The political debate over strong encryption, security, and civil liberties is "unavoidable" and "needs to be confronted", according to Dr Tobias Feakin, director of the International Cyber Policy Centre, and a senior analyst at the Australian Strategic Policy Institute (ASPI).
Feakin rejects the idea that security and civil liberties, or security and privacy, are at opposite ends of a linear spectrum, however.
"It's over-simplifying what is an incredibly complex debate ... I don't think it helps policy-making, or helps the public understand exactly what's going on," Feakin told the Australian Information Industry Association (AIIA) Navigating Privacy and Security Summit in Canberra on Tuesday.
"Security and liberty aren't polar opposites of one another ... The opposite of security is insecurity, and the opposite of liberty is control," he said. The combination of liberty and insecurity is the libertarian default. The combination of security and control is what he called the "securitiser default".
"Ideally, as a liberal democratic society, we're trying to find the security measures that land us in that top left-hand spot [in the diagram], the sweet spot, where we enhance our security in ways that accommodate our civil liberties," Feakin said.
"The bottom left quadrant is the place we don't want to be, which is really the natural home of authoritarian governments and dictatorships ... It should require extraordinary dangers for us to be seeping into that quadrant. Still, that's not to say that extraordinary dangers don't exist, and don't arise occasionally, within our society, which require us to impose certain measures outside of our usual comfort zone."
But emergency measures are only for emergencies, Feakin said.
"The real measure of a liberal democratic society is how quickly it can shake those new pro-active measures to face new threats, and allow it to return as quickly as possible back to that sweet-spot zone."
Telstra's chief information security officer Mike Burgess agreed that the imperatives of security and privacy are not mutually exclusive. He cited recent comments by Admiral Mike Rogers, director of the US National Security Agency (NSA), who said that "encryption is foundational to the future", and that agencies like the NSA need to meet both imperatives.
"I'd like to see more of our agency heads talking on this subject, but I understand perhaps why they don't," Burgess said.
Burgess wouldn't be drawn on the Apple vs FBI case, saying that was a matter for them and not for him or Telstra, but he did speak more generally.
"There is no doubt that encryption is a fundamental capability that is required in this cybersecurity challenge that we all face. No doubt whatsoever," he said.
"As a security professional, I'm fundamentally on the side of it is wrong, and not acceptable, to put backdoors in technology, because it will cause you a security issue ... It's actually the use of technology and connectivity that means that crime, espionage, protest, and let's face it, even mistakes, can happen at a pace, scale, and reach which is unprecedented."
Burgess stressed, however, that Telstra complies with the requirements of its telecommunications carrier license to provide access to law enforcement agencies when legally required to do so, in Australia and in every country in which it operates.
"I am fundamentally happy to live in a country such as ours where we have law enforcement capabilities that actually have the capabilities they need to do their job, because that is absolutely important, but they're used lawfully, with oversight," he said.
Feakin says that the tension in cases such as Apple vs FBI stems from differing priorities. Private-sector organisations want to preserve the privacy and security of individual customers and their data, while governments want to preserve the security of citizens and the national interest collectively.
Such tensions will need to be addressed in the forthcoming cybersecurity review, originally planned to be released in late 2015, but rescheduled following close interest by the new Prime Minister Malcolm Turnbull. Feakin said we can expect to see three key features in the review:
- A focus on advanced threat information sharing between government and the private sector, to enable faster responses to threats.
- More private-sector links to academia to help meet the "increasing skills gap" for information security specialists.
- The promotion of Australia as a "cyber innovator", illustrated by the December 2015 announcement of AU$30 million funding for a Cyber Security Growth Centre.
Feakin put the current shortage of infosec professionals at 1.5 million unfilled positions globally. That's well up on estimates of the planet being 1 million infosec professionals short by 2020, as cited by Cisco chief information security officer John Stewart in January 2014.
We're already seeing links being forged with universities, such as the collaborations between the University of New South Wales and Commonwealth Bank, and between Western Sydney University and Macquarie Telecom.
"There's much to be positive about, and we're looking forward to all of these things bearing fruit, and positioning Australia for a positive future," Feakin said.
If Australia gets cyber innovation right, then it can capitalise on the rapidly-growing market for cybersecurity products, services, and training. Every new disruptive online business model will need to address cybersecurity issues.
The scale of the potential market was indicated by R Chandrashekhar, president of India's National Association of Software and Services Companies (NASSCOM). India's public cloud market is predicted to grow from $0.8 billion today to $7.4 billion in 2020, he told the conference.
By 2025, India's cybersecurity market will be $35 billion -- compared with today's global cybersecurity market of around $70 billion -- and the country will have a projected 1 million infosec employees.
"The investment equation on the surface just seems terribly straightforward," Feakin said. One continuing issue, however, will be building trust between the public and private sectors -- and that takes time.
"The UK's Cyber-security Information Sharing Partnership (CiSP) is the result of nigh-on 10 years of conversations and trust-building, and at times very difficult relationships," Feakin said. Now, around 1,700 organisations are actively participating in that network.
The French system for information-sharing in relation to critical infrastructure protection took "well over two years of discussions".
Feakin said that while the national discussion about cybersecurity needs to be about finding that sweet spot combining security with civil liberties, it won't be easy.
"It does involve a lot of debate, and an incredible amount of hard work in that conversation, to make sure you can be hitting that spot as frequently as possible, especially since security and transparency aren't exactly easy bedfellows at times," Feakin said.
"I think we are getting to a spot ... where there is a broad cross-section of policy-makers and, dare I say, a number of politicians who are a bit more cognisant," Feakin said.
"To be fair, even if they're aware that it's an important issue they need to be dealing with, I think at this stage I can accept that, because that in itself is a leap forward from where we were perhaps five or six years ago... What we do have now is a prime minister in Australia who is far more aware of what that language means, and actually dealing with it from a business point of view as well as a public point of view," he said.
"There's a lot of anticipation about what he might have to say on this issue when the review arrives."
Disclosure: Stilgherrian travelled to Canberra as a guest of the Australian Internet Industry Association.