‘What are our options?’ Prime Minister asks The Reg
360° Cyber Security Game The poster child for the green energy revolution is in ruins: its executives say they have hard evidence that China’s People’s Liberation Army stole its breakthrough technology before it could commercialise it.
So now the company plans to hack back.
The Prime Minister needed response options, so the head of state asked The Register – along with about 50 other folks from government, the military, defence contractors, the diplomatic corps, academia and the security industry – for ideas.
Sadly it wasn’t the real PM who did the asking: the scenario above was one of two at a “360° Cyber Security Game” to which The Register was invited last week.
Convened by RAND Corporation and the National Security College at The Australian National University, the event took place under Chatham House rules.
That means I can characterise the participants without writing anything that would allow them to be identified.
I can tell you more about the game and the scenarios, the second of which dropped players into the year 2022 at a time when several companies have demanded government action after their IP suddenly and mysteriously turn up in the hands of offshore rivals.
Talk of offensive online action is rife, but the government’s recent assent to a multi-lateral agreement to uphold civil behaviour online and internet freedom at home makes that a difficult response to consider.
A national conversation on how government should defend the nation’s industries from online attack while meeting international obligations is therefore in full swing.
As is consideration of whether industries like insurance can perform their usual shock-absorbing role.
To address the scenario, the game assigned players into six small groups tasked with looking at the problem from one of the following six perspectives:
The six perspectives gave the game its name: in theory we looked at the problem from every angle.
Over 90 minutes each group had to identify the root cause of the problems and propose policy the nation’s government can use to respond to the crisis.
Those policies were assessed by people who currently offer advice to Australia’s government at very high levels.
The long ARM of the state
For the scenario above, yours truly was on the Technology Innovation team.
That name was a misnomer because we weren’t being asked to propose a technical fix, with innovation-provoking policy to respond to the environment instead our challenge.
The response we developed was therefore one drawing on the technology industry’s methods of using intellectual property to create profit without the kind of vertical integration the hypothetical green energy company proposed.
The group discussed ARM’s success licensing silicon IP and dominating the mobile market, versus Intel being vertically integrated and failing.
From that example came the idea that the green energy company, and the nation, would probably do better with a policy of commercialising IP through licensing and other commercial collaborations.
The thinking was that if China, or whoever hacked the company, could see an easier route to profit than espionage, why would they not pursue it? And if an economy geared to collaboration accelerated innovation, wouldn’t the nation be better off? Economic policy as a shield against trans-border and state-sponsored therefore became our position.
But that stance was deemed too focussed on defense by the senior advisors who oversaw the game and team members who work in roles that see them advise Cabinet or work in security agencies.
All said Cabinet would also want offensive responses.
Cue a long debate about hack back, deniability, imperfect attribution of attackers complicating decision-making and the state of the nation’s online arsenal.
That debate concluded that hack back cannot be countenanced, by private entities or states.
The risks of hacking the wrong target are just too high and the risks of counter-strike potentially catastrophic.
Players with policy and political science experience decided that pointed and pedantic enforcement of trade regulations and bilateral agreements would send a message that conventional instruments can mess with a state’s economy as effectively as a cyber-raid.
Australia would stay on the right side of its obligations to keep the internet open.
China would, hopefully, get the point and before long the licensing-centric Australian economy would inoculate itself against future raids.
Scenario 2: The Internet of Rogues kill confidence
Earlier in the day, the game offered a scenario in which several hacks on the internet of things had led to real-world consequences, including civilian deaths, that had undermined public confidence in all online services.
In that scenario I was assigned to the Denial of Benefits team and we got to work on a plan that would make vendors think twice before releasing insecure-by-design products to market.
The group’s thinking here was that criminals are harder to deter and that going after the source of the resources criminals exploit would eventually have the effect of making it harder to make a living as a criminal hacker.
To encourage vendors to do the right thing, we envisaged a security rating label to be applied to internet-capable products, plus a consumer education scheme so that shoppers understood that a one-star gadget was not a sensible purchase.
We hoped vendors would strive for five-star ratings, but also suggested a legislative stick for those who fail to deliver.
Fines, import bans and more were on our menu.
Those ideas dovetailed with most of the other teams, although one suggested internet service providers and telcos be compelled to monitor all internet traffic for malware fingerprints.
That didn’t go down well.
Cool heads, established instruments
I went into the day expecting some participants would offer StartupLand-grade “Blockchain will solve it” chatter.
I’m pleased to report the two groups I participated in approached the scenarios with far greater depth.
It was also pleasing to hear that conventional policy responses are held to be adaptable enough to address threats like those posed in the two scenarios we played.
Less encouraging was lack of specific knowledge among many participants: at one point I found myself having to explain how the Android patches can take months or years – if ever – to reach handsets. Once participants realised that even Google hasn’t gone out of its way to create a secure ecosystem, brows furrowed as the security problem took on more dimensions.
RAND has conducted the game on the East and West coasts of the United States. Reports on those two games, plus the Australian edition, will soon be made available.
I’ll make sure we bring them to your attention.
A final observation: If you get a chance to this kind of game, jump at the chance for two reasons.
Firstly, you’ll have a very stimulating few hours.
Secondly, my experience at this game led me to believe that the challenges of online security just can’t be solved by one group in isolation. You owe it to all of us to share your expertise. ®
‘What are our options?’ Prime Minister asks The Reg