Exploring Cyber Security Policy Options in Australia

Igor Mikolic-Torreira, Don Snyder, Michelle Price, David A. Shlapak, Sina Beaghley, Megan Bishop, Sarah Harting, Jenny Oberholtzer, Stacie L. Pettyjohn, Cortney Weinbaum, et al.

Research

Published Aug 7, 2017

Today's cyber environment presents unlimited opportunities for innovation, interaction, commerce, and creativity, but these benefits also bring serious security challenges. Satisfactory solutions will require building partnerships among public and private organizations, establishing mechanisms and incentives to foster routine information sharing and collective defense, and educating users about their role in thwarting increasingly sophisticated attacks. RAND developed and conducted a cyber security exercise in Canberra, Australia, that aimed to capture the widest possible range of stakeholder perspectives. Participants represented government, the private sector, think tanks and academic institutions, industry associations, and the media. The goal was to explore the challenges Australia faces in securing cyberspace by placing pressure on government authorities, industry capabilities, users' tolerance for malicious cyber activity, and the ability to develop interdisciplinary solutions to pressing cyber security challenges. The exercise was structured around two plausible cyber security scenarios set in the near future, and this was the third in a series of cyber security exercises developed by RAND. The two prior exercises were conducted in the United States — in Washington, D.C., and at the University of California, Berkeley, near Silicon Valley. Like these prior events, the Australian exercise provided a rich set of observations and options to strengthen cyber security and enforcement while protecting the benefits afforded by a free and open Internet.

Key Findings

Government Solutions to Improve Cyber Security and Protect Consumers Must Consider Interconnected Factors

  • Participants saw a need for improved reporting processes that protect businesses from financial consequences while also protecting consumers whose data have been compromised.
  • Participants questioned how the Australian government could hold device manufacturers accountable for cyber security breaches without stifling innovation. Many of the technologies sold in Australia are manufactured abroad, highlighting a need for international partnerships to strengthen cyber security.
  • Participants questioned whether the standard required to assign attribution for cyber attacks in an Australian court of law should be the same as that used to assign attribution for state-sponsored attacks.

Security Is Not Designed into Products, Indicating a Role for Government to Develop Cyber Security Standards

  • Consumers are insufficiently informed about security, and manufacturers, importers, and retailers are not incentivised to build and sell secure devices. A security logo visible on product packaging could inform users' purchasing decisions, leading to financial incentives for sellers.
  • Participants felt that users should be able to opt out of digital connectedness and data sharing, though many devices today do not offer these options. Further, this connectedness sometimes provides no obvious value to the user.

Recommendations

  • Even if perfect attribution of a cyber attack is not possible, future exercises should determine what level of confidence is sufficient to pursue a case, and laws, regulations, investigations, and behavioural norms should be designed around that framework.
  • Australia should enter into international agreements that create avenues for criminal investigations and prosecutions, but these agreements should not limit the Australian government's options to provide for its own defence, security, and law enforcement.
  • Some values are worth protecting and defending, even if doing so comes at a significant cost. However, future exercises should explore how to draw such a line, and the Australian government should determine what options it is prepared to take if that line were crossed.
  • Citizens are increasingly unable to opt out of digital connectivity. Future exercises should determine whether certain types of devices should be operable offline, as well as how standards should be written and whether users should be able to opt out of data sharing.
  • Local governments should collaborate with industry partners to develop a quality assurance system for connected devices that can be used on packaging and that is understandable to consumers. This initiative should include a plan for responding to attacks on these products and should assign responsibility for such a response.
  • Cyber security instruction should be integrated into school curricula, with these lessons enforced by education and awareness campaigns targeting adults.

Citation

RAND Style Manual
Mikolic-Torreira, Igor, Don Snyder, Michelle Price, David A. Shlapak, Sina Beaghley, Megan Bishop, Sarah Harting, Jenny Oberholtzer, Stacie L. Pettyjohn, Cortney Weinbaum, and Emma Westerman, Exploring Cyber Security Policy Options in Australia, RAND Corporation, RR-2008-WFHF, 2017. As of September 23, 2024: https://www.rand.org/pubs/research_reports/RR2008.html
Chicago Manual of Style
Mikolic-Torreira, Igor, Don Snyder, Michelle Price, David A. Shlapak, Sina Beaghley, Megan Bishop, Sarah Harting, Jenny Oberholtzer, Stacie L. Pettyjohn, Cortney Weinbaum, and Emma Westerman, Exploring Cyber Security Policy Options in Australia. Santa Monica, CA: RAND Corporation, 2017. https://www.rand.org/pubs/research_reports/RR2008.html.

The research described in this report was funded by a grant from the William and Flora Hewlett Foundation as part of its Cyber Initiative and conducted within the Acquisition and Technology Policy Center of the RAND National Security Research Division (NSRD) and the Science, Technology and Policy Program of RAND Justice, Infrastructure, and Environment (JIE).

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
