Malicious cyber activity and the enduring challenge of cyber security have not been far from headlines in 2016. This year has witnessed the largest breaches the world has ever seen, and cyber security's relevance has entered a new golden age.
A common cry from Australian stakeholders in the business of cyber security – private sectors, researchers and policymakers alike – is the need for deeper and more thoughtful discussion on the challenges and opportunities of the digital domain.
In particular, the dynamics between policy and operations, the intersection of domestic and international action, getting better at anticipating what the future might hold for cyberspace and getting a handle on user perspectives – perhaps one of the most underdeveloped areas of policy thinking.
As a means to contribute to this, the National Security College and RAND Australia recently delivered the 360° Cyber Game on campus at the Australian National University. About 80 people participated in the full-day event and a further 25 people facilitated, took notes and supported delivery of the policy-based exercise, which focused on two scenarios set in the year 2022.
Participants came from around Australia, representing federal and state governments, most private sectors and the research community – bringing to bear expertise across engineering, computer science, informatics, forensics, psychology, criminology, economics, financial services, business management, law, political science, diplomacy, strategic communication and policy. Importantly, participants also ranged in their stage of career, from those just beginning in the workplace through to those in the most senior of positions.
"The Cyber Game was a great opportunity to see how people across the board are thinking through these problems. It helps to galvanise thinking on how to carry big initiatives forward for national impact" said Craig Davies, the recently announced chief executive officer of the Australian Cyber Security Growth Network, of his participation in the Game.
The Game's scenarios considered the state of play for securing the Internet of Things and the complex intersection between protecting Australian intellectual property while pursuing global norms of behaviour in cyberspace. Participants worked on the imagined yet plausible circumstances each scenario set out, by being mixed across six groups. To remove "group think" influences, the groups changed composition for each scenario.
"The scenarios bring to life how complex cyber security challenges are, and how our tried and tested understanding of the roles of policy makers, regulators, business and consumers are put to the test and found wanting in the face of specific cyber threats," said David Forman, manager of industry and policy for Macquarie Telecom Group, also a Game participant.
So what happened on Game day? What conclusions did the groups reach for our cyber future? The detailed answers will come in a report due out early next year from the National Security College and RAND Australia.
Participants were challenged and came up against some interesting but healthy clashes of perspectives. In a general sense, there was much focus on Australia's legal frameworks and law-enforcement capacity to tackle malicious cyber activity, as well as clarity of expectations and codification of acceptable behaviour domestically.
There was an agreed call for regular public communication on what organisations, including governments, are doing to improve cyber defences and secure our economy. There was also reconfirmation that context is everything – engaging internationally on complex and highly interconnected issues around cyber security requires nuance and sensitivity.
Mr Forman also noted "If we are to plan appropriately to manage risk, and to respond effectively when the inevitable problems hit us, we all need to know how the boundaries are changing and be able to work together in new ways. For Macquarie Government, working out how to work with our clients and partners in this environment is core business."
Greg Gale, Microsoft Australia's national security officer, referred to the impressive expertise, knowledge and calibre of those involved in the game when reflecting on the value of his participation.
"It was refreshing to be able to devote an entire day to solving complex problems whose solutions have the potential to positively impact the nation as a whole. The most significant take-away for me was the open and collaborative approach at the heart of the game and that we as senior leaders in cyber security now need to build greater collaboration in our daily work.
"That is why it is vital for industry, academia and government to come together to solve these problems. Whilst the scenarios were set in 2022, they are based on very real problems we face today and, frankly, if we are having these same discussions in 2022 we will have failed. I for one am determined to ensure that does not happen" said Mr Gale.
Michelle Price is senior adviser, cyber security for the National Security College at the Australian National University, on secondment from the Department of the Prime Minister and Cabinet. The 360° Cyber Game's report will be publicly available in early 2017.