Good evening, and welcome everybody to this public lecture, part of the National Security College's Securing Our Future in Cyberspace conference. Firstly, we acknowledge and celebrate the first Australians on whose traditional lands we meet, and pay our respects to the elders of the Ngunnawal people, past and present. Welcome, all of you, to the National Security College, which is a joint initiative of the Commonwealth and the Australian National University. It is a center of excellence in teaching, learning and thinking on issues of national security policy.

Today we have with us for the public lecture Professor Fred Cate, whose bio you will have seen on our web page. He is the Vice President of Research at Indiana University, Distinguished Professor and C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, and also an adjunct professor in the School of Informatics and Computing. His work focuses on information privacy, security, law and policy issues. He served for over 10 years as director of the university's Center for Applied Cybersecurity Research and has many other appointments to his name; he has been a member of various institutes and has written extensively on legal and security issues associated with cyberspace. He has appeared before congressional committees and is also an advocate on issues related to privacy, security and the legal issues associated with cyberspace. Interestingly, he has written about moving the onus of privacy away from the individual and back to companies and others in the context of consent. Today he will be addressing us for a period of about 40 minutes, after which we'll have time for questions and answers, and there will be refreshments afterwards for people who want to stay behind and continue the discussion. So, without further ado, I'll invite...

Thank you very much for that kind introduction. Thank you for coming. I hope there are seats for everyone.
I've never spoken to a room in which there was difficulty finding a seat. So if you think somebody else is coming after me and that's what you're waiting for, I'm terribly sorry: this is as good as it gets.

So I would like to talk about the challenge of cybersecurity as a legal issue, and I'm going to use the term law here in its broadest definition, so not just law as in formal statutory law or decisional case law, but really thinking of law as governance, law in parallel with policy, as a way in which a society or an institution governs itself. And I'm going to start with a few points which I think are going to be absolutely taken as given, and I'm going to go through them very quickly, but I want to at least make sure we're on the same page so you'll know where I'm coming from, and if they're not given you'll have an ample opportunity to disagree with me.

Let me also say what a real pleasure it is to be here. Now, in fairness, it's always a pleasure to be in Australia, but to be in Australia when the temperature I left at home is considerably lower than the temperature that I found here, and to be here in the presence of so many colleagues doing interesting work, I could not be more grateful. And I particularly want to thank Roger Bradbury for hosting this and for organizing it.

So, again, I hope I'm on safe ground here, but our economy, our society, our daily lives all depend on data, and we generate data in almost everything we do. The mere fact you're sitting here with your cell phone on is broadcasting your location; it's constantly generating data. You could be using the recording device on your cell phone to be taking a video and auditory recording. There are sensors in the roof. There's a camera here.
There are data that are collected in thousands of ways, every single part of every single day in our lives, and as somebody who just got off an airplane this morning, I'm reminded again of this constantly being observed as you move around your daily life. Increasingly we see data being created or inferred about us. So I'm going to predict something about you based on your past data, and then I'm going to use it to rate you, to evaluate you. What you will pay for a mortgage, or a loan for a car or a home, will depend upon my prediction, based on your past behavior, as to what I think your future behavior will be. All a data-driven industry.

But it's not just data in the sense of information about me. It's not data like we might think about data protection. It's also data that we increasingly rely on as part of this incredibly complex and spreading cyber infrastructure that increasingly runs our lives. The payment systems: you know, I was thinking about it today. I got off an airplane having absolutely no local currency, and you couldn't have done that 20 years ago. Today I know one of the pieces of plastic in my wallet will turn itself into currency because the control system, the command and control system, actually works. It's interconnected, and suddenly my bank account can be linked with an Australian bank 9,000 miles away. Our transportation infrastructure we increasingly control using database systems. I flew here on a lovely double-decker A380, a plane which has not one physical control surface in the plane; there is nothing that connects the pilot to the controls other than data, other than zeros and ones being sent either wirelessly or over a fixed grid. We see this in utilities, in our just-in-time supply and manufacturing chain. Every single time, just in time: I go to get my car serviced and I'm always told, you know, the part will be there tomorrow.
I can come back. It's not really just in time. But the point is we order things based on how we use them, and it is that supply system that controls costs, that makes it possible to extend service farther. And of course command and control systems in military and civilian operations, which I suspect we're all familiar with.

Now these two worlds, the world of vast amounts of data, what we would think of as data or information, and these data-controlled systems, are rapidly merging, and they're coming together in a way that... we are at just the cusp of what is truly going to be an information revolution, right, a revolution that's going to be marked by ubiquitous sensors: sensors in everything, sensors in our devices at home, sensors in our clothing, sensors in our cars. Already the average car sold in the United States today has 34 separate computing devices in it. You no longer drive a car in and try to make the noise for the mechanic that it made when you were driving. Instead your mechanic waves a magic wand over the car, collects the data from it wirelessly, and tells you what's wrong with your car.
Right, but this world: we are just at the edge of this extraordinary change. And we talk about this sometimes as the Internet of Things, but I don't want to focus on a particular "ism" to describe this. I want to just paint a picture, whether it's terrifying or brilliant, you can have it any way you want it, in which we see that these systems, this interaction of data and systems, are going to completely alter the way we live. Another example of this is machine learning, where we don't tell the computer what to do; the computer figures out what to do. And there are all sorts of examples of this; some of them right now that we deal with are incredibly trivial. I now find when I get in my car to drive home, my phone, which is someplace, pops up a little message that says seven and a half minutes to your home in current traffic. Well, how does it know I'm going home? It's like another wife. It's unbelievable. And how does it know what the traffic is? I live in a little tiny town; we don't even have traffic. But it knows, because yesterday at the same time I went home, and because it's watched those patterns, and because of course it's collecting data from other people's phones to know how fast they're moving on the same route, and it's making an educated guess which turns out, unfortunately, to be accurate. Yeah, this is of course the foundation now of healthcare, personalized medicine, this idea of incredibly targeted treatments. This is going to be the way in which we increasingly mark our lives: these granular data systems.

But the challenge is that they're not secure. None of them are. They just aren't, and we just have to take that as given, and if this is something we need to stop and debate, I'm happy to do it. Right, think about it, really, just imagine: what do you think is the most secure system? The one place
we'd say that will be secure? Well, in the United States we probably would have said the National Security Agency, which of course Edward Snowden walked out of with a collection of documents showing it was completely insecure. In fact, you didn't even have to be that bright to walk out with its greatest secrets. Or think about the Office of Personnel Management in the White House, which is what processes security clearances for personnel who work for the government. This would be secure, until of course it lost all of its records when its computer system was infiltrated. So name a system that is in fact secure, that you're confident is secure. There's not one. So we are building our lives on these tools that are not trustworthy, and we've known this from the beginning. None of this is new. This is not some revelation. I always use this quote from the Washington Post. It's from an op-ed that the former NSA director Mike McConnell wrote in 2010: "The United States is fighting a cyber war today, and we are losing. It's that simple." Well, that's comforting. When President Obama came into office, one of the first things he did, much to his credit, was launch this cybersecurity initiative to assess the state of cybersecurity, and that report, even after being edited for security reasons, read: "The architecture of the nation's digital infrastructure, based largely upon the Internet, is neither secure nor resilient." So this is what we're building our future on: this resource that is neither secure nor resilient.

So what I want to focus on today is this: while we think about cybersecurity primarily, or often, as a technical issue, we describe it in terms of computers and computer vulnerabilities. We often place it in computer science programs, and for example when the president announced, as President Obama did just last week, that he's going to create a new security officer for the federal government, it's based in the CIO's office.
It's thought of as a data issue. But I would argue it's not, and that this is frankly why we're in the mess we're in, because we keep thinking of it that way. If you in fact look at the real vulnerabilities we face, they almost all involve individual or organizational behavior, and legal and economic incentives and frameworks created by law and policy. Now I could give you lots of examples of this, and it would just be tedious, but let me say that if you look at all of the major published attacks, the ones we know about in recent years, Chase, Sony, Anthem, Apple, State Department, IRS, OPM, you name it, every single one involved either a phishing message which persuaded someone to hand over their login credentials, or guessing user passwords because they were such poorly selected passwords. Think about that: every single one had at its heart fundamental user error. In fact, around the world, depending upon the study you look at, between 85 and 90 percent of all successful cyber attacks have exploited a human vulnerability. So no amount of technical cybersecurity is going to protect us against an employee who gives away his or her access credentials, whether knowingly or unknowingly, or who chooses a password that can be guessed so easily.

Moreover, I'm not just going to dump on individuals today, although I have plenty to say about individuals. Institutions face very few serious legal or business incentives to engage in effective cybersecurity. Really think about it. Now, I don't know a great deal about the Australian legal system; I know a fair amount about the US. Outside of a few regulated industries such as health care and banking, and even there I would be happy to come back and suggest the laws are not very strong.
There is no legal obligation to provide cybersecurity. None whatsoever. We just assume people are going to do it, because that's how our economy works. It's based on altruism: that people are going to spend money to secure something for somebody else to use, out of the kindness of their hearts. Look at the way we have treated cybersecurity as a practical matter. When we look at cyber attacks that exploit vulnerabilities in software, in almost every case we have known about the vulnerability for years, in some cases for decades. We just haven't patched it. You know, Microsoft released the patch; it's just that large institutional players in particular haven't deployed the patch. We still have 11% of the population that's using, I usually have to sit down when I say this, Windows XP, even though it's not had a security patch in months now, because Microsoft's abandoned it. That includes, by the way, hospitals. My mother had open-heart surgery in the fall. When we went into the recovery room there was this bank of monitors, one of which was giving the XP error message because it wasn't working, and I thought, that's terrific. You are connecting the systems keeping my mother alive to a software system that's not even being patched any longer. This suggests what is very much the point I want to leave you with today, which is I don't think we're taking cybersecurity very seriously. I mean, we talk about it a lot.
We have meetings and conferences in lovely places. We have task forces and committees and commissions. But we're not treating it as the critical issue it is today. We're not treating it as the foundation upon which we are increasingly building our entire society: our national defense, our economic wherewithal, our research ability, our health care system, our transportation infrastructure. And yet it is not secure. And if you think about other areas in which we identify challenges, look at how we approach those. So when you think about things like transportation safety, auto safety, toxic pollution, we deal with those very differently. We treat those in a way that suggests their importance to our lives. If you look at the hallmarks of that and look at what we've done with cybersecurity, they don't match.

So again, let me focus, if I may, on the US, although in this case I feel like I'm on very safe ground. The president last year, in the budget we are currently living under, had in the budget 14 billion dollars for cybersecurity. It's a big number. Okay, it's just a tiny bit more than what we're spending on the Joint Strike Fighter in the same year. Right, we can develop a fighter, we can secure our entire infrastructure; let's give it a similar investment. In fact, if you compare it with the type of money we spend on things where we have really invested our national interest, take for example the Iraq and Afghanistan wars, which have cost in direct costs about two trillion dollars each, or on an annual basis for their duration about 20 times more than even the new request the president has made in his next budget of 19 billion dollars for cybersecurity. In the United States, cybersecurity in the federal government is the responsibility of the, I swear to you, I'm not making this up, cybersecurity coordinator. Can you imagine addressing any issue you care about with a coordinator? Have we ever sent troops into the field under the command of a coordinator?
Right, it's hard to imagine a surgery where you have a dozen surgeons gathered around and a coordinator to help them. Right, things we take seriously, we put somebody in charge. We have a cabinet secretary. We have a commanding general. We have a prime minister. We have somebody in charge. Instead, our primary contribution to the law of cybersecurity in Australia, New Zealand, Canada, the UK, the EU and 47 US states is breach notification laws. Right, your data is stolen, and so what do we do when we swing into action? We send you a letter telling you your data has been stolen. Imagine that in, like, public health. You know, it's hard to believe we would deal with an outbreak of a virus by saying, let's send you a letter saying that we found you've had this virus. In fact, in Washington today the big cybersecurity debate is over information sharing. Right, to what extent can the private sector share information with the government? To what extent can state governments share information with the federal government, and vice versa? But again, it's astonishing to think that we're still having that debate. Right, can we talk to each other about this problem, when we know that the people who are causing the problem are talking to each other all the time? Economists Bruce Berkowitz and Robert Hahn have observed that the government has largely rejected, and I quote, "regulation, government standards and the use of liability laws to improve cybersecurity. These are the basic building blocks of most public policies designed to shape public behavior, so one must wonder why they are being avoided like a deadly virus." So to speak; that's economists' humor. They wrote that in 2003, and it's still true today.

So what do we normally do when we face a serious challenge, when we face something that could threaten our society? We usually look to markets and to law. If markets work, we use markets, and if they don't work we use law, and sometimes we leap to law even when markets do work. Here there is
lots of evidence that markets are simply not working well. Consumers don't make intelligent choices based on security; security is almost always in tension with convenience. So the thing that is right is rarely the thing that consumers want. But one of the most common things I hear from people in industry is: we would love to use multi-factor authentication for online transactions, but we're not going to use it until our competitors use it, because if we tell our customers you can't log in without going and doing something, they're going to go be somebody else's customers. The reason we have seen such an extraordinary move to online systems has been in large part because they are cheaper; they are more convenient. It's not because they're more secure. And so if we think the market that got us into this situation is going to, by itself, get us out, I think we are sadly mistaken. Moreover, we deal with a problem in cybersecurity which is not at all unusual, but is nevertheless quite serious, which is extraordinarily inconsistent behavior. So, for example, we tell people never click on a link in an email; that's a tremendous security vulnerability. And then institutionally we send out emails with links in them. I received a request for additional information from the Internal Revenue Service. It's the beginning of an audit, and it came with a message from the IRS that said, please click here to submit your data. I thought for sure this was a phishing message. It looked like a phishing message.
It felt like a phishing message, and since I don't want to be audited, I hoped it was a phishing message. But it was not. It is the way the IRS communicates with the public, in violation of everything we've taught the public about what they should expect.

So let me just quickly touch on five things that I think law, in the sense of governance, could do for us. One is it could just provide incentives for better behavior: better behavior by individuals, better behavior by companies. This is of course the way in which we deal with other problems like this. Auto safety, food safety, pollution control, toxic waste: in every single case we enacted a law that set standards and created penalties for people who didn't meet those. Bruce Schneier, who is a well-known and highly regarded cybersecurity, I was going to say observer, but let me say at times curmudgeon, said, when looking at for example the recent announcements from the Obama administration proposing again more of the same of what we've been doing badly for the past decade, he said, if you want robust security, and I'm quoting, "you're going to need a lot of borders and incentives to push people down the right path." And borders and incentives are what law is really good at doing. So, lots of things: you could set standards, you could create liability for absence of good cybersecurity behavior. We could have statutory damages. We could just say every time you breach someone's data you owe them a check for a certain amount of money. It would add an absolute, finite cost. A board of directors could look at that and could say we're going to spend X million dollars to secure our infrastructure, because we know if we fail to, it's going to cost us Y million dollars. We could have laws requiring multi-factor authentication. We could, for example, require chip-and-PIN credit cards. You know, in the United States it took us about a decade to catch on to using chip. Now we're very proud. We're there.
We've retooled our entire infrastructure to deal with it. We forgot the PIN part. So we now have chip and... oh, right, we didn't get that other authentication piece there. A law could have dealt with that in a second. Mandatory patch deployment: if we have trouble with large institutional users of computers not installing security patches, we could require them to do it. There are laws for things like that. We could have mandatory information sharing. Think about it: of all of these laws we have seen in the US and elsewhere, but particularly looking at the law passed as part of the continuing budget resolution in December of 2015, these all are designed to facilitate information sharing. But who really wants to share information about their own vulnerabilities? You know, if you're a bank, would you run to the federal government and tell them, oh, by the way, we have these vulnerabilities, I wanted to let you know we may not be secure; we know you're auditors, but we just thought we'd tell you? Right, how about mandatory information sharing? How about saying, if you have a security vulnerability, you must disclose it? We do it in lots of other areas. We have mandatory disclosures if there's a known defect in a house. We have mandatory disclosures around pharmaceutical products. We have mandatory disclosures throughout our lives, but not for security. So you can hold yourself out as a secure institution knowing it is a false claim, and you do not violate a law. Now I want to be clear: I'm not a nutcase here about regulation. I've spent most of my life opposing regulation, and there are lots of ways that the government can create these incentives. Regulation's one, but remember there are tax benefits; there's tax policy, there are procurement regulations, there's where they invest money for research and development, there's modeling good behavior. So, for example, when the Navy paid Microsoft last year almost 10 million dollars so that it could keep using Windows XP...
That is what I would not call modeling good behavior. Right, so one thing to start would be, okay, fine, let's just clean up our own act. Now let me be clear: there are lots of tensions about this role for government, and one's an economic tension. Nobody likes more regulation, especially in difficult economic times. The great fear when President Obama did his early cybersecurity review was that it was going to call for regulation, and in fact early drafts did, but we were in a tremendous recession globally, and the president and his executives struck that out. Leading industry executives, I'll quote one in particular, said, "We dodged the bullet there." Well, I think the bullet's gonna find us. Moreover, there's another problem here which also deals with law, and I'll get to this in just a moment, and that is we don't want to be, you know, too quick to rule out various forms of cyber attacks, because of course our own governments engage in them, and so we can't take an overly strong stance against something that we in fact do. Even our limited sense of hypocrisy would be troubled by that. So, for example, the current head of the NSA commented on China's alleged role in the Anthem medical data breach, saying, look, if they were after medical files on important government officials, I admire them.
I'd do the same thing. This is by the man who's in charge of our cyber defenses. And then there are always tensions about privacy and government overreach when the government gets involved in this type of activity, and this is one of the things that's held up the discussion for so long about information sharing. When you share information about threats, you almost always are going to share personal data. Right, if I send you the file from the attack on my system, it's going to include some personal information about the things that were attacked. All we want is the government to say we won't use that personal information for any other purpose, and governments cannot bring themselves to do that. They just can't. They think it's an incredible difficulty to say, you know, if we find something auditable or we find something else criminal, we're not going to use the data for that as well. And so, not surprisingly, when you give the government data it can use against you, you're a little hesitant to do that.

Okay, so in addition to creating incentives for better behavior by everyone, second, the law can set limits. It can set limits on the cyber attacks that the governments themselves engage in. It can set limits on the reuse of the information that it has. It can set limits on its own behavior in terms of encouraging or, in some cases, requiring back doors in encryption products. Right, the law can restrain the government in important ways that not only protect human rights but also advance cybersecurity, and around the world we have been loath to do that. Third, law is a critical part of engaging our international partners. Cybersecurity is not a domestic issue, not anywhere.
It is always international. The vast majority of attacks cross national borders. We all are living our lives on networks that are connected internationally, and it is very difficult to conduct diplomacy on a non-governmental level. So if we really want to talk with the Chinese, or we really want to talk with the Russians, or we really want to talk with anybody about our common interest in this area, it's going to be up to our governments to help do that. Now, I don't mean they have to do it alone, but if they don't lead there, it's going to be very hard for anyone else. Let me just give you a really practical example. One major issue in the US-Chinese relationship over cybersecurity is whether industrial espionage is part of national security or not. Now, in the United States we argue vociferously that there is a bright line between the two: that it's perfectly all right to break into your network and spy for purposes of national security, but it's not all right to do it for purposes of economic advantage. There are two problems with that. One is the Chinese don't agree, and the second is there's no international law that really helps support that either. But, by the way, the US might be right; I'm not for a moment taking a position on this issue. I'm just saying if we want to advance that position internationally, we'd be better to engage other countries, like-minded countries, countries that we share a lot in common with, to say maybe we should get that installed as a principle of international law: there's going to be a bright-line rule, one will be okay, the other won't be. The fourth thing that law and government can do is, as I've already suggested, get the government's own house in order. Now, a nice place to start would be to get government security to be better. It is really hard for governments to crack down on industry behavior when the government's making exactly the same mistakes, and whether it's the UK sending tax data in the mail, backup disks in the mail, or whether it's the US
government that seems incapable of securing a database, it would be a good thing to first get its own house in order. I'm astonished at the limits on doing this. So, for example, the United States has spent a lot of time now, six years, publicly developing Einstein, a series of systems, Einstein One, Einstein Two, Einstein Three, which look at email traffic and attempt to discover if there are malicious activities going on in it, purely based on code analysis, not on content analysis. So what do you think we do when we discover that? Nothing. Almost nothing. Now we have started moving some email into a separate server to be looked at again. But, for example, in my university, if a machine is connected to our internet and spewing out viruses, we block it automatically. It doesn't matter whose machine; it can be the president's machine, it could be anyone's machine. We just block it. We have a system that blocks it. There is no one in the federal government with that authority, absolutely nobody, and in fact in most departments there's nobody with that authority. Okay, but another thing the government could do to help get its house in order is not just to enhance its own security but to do things that might make the infrastructure more secure for the rest of us. And again, let me give you a very US-centric example, but an extremely important one. We have spent well over a decade now trying to protect Social Security numbers. These are nine-digit numbers that are issued to every person, intended to be used primarily for tax and employment benefits. All it does is link a person to a file. Here's your nine-digit number.
It should match with your name and address and so forth. Social Security numbers were never meant to be private; they've always been public. The government prints them on your tax return label; anyone who reads your mail can see it. The military up until two years ago still printed them on identity tags. So if you had a duffel bag, that's the right word, there's my military advisor, if you had a duffel bag going on a plane that identified it as yours, it would have your Social Security number on it. Right, so we have spent literally billions of dollars trying to secure Social Security numbers. Why? Why didn't we just publish a directory of them? Right, because there are still institutions, including banks in the United States, that use Social Security numbers as default passwords. So we are, it's like trying to protect air. You know, we're just trying to protect this little sphere of air, and we're going to really exert ourselves to do it, rather than just acknowledging the air is not going to be held in. And so let's just make it either illegal for them to try, or clearly attach financial penalties to it.

And then fifth, and finally, governments can help, I don't in any way mean to suggest they're the only folks who can, but help think strategically about these issues. You know, one of the challenges in this area is every time we get a new announcement from a government about cybersecurity, without question it's telling us something we already knew, and in most cases it's telling us something we knew five years ago. Wired magazine entitled its coverage about the president's recent cybersecurity announcement in the United States "Back to Basics," meaning these are, like, things we were telling people a decade ago, and now the Obama administration's decided to tell us all what we've known we should be doing and aren't doing. We must think strategically about these issues.
We must think in a way that will set priorities. We've spent too much time, people like me and others, telling industry to worry about everything. We've got to figure out what it is to worry about that should first command attention. Too often we've used this idea of critical infrastructure, but in the United States critical infrastructure is everything. There's nothing not included in the list of critical infrastructure. Absolutely nothing. You are a useless human if you're not on that list somewhere. So that is not a way to help prioritize. If you've got one dollar and we say make sure you spend it on critical infrastructure, well, there's nothing left. So what could we say that would be more useful guidance to tell industry how to focus that? But most of all, we could think strategically about the future of cyber challenges. Not the challenges we see today; the challenges that are just emerging, are just on the horizon, and we expect to see more of tomorrow as, again, our lives become more digitally mediated. Data not just being stolen, but being altered or substituted. Right, think about it: right now we get all upset if, like, your bank account information is accessed by somebody else. Imagine if while they're there they change it. That'll be something to worry about. Or broader use of ransom demands. Right, largely to date we think of ransomware as those things that encrypt your files and pop up saying you have to give money here and then we'll send you an encryption key. But what about ransom demands for not revealing your data? Not unlike the Sony attack, right? I've got your data, and for the right amount of money
I won't reveal it. Think about industries like lawyers and accountants and doctors who have sensitive information. Think about cyber attacks that interfere with command and control structures. Right, in the United States we use wireless networks to control the switches that control trains. We use them to control natural gas pipelines, the flow. Increasingly, local utilities like water and sewage plants use wireless controlled switches. You know, as upset as we might get about people stealing OPM records, imagine when they start mixing clean water with raw sewage. Think just what will be involved there: literally, you pollute a city's water supply, it will be five days, five weeks, five months before it can be used again. These are real issues. Like, I'm not making these up; I'm not giving the bad guys any ideas here. Or integrated kinetic and cyber attacks, you know, where we see real troops moving or real attacks or real things happening in the real world, and suddenly the internet communication system we have doesn't work. In the United States one of our largest retailers moved to an all internet-based communication system. That's how they reached all of their offices: through digital phone, digital email, digital fax. Until they lost their connection to the internet. They couldn't do a thing. I mean literally, they were dead.

We need to think about this from, if you will, an end user's perspective, rather than from the government's perspective. We need to think about it from the impact it's going to have on real individuals, us, not just today but in the future.

Now, let me say a lot of people give lots of reasons for why law and policy won't work, and the most common is that it's too slow. Right, and that is true if all we're talking about is legislation.
It's way too slow. But let me say I reject the argument that we can just dismiss the role of law and policy on the basis that technology always moves faster, that attackers always move faster. Right, there was no reason at all that, by using law to create appropriate frameworks for behavior, incentives to guide behavior, limits on the things governments will do with data or do with cyber attacks, that the role of law and governance cannot be a critical step, indeed I would argue a fundamental step, an essential step, in securing our own cyber infrastructure. Thank you.

Please.

I'm still stymied by your beginning the question "Do I have any sense", and the answer is almost always no. No, I don't. And let me say I don't think there are many examples of where we could say, at a national level, we see cyber security being done well. I think we see countries that get attacked less frequently, that deal with fewer, if you will, threats. There are others here who might have another view. Are there countries that do this? Estonia, because it's been through its own catastrophic cyber attack and has learned from the experience. But again, remember, it's a comparatively small country with a much smaller surface area to guard.

Yes, please.

Thank you. My question would be: so we've got all this money that we shouldn't be spending on cyber security, and I agree with you totally for the reasons that you gave. What should we be doing with that money to address the problems that are created by that insecurity?

Yeah, I think we should be spending money on cyber security. I think we should just be spending it strategically on cyber security. And so instead of chasing, not protecting things like protecting the perimeter of most organizations; it's virtually impossible. You know, you've got employees coming in every day. They're bringing their own devices. They've got their own USB fobs with them.
We want, you know, to save money. We want them to use their own cell phones, and yet we still argue that we're trying to protect the perimeter. We've lost the perimeter. We should give up. What we ought to figure out is where it matters. So for example, good backups of data. That's one place I'd spend money. Making sure that you can detect alterations in your data, if it matters. Now, if it doesn't matter, you know, if it's your family photographs, you may not really worry about that. If on the other hand it's financial or trading records, that would seem to make a lot of difference. By the way, I mentioned backups, but let me just say one more word about that. It's not just having the backups, like in a bank vault someplace. Can you switch to those backups instantly? You know, one of the things we see is a lot of retailers do a quarter or more of all of their business in the few weeks right around the Christmas holidays. So if your website's down for a week, then you may be bankrupt. So you can have all the backup in the world, but if it's not instant, if it's not like a generator that switches on when needed, that's not going to help.

I think research is another area. Now, you know, I'm a vice president for research. I like research, naturally. But this is an interesting area where most of our research dollars, I think, have been very poorly spent. We've tended to research things we already know about. You know, how much more research do we need?
Well, whatever I say here I'm going to get in trouble, so I'm going to stop without making fun of anybody's research. But I think we need to really think about researching in a risk management way, you know: where is the real risk that we could actually do something about?

Tom Wellington from the Research School of Computer Science. Apart from more research, as you say, there are no laws mandating this sort of security in most cases, but we do have a corporate governance of ICT standard, developed in Australia, adopted internationally, and there are laws about governance of government agencies and companies. Could we simply enforce the law that exists through implementation of the standard which exists, which talks about backups and security and that stuff? Otherwise, aren't we just reinventing what a lot of us sat around and wrote papers about?

Yes, we could, and in fact I think it's a brilliant suggestion. In other words, we already have tools in place; let's try to use them. I'll tell you why I don't think it's adequate, though. Think about something like auto safety. We all have some familiarity with autos. We all typically get in them and think that they are secure, and usually it's not because of our knowledge. It's not because, like, we've checked the tire pressure every day or checked to make sure the engine's working. It's because there are thousands of safety regulations that apply to cars. Now, that's too many.
I'm not asking for thousands of regulations. But it's also backed up by a high degree of liability. If you make a car that is not safe, you're going to pay for it, even if you manage to thread your way through the regulatory environment. I think we need more of a feel about that around cyber security, particularly where security should matter. So when you're promised security, when it's a transaction that ought to have security: health information, medical, or command and control structures. Right now we leave that up to industry. Even when there's a regulator involved, the regulator is rarely competent to deal with the cyber aspect of it. So even if I'm a food and drug regulator, I regulate pharmaceutical companies; I come in, I look for cleanliness, I look for: do you have locks on the doors, do people wear masks, you know, all of this. But am I really competent to evaluate your software to see if it's compounding correctly? And so again, I think this is an area where I don't want the legislation to say you must do x, y or z. I want the legislation to say you must meet the industry standard, or there's going to be a regulatory body that can adopt the industry standard. So I think we have to think creatively and, if you will, iteratively, so that we take advantage of what's there and the ability to build on that knowledge, not have to recreate it, but we add some oomph to it. We add some real force.

Okay, I'm going to lean to my right for a little while now. I've been very left-wing and I apologize. So we'll start here and come forward.

Thanks, Fred. Look, I'd like to say a bit of positivity to this, because I agree a lot of it is a glass half full, because it needs to be a glass half full, and it's a call to action. But there are some positive signs.
So last year, in this March time frame, ASIC, which is the Australian Securities and Investments Commission, actually produced a report, which is Report 429, which doesn't make a lot of sense, but the important thing is its title does, and that's "Cyber resilience: health check". And the intent is, ASIC regulates all companies, public companies and other companies in Australia, and so this report is actually quite prescriptive or definitive in terms of what companies can do. So not prescriptive, but definitive. And my belief is that it is actually sufficient such that any director that didn't actually take this seriously could be considered as being negligent. So at some point in time in the future there will be a class action against the set of directors who have not actually considered this report and not actually asked these questions. Even if they've asked the questions and not sought the right answers, or not actually seriously followed through, they're still being negligent. And so I think we'll start to see the courts actually acting in our favor too. I think we're just at that point where these things are now in place and they can start to work in our favor.

Well, I'm very pleased to hear that, and as you might expect, I didn't know about that specific report. Let me just, lest we get too optimistic, let me just add one more negative view here. So, you remember it's been close to 40 hours since I've last slept in a bed, so if I'm feeling negative you'll understand why. And that is, in the U.S. we've had maybe 300 class action lawsuits around data breaches, for example, and all but three, I think, have failed because of the difficulty of showing harm and the difficulty of showing the harm was due to the breach. Now, they probably should have failed. I'm not for a moment criticizing those judges; those were probably all very wise decisions. But it's a long, slow process.
Maybe it's faster in Australia, but it needs to be faster. We're dealing with a challenge so vast and expanding so rapidly that if we wait for a slow judicial process to work, I worry that it may be too little too late.

And therefore profitability: more likely to be shareholders that will actually sue because of loss of profitability, and therefore they'll be able to show up.

Yeah, and I think from that point of view it'll be easier to do than the Dennery scenario, but I agree with you in time. Okay. Just hand the microphone on down there if you don't mind.

Thank you. Thanks very much. Just on that point, one of the trends we're seeing in Australia already with the companies that take security seriously, admittedly, which is not everyone: a lot of contractual arrangements before they enter into business with a supplier. They'll say show us your eyes into these securities and I said set up. We want to be certain that when we send you data about our customers that you've got it secure. So rather than getting it through the actual civil lawsuit stuff, it's actually preempted, which is really encouraging. But the point I wanted to make was, before the climate isn't much, I work with security and government and policy and I do have a relatively existence. Look at my country and go, oh, we could do a lot better. But I want to thank you tonight, because I've actually been sitting down thinking for the things the law can do, and I actually think, well, actually, we're not doing too badly. Okay. And I'll give you one case important my colleagues around great green because they are spruity my apartment. We've got setups already, institutional setups, that help businesses protect themselves without regulating them, to tell them how they do it. We have organizations like the computer emergency response team, CERT Australia.
There's an equivalent in the US to it, there's around the world, the whole thing. They've got setups where they can actually advise on and give support to critical infrastructure, closely defined as well. And they have non-disclosure agreements. So, being a civilian agency, if they show us their books and we go, oh, that doesn't look right, we're not allowed to pass it on to law enforcement. What it does is it builds a relationship with that. We're also not an intelligence agency; therefore we're not allowed to. We're giving that trust, those relationships. I find they have been mindful across government to actually promote cyber security without being hit with the heavy hand of the government. And also just one other point is, like, within Australia we have very clear distinctions, legal distinctions, between what the different cyber security operational agencies can actually do and what they can't do. And so we have a body called the Australian Cyber Security Centre, which brings all these bodies together, but there are very clear legislative limits on what they can and can't do. So CERT sits in there being the civilian arm looking at business; the AFP, Australian Federal Police, sorry, they have theirs for law enforcement; we have the spooks doing their spooky stuff. I'm not sure, but while they, while they have a limited sharing capacity, they're actually not, you know, I would be collaborating to their, they're co-located, to say they were not blending too much. I know it seems that the picture you painted tonight very briefly, and I was thinking, I think I can see it all, but I might have been a little better about myself, which, so I wanted to thank you.

Good. Well, I'm delighted. I mean, really, I have nothing else. I feel like we've accomplished something worthwhile. And I also, you know, this is an area which is hard to be overly optimistic about. So let me say it's not like the weather. You can have great weather; you can have bad weather.
We pretty much all know what it is. This is an area where, when you look at the degree of change and the speed of change, you know, it's hard to know what a perfect solution would look like, and I don't want to in any way obfuscate that. I mean, I recognize that, and I recognize that there are many people doing their best to make the situation better. I would still argue that on the whole we have not been well served, as a society broadly, by the types of responses we see from the governance system, from the legal system, and that to some extent we've done as well as we have largely because of the goodwill, the number of companies, the number of individual agencies, who have stepped forward to do something that they thought was right in the circumstances. But I do worry. I still think about cybersecurity more in terms of, like, natural disaster or war. And imagine, you know, catastrophic flooding, thousands, maybe millions, of people displaced from their homes and their businesses. Are any of us prepared to deal with that? I mean, do we have a government response plan that doesn't involve using the internet? Right, and you would be unique in the world in terms of having that, because I can tell you, I mean, for example, when the United States Department of Homeland Security runs its cybersecurity tabletop exercises, it runs them from nine to five, because it doesn't want to pay overtime for the employees. So we just hope the attackers also stop at five. Well, you know, I don't really want to pay overtime either. I mean, that's a rational decision. But it leads me to question whether the results of the tabletop exercise, you know, the merit they carry.

Fred, thank you for that.
That was wonderful, enlightening and depressing in equal measure. Can you make a further comment about this tendency of access creep into data? When, in the private sphere, we have companies like Apple which will say we just don't give our data out to anyone, any other third party, we just don't do it, and there's a measure of trust given to that, and say, we can do it. But we know when we give government data, they, as you said, are very reluctant to ever say we won't pass it to anyone else. They'll put some weasel words around it and say "except according to law" or something like that. And is it anything more than just sort of bureaucratic creep, that any decent bureaucrat will try and do their job in the easiest way, and if you're a copper and you know that the traffic department has got traffic cameras, and you've got a murder on your hands, you'll ask the traffic department, can I have a look at your CCTV please? There might be something on it. Even though when the traffic cameras were installed everyone crossed their hearts and said this will only be used for managing traffic. And you see that creep going forward all the time, that there's a reach into the data systems of other agencies. But I'm not suggesting it's always from the various characteristics, but there's no policy set for any of this. There's no, it's just a creeping connection of things because you can.

It's a great question.
Let me say this. I am not the least bit concerned about, for example, the example you gave of, you know, using the CCTV to track down a murderer, and my guess is most people would not be widely concerned. And in fact that's probably the way it should work. In other words, you would articulate a serious purpose, you might go to a court or someplace and get authorization, then you'd get to use the data. The type of creep I'm talking about is where we, you know, it may just be due to the natural acquisitiveness of government agencies. When we get data, it's, for example, it's very hard to get a government agency or a company (we could put them all together here) to delete something. They just think they might need it a little bit later. And you undoubtedly know this has been a constant fight for the past 15 years between Europe and the United States over, for example, passenger records. When someone travels, you know, nobody's saying don't check the passenger against the terrorist watch list. They're just saying delete the name after you do. And we're like, well, we just like to keep that maybe 20 years or 25 years. And what are we going to do with it? No bloody idea what we're going to do with it. But if we've got it, if we've spent taxpayer dollars to collect it, let's hang on to it. And I think that has become a real issue in the data world. We saw this again,
I'm going to stick with US examples here. Our Transportation Security Administration wanted to be able to run background checks, very limited background checks, on all passengers, and they wanted a bunch of data to do it: 19 data elements, including the credit card information you used to pay for the ticket. Everybody opposed this. Congress opposed it, the airlines opposed it, the public opposed it, in large part because it was an overreach for the purpose, and in large part because the TSA, the security administration, wouldn't agree to not use it for other purposes. Once they agreed (actually, Congress passed a law saying they could only use it for other purposes), they discovered all they really needed was your full name, your gender and your date of birth, just three data elements. Well, so you have less data, serving a limited purpose, protected by law, and it goes off without a hitch; it works incredibly well. I think that's where we need to get with cyber security: a certain sense of rationality. I worry about it not just from a privacy or data protection point of view; I worry about it from an efficacy point of view. If we overload people with too much data, they're going to miss the important bits. If we can focus instead on what might be most relevant for the purpose at hand, you know, we have a chance they might get the job done. So I guess I'm going to dial it back to bleak for everybody.

Okay, good. I can be the optimist now.
This will be a real change. So we hear a lot about the US in particular insisting on, well, putting pressure on companies for backdoors into their data, and there's a lot of heated rhetoric around the dissemination of such basic technologies as encryption. Might the lack of interest in furthering the interest of secure cyberspace be a calculated position on the part of governments, you know, as part of an effort to maintain an advantage, as it were, over the private sector?

Yes, I think almost certainly that's the case. And you know, one of the pretty consistent recommendations of the many different groups, including the president's own national security review group, is to separate out, for example in the National Security Agency, the offensive use of cyber weapons from the defensive use; that those should be in separate agencies, so that you don't have this incentive problem about do we want to fix problems or not fix them because we're exploiting them. And for whatever reason the president has absolutely refused to do that. In fact, he's collapsed them together even more clearly. So I think we have to assume that the defense message is in part being compromised by the offense message. You know, if this vulnerability persists, I can use it to my advantage. And I suspect that's true in governance.
It may be true in some industries as well. You know, are you sure you want to report a known vulnerability if you can use it in a way that advances your interest, this interest, the benefit?

It's an excellent and really tricky question. The most successful argument so far has been, I think, the international competitiveness one, which is, if we do it, then everyone's going to flock to Australian encryption or German encryption or something else if ours is known to be weak. I mean, you know, would you go on the lot and buy a car that you are told has a defect, but you're not told what the defect is? Or would you want to buy a car that works, you know, that has no known defect? Now, what worries me is that we end up seeing an agreement among a handful of key nations that they all want back doors. You know, China would like back doors; I'm just guessing Russia would like back doors; the US wants back doors. You know, with the Five Eyes all saying we want back doors, and if so, is that international competitiveness argument going to work any longer? But I think for the moment it is. And even in the United States, and again there are people here in probably a better position to comment than I am, I think it's largely now down to the FBI, the Federal Bureau of Investigation, that is still arguing for the back doors.
I think most of the intelligence agencies have said, you know, we understand that's a lost argument.

I'm not wanting to pile on to the problems, but something I think we do need to address, and it picks up on points that Gary and Simon and this gentleman made, is actually working out where we've got things that work well, and cyber security just needs to be normalized as part of that, and raising awareness and skills so people understand how to apply it; and then where we've got genuine gaps and it needs any of the interventions and new approaches, actually prioritizing those as a discrete issue. Because I think when you're looking at incentives and interventions, no one likes broad-ranging ones that are designed to fix 10 things and actually don't fix anything well, which is a risk in cyber security when it can mean so many different things to different people. And so with that in mind, with incentives and standard setting and looking at creative ways to do that, what do you see insurance companies' roles as in this space?

I'm sorry, we're out of time, but...

Had to go a step too far. I actually don't like insurance in this area, but I'll tell you exactly why, and you may appreciate it. It's such an uninformed opinion you'll regret asking as much as I regret that you asked it. I think there's a tremendous kind of moral hazard problem here, which is, if you say to people you've got insurance for this, it's not doing anything to improve the infrastructure.
It's just shifting some of the economic costs from one party to another, but you have exactly the same problem, and I would rather try to address the problem. On the other hand, if I ran a business and faced this, you know, massive liability if I had a tremendous breach that actually did cause clear harm, or if there were, for example, federal statutory penalties that said if you have a breach you pay a certain amount of money, then I would want to pass off that loss to somebody else, and insurance would be one way of doing that. The best thing I can say about insurance, and it's quite good, is that insurance today, at least in the US, is effectively setting the standard for cybersecurity in many industries. Because, you know, insurers don't just come in and say we'll just take your loss. They say we've got a list of 45 things you have to do, and when you've done these, then we'll take your loss under certain circumstances. And so it may in fact be that insurance becomes the de facto regulator or incentive creator for cybersecurity in some economies. On the whole I would still rather see that be led either by government or by industry expert groups, but, you know, well, I may have to be satisfied with what I can get.

So, Professor Cate, thank you very much. Thank you very much for what was both a stimulating, thought-provoking and particularly provocative presentation over the last hour. I myself am convinced about strict liability now after listening to you. But I just would like to invite everybody to join hands and thank Professor Cate.