What are Australia's policy options for responding to the internet threats of 2022? This question was explored in the 360° Cyber Game conducted jointly by RAND Corporation and the National Security College (NSC) at the Australian National University (ANU) in Canberra on Thursday.
RAND has conducted two of these games before, in Washington DC and in Silicon Valley, and has written up the methodology and results in the paper A Framework for Exploring Cybersecurity Policy Options.
The Canberra game worked the same way.
Around 60 participants from government, academia, and the private sector -- your writer was one of them -- explored two scenarios. First, we were divided into teams, each considering a scenario from a particular angle: how might our proposed policy responses increase the cost for attackers, for example, or how might they affect our cultural norms by infringing on civil rights and the like? Then we reconvened as one group to compare and integrate our proposals.
The game was held under the Chatham House Rule, so I can't reveal who the participants were, or who said what, but it was an impressive lineup.
While RAND plans to release a formal report in February, these are my initial observations. Note that the entire game was about policy responses, not technical responses.
The first scenario was about the Internet of Things (IoT).
"This scenario places you in a world in which malicious exploitation of the IoT is becoming too common and beginning to be socially and economically disruptive," the scenario notes read.
A vulnerability was found in a smart door lock used by a big real estate developer, giving burglars access to thousands of homes.
A woman's self-driving car diverted from its planned route, and she was unable to resume manual control. It ploughed into pedestrians, injuring 12 and killing one. It turned out the car had been hacked by her boyfriend, who thought that bringing her to him would make a novel marriage proposal.
"The public outcry over these malicious activities [and others that were detailed in the scenario] leads to an impending crisis that demands action. But what action?" asked RAND.
The consensus was that chasing the hackers was unlikely to be successful, at least in the short term, given the usual problems with attribution and jurisdiction. That said, there should still be diplomatic efforts to remove hacker-friendly havens.
It would be more effective to work with the players we could identify: the manufacturers, distributors, and retailers of IoT devices, and with consumers. Given the low cost and low profit margins of many IoT devices, any solution had to be easy and cheap.
As an initial response, we should leverage existing consumer law. We already have strong product recall processes for unsafe products, especially for electrical items and children's toys. This could quickly remove the most problematic devices from the market, giving time for the development of coherent cyber safety standards.
Crowdsourced security testing, along the lines of bug bounty programs, could also help identify problems quickly.
Participants noted that telcos can already identify most of the malicious traffic on their networks, but have no incentive to do anything about it. Monitoring networks and blocking certain traffic presents obvious civil liberties and privacy objections, so exploring that policy option would have to be handled carefully.
By 2022, IoT devices were likely to be smarter, with more processing power. Perhaps each device would be able to learn what constituted normal activity, and flag anomalies. Communicating with each other, they could develop something akin to an immune system. That, however, is a technical rather than a policy response, so it wasn't explored further.
On the policy side, the consensus was that we should hit the manufacturers and sellers, because they're the ones putting the insecure devices on the market.
The solution that emerged was a cyber safety rating system, the same kind of security star rating system proposed by Andrew Jamieson, the "Security Oompa Loompa" at safety science company UL.
The same problems were identified too, such as the difficulty of comparing the safety of different kinds of devices. Hacking a smart toaster doesn't have the same potential impact as hacking an insulin pump.
The Canberra game participants decided that devices rated under this system would be branded with the Cyber Kangaroo of approval. The Cyber Kangaroo regime would be phased in, first as a voluntary standard accompanied by a public education campaign, then as a compulsory rating for any device sold in Australia.
Insurance companies could also encourage consumers to buy Cyber Kangaroo-approved devices.
Participants decided that developing an international standard would be too slow. Australia should just do it.
Australia could also benefit from becoming an innovation centre for IoT security, including the rapid development and testing of secure IoT code.
RAND's previous cyber games had also identified standards and market forces as policy options likely to succeed.
"Participants saw a need for market forces to reward security and penalize insecurity. They identified a role for government in classifying products by degree of cybersecurity (assessed through certifications or performance standards). They also agreed that cybersecurity should be prioritized according to the impact of failure, with health and safety devices being the most critical targets for regulation," RAND wrote.
The second scenario was about intellectual property (IP) theft and corporate espionage, some of it state-sponsored.
The sale of an Australian mining company soured when its network was discovered to have been compromised for years.
An Australian solar technology company was concerned that it might lose a tender for a massive solar project in South America, because it believed its IP had found its way to China.
This scenario was tougher.
RAND's formal report may well identify clear themes, but from this participant's perspective there were no obvious answers.
It was clear that retaliatory action in the form of "hacking back" would be counter-productive. Not only would it be illegal, it could well trigger a tit-for-tat spiral of escalation.
Instead, Australia should continue to help develop peacetime norms for cyberspace, encouraging nations to sign on to these standards of behaviour.
Australia should then develop its processes for responding to breaches, which might range from sanctions against individual companies, through to sanctions against nations as a whole, to boycotts, or even to something more physical.
On the home front, organisations should be encouraged to report incidents of corporate espionage through a confidential no-fault process.
The idea that Australia would have passed mandatory data breach notification laws by 2022 was met with laughter, and in any event the current drafts of such legislation only cover the theft of personal data, not corporate secrets.
Directors of public companies should also be reminded of their responsibility to disclose any events that might affect the share value.
While the cyber game didn't come up with any magic solutions, it made two things clear. One, this is complicated. And two, we need to start developing solutions now.