure out, when this happened, when the Russians transgressed in this important way into Ukraine, what can we do. So dropping a dollar in a box or sponsoring some fund, that is within our wherewithal, legally permissible to do, and therefore we encourage that. But taking it upon yourself to stand into a role that is inherently the role of government, to deny and destruct things that are outside of your authority, you don't own that territory, that's problematic. And we have to think our way through the question you asked, which is it might be that at the moment that favors the interest that we would prefer, and we're therefore sitting up in the bleachers saying, you know, yay for the home team, but that can turn around on a dime and be reflected back, and that's why we restrict those authorities and capabilities to governments which are accountable to the people that elect and sustain them in office.

Okay, we'll have to leave it there. I want to thank you again, Director Inglis, for joining us and sharing those insights today. Thank you very much. Just to let you all know that the video from this session will appear on YouTube later today for those who weren't able to make it in person.

In closing I'd just like to thank the events team at the Lowy Institute for their tireless work behind the scenes, especially my colleague Sasha Fegan, as well as Jim Curvan from the US Consulate for bringing this event to the Institute today, and thanks to everyone in the audience for joining us. Thank you. Thank you.