RAND conducted a cyber security exercise with participants from government, industry, think tanks, academia, and the media in Canberra, Australia. The goal was to explore opportunities to improve cyber security, assess the implications of possible solutions, and inform Australia's next national Cyber Security Strategy.
- Where do private-sector and government cyber security roles intersect (such as in developing and implementing standards for cyber security), and what governance and information-sharing processes could facilitate collaboration?
- How can Australia collaborate internationally to strengthen its cyber security defence and response capabilities? What priority should such arrangements place on identifying and punishing international cyber attackers?
- How should Australia balance economic interests (promoting imports and exports) with security interests (protecting against malicious cyber actors) when the two goals conflict?
- What initiatives could raise awareness of the importance of cyber security and help technology users keep their data safe from malicious actors?
- What insights from the exercise could inform Australia's next Cyber Security Strategy?
Today's cyber environment presents vast opportunities for innovation, interaction, commerce, and creativity, but these benefits also bring serious security challenges. Satisfactory solutions will require building partnerships among public and private organizations, establishing mechanisms and incentives to foster routine information sharing and collective defense, and educating users about their role in thwarting increasingly sophisticated attacks. RAND developed and conducted a cyber security exercise in Canberra, Australia, that aimed to capture the widest possible range of stakeholder perspectives. Participants represented government, the private sector, think tanks and academic institutions, industry associations, and the media. The goal was to explore the challenges Australia faces in securing cyberspace by stress-testing government authorities, industry capabilities, users' tolerance for malicious cyber activity, and the ability to develop interdisciplinary solutions to pressing cyber security challenges. The exercise was structured around two plausible cyber security scenarios set in the near future. It was the third in a series of cyber security exercises developed by RAND; the two prior exercises were conducted in the United States, in Washington, D.C., and at the University of California, Berkeley, near Silicon Valley. Like those prior events, the Australian exercise produced a rich set of observations and options for strengthening cyber security and enforcement while protecting the benefits afforded by a free and open Internet.
Government Solutions to Improve Cyber Security and Protect Consumers Must Consider Interconnected Factors
- Participants saw a need for improved reporting processes that protect businesses from financial consequences while also protecting consumers whose data have been compromised.
- Participants questioned how the Australian government could hold device manufacturers accountable for cyber security breaches without stifling innovation. Many of the technologies sold in Australia are manufactured abroad, highlighting a need for international partnerships to strengthen cyber security.
- Participants questioned whether the standard of proof required to attribute a cyber attack in an Australian court of law should be the same as that used to attribute state-sponsored attacks.
Security Is Not Designed into Products, Indicating a Role for Government to Develop Cyber Security Standards
- Consumers are insufficiently informed about security, and manufacturers, importers, and retailers have little incentive to build and sell secure devices. A security logo visible on product packaging could inform users' purchasing decisions, creating a financial incentive for sellers to offer secure products.
- Participants felt that users should be able to opt out of digital connectedness and data sharing, though many devices today do not offer these options. Further, this connectedness sometimes provides no obvious value to the user.
Recommendations
- Even if perfect attribution of a cyber attack is not possible, future exercises should determine what level of confidence is sufficient to pursue a case, and laws, regulations, investigations, and behavioural norms should then be designed around that threshold.
- Australia should enter into international agreements that create avenues for criminal investigations and prosecutions, but these agreements should not limit the Australian government's options to provide for its own defence, security, and law enforcement.
- Some values are worth protecting and defending even if doing so comes at a significant cost. Future exercises should explore where to draw the line between tolerable and intolerable malicious cyber activity, and the Australian government should determine what options it is prepared to take if that line were crossed.
- Citizens are increasingly unable to opt out of digital connectivity. Future exercises should determine whether certain types of devices should be operable offline, as well as how standards should be written and whether users should be able to opt out of data sharing.
- Local governments should collaborate with industry partners to develop a quality assurance system for connected devices that can be displayed on packaging and that is understandable to consumers. This initiative should include a plan for responding to attacks on these products and should assign responsibility for that response.
- Cyber security instruction should be integrated into school curricula, and these lessons should be reinforced by education and awareness campaigns targeting adults.