360° Cyber Security Game
The poster child for the green energy revolution is in ruins: its executives say they have hard evidence that China's People's Liberation Army stole its breakthrough technology before it could commercialise it. So now the company plans to hack back.
The Prime Minister needed response options, so the head of state asked The Register – along with about 50 other folks from government, the military, defence contractors, the diplomatic corps, academia and the security industry – for ideas.
Sadly it wasn't the real PM who did the asking: the scenario above was one of two at a “360° Cyber Security Game” to which The Register was invited last week.
Convened by RAND Corporation and the National Security College at The Australian National University, the event took place under Chatham House rules. That means I can characterise the participants without writing anything that would allow them to be identified.
I can tell you more about the game and the scenarios, the second of which dropped players into the year 2022 at a time when several companies have demanded government action after their IP suddenly and mysteriously turns up in the hands of offshore rivals.
Talk of offensive online action is rife, but the government's recent assent to a multi-lateral agreement to uphold civil behaviour online and internet freedom at home makes that a difficult response to consider.
A national conversation on how government should defend the nation's industries from online attack while meeting international obligations is therefore in full swing. As is consideration of whether industries like insurance can perform their usual shock-absorbing role.
To address the scenario, the game assigned players to six small groups tasked with looking at the problem from one of the following six perspectives:
- Imposing costs
- Denying benefits
- Cultural values
- Economic vitality
- User benefits
- Technology innovation
The six perspectives gave the game its name: in theory we looked at the problem from every angle.
Over 90 minutes each group had to identify the root cause of the problems and propose policy the nation's government can use to respond to the crisis. Those policies were assessed by people who currently offer advice to Australia's government at very high levels.
The long ARM of the state
For the scenario above, yours truly was on the Technology Innovation team.
That name was a misnomer because we weren't being asked to propose a technical fix: our challenge was instead to devise innovation-provoking policy to respond to the environment. The response we developed was therefore one drawing on the technology industry's methods of using intellectual property to create profit without the kind of vertical integration the hypothetical green energy company proposed. The group discussed ARM's success licensing silicon IP and dominating the mobile market, versus Intel being vertically integrated and failing. From that example came the idea that the green energy company, and the nation, would probably do better with a policy of commercialising IP through licensing and other commercial collaborations.
The thinking was that if China, or whoever hacked the company, could see an easier route to profit than espionage, why would they not pursue it? And if an economy geared to collaboration accelerated innovation, wouldn't the nation be better off? Economic policy as a shield against trans-border and state-sponsored therefore became our position.
But that stance was deemed too focussed on defence by the senior advisors who oversaw the game and team members who work in roles that see them advise Cabinet or work in security agencies. All said Cabinet would also want offensive responses.
Cue a long debate about hack back, deniability, imperfect attribution of attackers complicating decision-making and the state of the nation's online arsenal. That debate concluded that hack back cannot be countenanced, by private entities or states. The risks of hacking the wrong target are just too high and the risks of counter-strike potentially catastrophic.
Players with policy and political science experience decided that pointed and pedantic enforcement of trade regulations and bilateral agreements would send a message that conventional instruments can mess with a state's economy as effectively as a cyber-raid. Australia would stay on the right side of its obligations to keep the internet open. China would, hopefully, get the point and before long the licensing-centric Australian economy would inoculate itself against future raids.