In December 2016, RAND Australia and the ANU National Security College partnered to facilitate a cybersecurity-focused exercise. This 'cyber game' used two separate scenarios set in the year 2022: navigating the security of Internet-connected devices without losing their societal benefits; and intellectual property theft against a backdrop of evolving international norms of behaviour in cyberspace.
In the first scenario, hackers extort businesses, government agencies, and community organisations by disabling or slowing Internet of Things-enabled devices (e.g. factory machinery, restaurant refrigerators) and hold them for ransom. These attacks eventually affect implanted medical pacemakers and cause the deaths of 12 elderly patients. A hack against a driverless car goes awry, causing it to veer onto a crowded sidewalk.
In the second scenario, hackers access a mining company's internal systems, including contract data, bidding histories and all corporate communications; but this is only discovered when the company goes bankrupt after losing one bid after another. Meanwhile, an Australian green energy innovator reveals that the design for its next-generation solar panel, reputed to be the most advanced in the world, has been stolen. The firm has state-of-the-art cyber defences and has tracked the theft to a foreign government's military cyber unit.
Citizens and companies are demanding action from the government. What should it do?
The challenge posed by Internet-connected devices is only getting worse as the number of online devices is projected to grow from about seven billion today to over 20 billion by 2020. The number of attempted attacks on such devices nearly doubled in the past year and shows no sign of abating. And Internet-connected devices are often the weak link that criminals exploit to reach their actual target: in one case criminals attempted to steal from a North American casino by compromising an Internet-connected fish tank.
Intellectual property theft causes significant losses. A study estimated that a theft can cost a small business AU$140,000. Larger organisations can suffer losses in the tens or even hundreds of millions of dollars. And there are other costs to consider: the information stolen can include the private information of customers, employees and partners, creating an additional liability.
Last week the outcomes of the exercise were released in a report launched by Dan Tehan, MP, Minister Assisting the Prime Minister for Cyber Security.
The report gives three overarching policy recommendations from the exercise to improve cybersecurity in Australia: create and enforce technology security standards, craft international agreements to address cybersecurity challenges, and improve risk awareness to keep users safe online.
There was broad consensus that the policy domain will continue to be challenged by the pace of technological change and by both the anticipated and unforeseen impacts of change on society. This highlights the need for continued public discourse on cyber policy development—and to reach widely across the economy and community to increase awareness and understanding of cyberspace.
The report says that future exercises of this nature could consider a range of areas, including how policy development should challenge assumptions about government roles, responsibilities and authorities. They could also incentivise a broader range of government and non-governmental stakeholders to participate in building and implementing cybersecurity solutions.
The report can and should be used as a tool for organisations to consider how to leverage gaming methodologies to develop and exercise their internal policies and cybersecurity. It also reinforces the seriousness with which organisations—public and private, large and small—should be treating cyber risk. But it additionally emphasises the opportunities open to them in investing in cybersecurity as an enabler that assures and grows their base of customers and citizens.
The 360º Discovery Exercise employed gaming methodology developed by RAND and involved around 90 participants from Australia's public and private sectors, academia and think-tanks, industry associations and the media. It was the first time a policy-focused cybersecurity exercise involving a cross-section of stakeholders had been held in Australia and the first time RAND's gaming methodology had been applied outside the United States. The exercise provided specific insights for Australian cybersecurity policy—especially how to build on Australia's current Cyber Security Strategy released by Prime Minister Turnbull in April 2016.
Interestingly, since the game was convened, variations of the scenario around Internet-connected devices have played out in numerous ways in 2017. These include a technician who unwittingly introduced a computer virus into speed cameras used in Victoria, and baby monitors that allowed strangers to view the video feed. International debates and efforts to embed norms of behaviour in cyberspace have also progressed, most recently with Australia and the United Kingdom reaffirming their commitment to work together on these shared priorities.
When it comes to cybersecurity, the rules of the game are constantly changing – and we have many games left to play.
Michelle Price is the Chief Operating Officer for the Australian Cyber Security Growth Network Ltd. Igor Mikolic-Torreira is a senior fellow at the non-profit, nonpartisan RAND Corporation and a professor at the Pardee RAND Graduate School.
This article first appeared on Policyforum.net, the news platform of the Asia and the Pacific Policy Society.
Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.