This is the edited text of a talk delivered by Christopher Joye to the Centre for Independent Studies’ Consilium Conference on Friday. Joye sat on a panel with David Irvine, ASIO’s Director General, and Major General Stephen Day, who is Deputy Director of the Defence Signals Directorate.
Today I want to apply a financial economist’s approach to thinking about cyber risk and briefly reflect on the trade-off between national security and liberty. Before I do, I’d like to thank David and Stephen for participating—it is rare to get two of the top representatives from the Australian Security Intelligence Organisation and the Defence Signals Directorate to publicly engage in a forum like this.
I’d also like to pay to tribute to the circa 4000 Australians working alongside them inside ASIO and DSD. It requires a uniquely selfless character to commit oneself to a career safeguarding our national security knowing that you will never receive any public recognition or much financial reward for your efforts. While your failures get advertised, you will never be able to talk about your successes. It is sobering for lay observers like myself to consider these sacrifices.
INSURING AGAINST CYBER RISK
Folks in financial markets, who have spent so much time thinking about risk management and how to mitigate unlikely catastrophes since the GFC, are perhaps especially well equipped to understand cyber hazards, and the complex and frankly unknowable “probability distribution” that characterises them.
How does one define cyber risk? I would describe it as the potential for any individual, entity, or state to harness communications networks to conduct illegal activities, where illegality clearly has an internationally-contested meaning. What is acceptable in China or Russia may be frowned upon elsewhere.
The universe of cyber menaces encompasses criminals stealing personal data to conduct financial fraud; public and private organisations thieving confidential business information for commercial advantage (eg, in cross-border negotiations or insider trading); anarchists, discontents and terrorists that aspire to disrupt our way of life (the hacktivist group Anonymous temporarily disabled ASIO and DSD’s websites); and governments that wish to access other state’s secrets via espionage, or respond to mortal dangers using “kinetic” operations.
Unlike the frequency and severity of economic or natural disaster risks that can be empirically quantified and at least partially insured, cyber threats are unusually hard to measure for two reasons. First, our time-series data only begins in the mid 1990s with the advent of the Internet. Second, there is no mandatory reporting of these events in many nations like Australia.
There is also a fair chance that cyber risks are not constant in the way that some economists believe that financial market risks are usually “time-invariant”. It is reasonable to suppose that cyber threats are expanding rapidly in both time and space as a function of the speed with which we digitise our lives. Unless technological advance ceases, we may never be able to reduce cyber risks in an absolute sense – the challenge will be to slow the pace at which new risks materialise.
While there are some who believe that these perils are being exaggerated, I think it is more likely that we will be surprised by the regularity of cyber conflict and crime. Behavioural finance teaches us that humans underestimate economic risks after a period of relative stability. I suspect the absence of major power engagements since the Second World War combined with the societal view that technological innovation enhances our standard of living may have also made us unduly insensitive to threats delivered via the digital domain.
So just as the financial risk manager runs stress-tests using probability distributions that have “fat tails” (ie, with crises that occur more often than the past suggests), there is a case for the prudent policymaker to assume that cyber catastrophes can arise more frequently and with more devastating effects than a reasonable person might predict.
Vulnerabilities to digital threats may have also been amplified by the privatisation of critical infrastructure, like airports, roads, telcos, and electricity and power stations, since the 1980s.
A specific concern here is that the private sector may be underinvesting in the protection of these assets from nation-state adversaries in an attempt to rationally free-ride off public defence spending. This implies a banking-like “prudential supervisory” role for governments in respect of systematically important infrastructure. In short, we want to ensure that business takes out minimum levels of insurance – however that is defined – against the risk of cyber-induced failure.
If there ever was a “cold” cyber war, it appears to be quickly warming up. There are real conflicts taking place right now. What is known on the public record is that the Americans and Israelis used sophisticated malicious software, popularly called “Stuxnet”, to destroy up to 1,000 centrifuges spinning inside a nuclear facility in central Iran in around 2010.
The Iranians hit back with the “Shamoon” virus that eviscerated 30,000 computers inside Saudi Arabia’s national oil company, and distributed denial of service attacks that knocked-out the online payments systems of numerous US banks. Iranian and Venezuelan officials were also secretly filmed plotting cyber assaults on US nuclear facilities.
Earlier this year the North Koreans launched cyber offensives on South Korea that reportedly disrupted bank ATMs and TV stations. In response to the West’s support for the opposition in Syria’s civil war, the Syrian Electronic Army wiped $136 billion off the value of the US equity market by hacking the Associated Press’s twitter account and publishing a false news report about a White House bomb. The same group also penetrated The Financial Times website and twitter feed, which were then used to distribute pro-Bashir propaganda.
The concern is that the risks of international miscalculation are elevated because, in contrast to the Cold War, there are currently no agreed conflict resolution processes in place. As we saw when Stuxnet inadvertently spread from Iran to Germany, Indonesia and India, the worry is that a targeted and relatively modest cyber munition could trigger a chain-reaction of unanticipated events that leads to escalation.
SECURITY AND LIBERTY: INDIVISIBLE
I want to finish with some thoughts on the frictions between liberty and security in the context of Edward Snowden’s leaks of classified NSA intelligence. We have a national security apparatus to safeguard the freedoms we value most dearly – freedoms of expression, association, and enterprise – and, more generally, our democratic business model, from internal and external threats that would have us function otherwise.
Applying this logic, there need not be a conflict between national security and liberty and democracy: national security becomes a necessary condition for, and inseparable with, liberty in a world where state and non-state actors seek to interfere with us. This is presumably why Julian Assange advocates more, not less, Australian defence spending.
The policy question becomes how to ensure that national security agencies are subject to intrusive democratic oversight and accountability, and do not abuse their special powers.
In Australia, we have democratically elected ministers directly overseeing agencies, in addition to an Inspector General of Intelligence and Security, which has unlimited access to the agencies’ operations and information, akin to a rolling Royal Commission. We also have agencies regularly reporting to the House and Senate.
Of course, there will inevitably be mistakes and abuses. But this does not mean we have to throw the baby out with the bathwater. We do need to be vigilant to constantly reinforce governance and accountability, and to ensure the privacy concessions we individually make are justifiable in the context of preserving our broader freedoms.
AUSTRALIAN MORAL HAZARD
Allow me to close with a few macro thoughts. After over sixty years of comparative peace and prosperity, the international order is becoming much more fractured and combustible. Within our lifetimes the world’s two largest economies will likely be China and India. China, which has modernised its military at a consistently faster rate than experts expected, may start outspending America on defence. It is not inconceivable that by 2050 the world’s most powerful nation will be an assertive, non-democratic, and highly corrupt oligarchy.
Unsurprisingly, military tensions are reinvigorating in the historically conflict-prone Indo-Pacific. Worryingly, four of the most likely combatants in any major conflagration – China, Japan, South Korea and India – also happen to be four of Australia’s biggest trading partners.
Whereas the tyranny of distance shielded us in the world wars of the twentieth century, proximity could become a curse in the twenty first. Instead of taking out additional insurance against these contingencies, as the likes of Assange advocates, we have myopically elected to do the opposite.
Australia’s Labor government has made the heftiest cuts to defence spending since the Korean War. In what one hopes is just a coincidence, we have not committed as little to protecting the nation (as a share of GDP) since a year before the outbreak of the Second World War.
If you work for any length of time in business you get some raw exposures to the brutality of the human condition and the power of incentives. You quickly learn that talk is cheap. Business leaders place much more value on actions over words because they know that deeds carry more weight than dialogue, which is discounted.
Experienced negotiators understand that unless you have a credible alternative to the path proposed by your interlocutor, or ‘leverage’, you are going to end up with a poor bargain. Likewise, a good negotiator can home in on, and ruthlessly exploit, a party’s vulnerabilities to maximise gains – often with the other side not appreciating how much value they have conceded.
This is the essence of Australia’s problem today. In the absence of our alliance with America, we don’t have any military leverage, or credible deterrence, against the “nuclear-capable” nations to our north: China, India, North Korea, Japan, Pakistan and Iran.
While we all hope America will always be there to bail us out, there is an imaginable risk that she will either not be able to do so in the face of overwhelming opposition, or, more remotely again, may simply conclude that the human and financial costs of intervention are not worth the benefits.
Both these probabilities will be heightened if Australia continues to wantonly free-ride off US taxpayers by spending less than half the per capita resources they do on our defence. This is an imprudent and irrational long-term strategy.