NATIONAL PRESS CLUB, CANBERRA
THURSDAY, 27 FEBRUARY 2020
Working in cyber security today can sometimes feel like being stationed in East Berlin during the Cold War.
In recent years, we’ve seen state sponsored hacking groups with exotic names like Cosy Bear, Sandworm and the Lazarus Group successfully hack multinational banks, presidential campaigns and power grids.
We’ve seen an ‘entity’ named Phineas Fisher hacking Cayman Island banks and then using the proceeds to set up a ‘Hacktivist bug hunting program’ – a bounty for public interest hacks targeting companies working in surveillance technology, mining and resources.
We’ve seen very well-resourced international crime syndicates mount a wave of ransomware attacks – hacks that seize control of an organisation’s IT systems until a bitcoin ransom is paid – against over 1000 schools, hospitals and local governments in the US causing worldwide losses of over a billion dollars in 2019 alone.
There’s a bit going on.
But I find that I spend most of my time in this portfolio pondering a less dramatic and more earnest question – the health of our democracy.
This is a new thing for someone of my generation.
My earliest political memory is the fall of the Berlin wall.
I was in Grade 2.
I can remember sitting cross-legged in a classroom while our teacher showed us a tape of a television news broadcast of people tearing down the wall.
I understood something important was going on, but I had no idea what it meant.
People of my generation – Gen Y – grew up in the most benign international security and economic environment in Australia’s history.
A generation of peace and growth.
A world in which US hegemony within a rules-based international order was the default.
A world in which the internet proliferated in accordance with the norms of Western societies and economies – open and free from centralised government control.
A world which prompted the political scientist Francis Fukuyama to famously declare the “end of history”.
After September 11 2001, our complacency was challenged by the growing threat of Islamic extremist terrorism in the West, but even this threat was a challenge to our physical security, not our democratic system.
Today, though, the liberal democratic model itself faces its biggest challenge in generations.
Since the Global Financial Crisis, democratic systems have faced a crisis of public confidence, and open economies have struggled to deliver the broad-based growth of the past.
Significant minorities across the West simply do not believe that democracy is delivering for them and as a result, trust in our democratic institutions is collapsing.
At the same time, in several nations around the world, an alternative model of ‘techno-authoritarianism’ has emerged in which new tools of mass surveillance and artificial intelligence are being used to build systems of social control.
These technology-enabled autocracies are often states founded on Marxist principles of information control, where censorship and propaganda have long been core priorities of government.
This isn’t like the Cold War.
These techno-authoritarian states are not trying to impose their system upon others.
However, we have seen some authoritarian states use their model of information control to pursue national objectives via the open internet of Western democracies.
For the first time in a generation, democracies are facing external threats to their sovereignty in the form of cyber-enabled disinformation campaigns and potentially, externally controlled censorship of widely used platforms for political communication.
Whether we can meet this challenge will depend on the resilience of our democratic institutions.
In this respect, we have a lot of work to do.
The most recent Australian Election Study from the Australian National University shows that faith in our political system has seriously deteriorated since the Global Financial Crisis.
Indeed, the study finds that just one in four Australians have any faith in their political leaders or institutions.
That just 59 per cent are satisfied with how democracy is working – a collapse of 27 per cent since 2007.
In Australia, faith in democracy is in free-fall.
Professor Ian McAllister, who led the study, said: “I’ve been studying elections for 40 years, and never have I seen such poor returns for public trust in and satisfaction with democratic institutions.”
Most disturbing are the findings of the Lowy Poll that less than two thirds of Australians believe that ‘democracy is preferable to any other kind of government’.
That one in five Australians – and one in three Australians aged under 30 – believe that ‘in some circumstances, a non-democratic government can be preferable’.
The causes of this loss of public trust and legitimacy are complex.
In my view, one reason is that politics has been unable to deliver on the things that really matter to people – like climate change, secure work and housing.
But it’s important to appreciate that it is not just our ‘political’ institutions that are weakened, we’ve seen a collapse in public trust in nearly every institution in our democracy.
The institution that has experienced the greatest change has been our media.
The proliferation of the internet has radically transformed the Australian media system.
According to the Australian Election Study, between the 1969 and 2019 elections, the proportion of Australians who followed the campaign via television news fell from 60 per cent to 22 per cent.
For newspapers the fall was even greater, from 55 per cent to 11 per cent.
The driver of this change in media consumption is obviously the internet.
The internet hasn’t merely changed the medium people use to consume media, it’s radically changed the entire media ecosystem.
At its most fundamental level, the internet collapses transaction costs.
Transaction costs are the costs of finding people with shared interests and then working out a way to communicate and trust them so you can work together.
Twenty years ago, if I wanted to buy a car, I might incur the transaction cost of buying a newspaper and then flicking through the classifieds section to find a seller before picking up the phone and making an offer.
The transaction costs of buyers and sellers trying to find each other underpinned the ‘rivers of gold’ that cross-subsidised an advertising funded, independent journalism for a century.
That business model is gone now.
Disintermediated by internet platforms like carsales.com and domain.com that allow buyers and sellers to find each other directly, and more efficiently.
In its place is a model in which media outlets try to stay afloat via subscriptions and targeted advertising.
The editorial incentives of this model are different.
Instead of seeking to appeal to a broad base of readers (and classifieds bargain hunters), media outlets increasingly seek to serve political tribes.
What drives clicks and subscriptions among these tribes are culture wars not public interest journalism.
The media still does incredibly valuable public interest journalism to be sure – but it’s not usually what makes them money.
In this respect, social media is even worse.
The collapse of transaction costs on social media platforms has allowed people to build communities of interest around every imaginable niche.
In an age of social media of course, it takes seconds to find a group of others who share your interests.
The problem is, these groups frequently comprise people who share and reinforce our biases.
The proliferation of Facebook groups and subreddits for ultra-niche interests in this new media environment might be mostly harmless, but groups for anti-vaxxers, white supremacists and Qanon cause real harm.
These problems are even more acute when these platforms enable targeted advertising to amplify messages to segments of our community that may be vulnerable to these messages.
All of this has left us with a ‘hackable’ media system.
A media system that can’t help itself from being hijacked by confected conflict and division.
This new media system is not serving our politics well.
Extremism and misinformation have flourished in this new environment.
A series of misinformation outbreaks – often about issues where the reliability of information is paramount – underlines the costs of this new environment.
This summer, we’ve seen misinformation and disinformation about the bushfires and the novel coronavirus – so much so, that the World Health Organisation has referred to it as an “infodemic”.
There’s been a lot of attention on how domestic populists have exploited this new environment around the world.
But it’s also been exploited by foreign actors seeking to subvert our sovereignty.
While democracies around the world have been ailing for a decade, we’ve also seen an alternative model emerging.
It’s been another rude awakening for the West.
Like Fukuyama, the tech-utopians who believed in the internet as a liberating technology have been badly shown up.
In the year 2000, US President Bill Clinton welcomed a trade deal with China by declaring that:
“In the new century, liberty will spread by cell phone and cable modem…
We know how much the Internet has changed America, and we are already an open society. Imagine how much it could change China.”
Clinton understood that this change would be resisted, but he was unconcerned, laughingly telling Chinese censors “good luck!” and declaring that attempts to regulate the internet were “sort of like trying to nail jello to the wall…
In the knowledge economy, economic innovation and political empowerment, whether anyone likes it or not, will inevitably go hand in hand.”
But that’s not what’s happened.
For decades now, states like Russia and later China have been arguing in multilateral forums that the internet ought to be governed according to the norms of ‘Cyber Sovereignty’, a vision of an internet that is centrally controlled by national governments which strictly manage information flows on it.
In recent times, they’ve effectively implemented it within their borders.
In the 1990s, an individual’s experience of the internet was similar regardless of where they logged on.
Today, it’s radically different depending on where you are using it.
In recent years, authoritarian governments have used data localisation requirements, VPN crack downs and coercive powers over internet platforms to effectively nail jello to the wall.
China imposes pervasive restrictions upon the online content its citizens can access and what they themselves are permitted to share.
Parallel ecosystems of websites and apps have evolved to comply with these restrictive rules and serve domestic markets.
Russia and Iran are both advanced in creating their own enclosed internet.
Both countries are developing the ability to effectively cut their citizens off from the global internet altogether, creating instead a claustrophobic eco-system of state-approved material while also making it much easier to monitor their citizens.
In a recent article in Foreign Affairs, three scholars shared their analysis of so-called digital dictatorships.
Not only did they find that autocracies are more likely to be strengthened rather than undermined by technology, but they also found that:
“Not only has the rising tide of technology seemingly benefited all dictatorships, but our own empirical analysis shows that those authoritarian regimes that rely more heavily on digital repression are among the most durable.”
Even more unexpectedly, not only has the internet failed at exporting freedom within authoritarian nations, in recent times it has begun exporting authoritarian propaganda and censorship into liberal democracies.
Foreign Interference and Disinformation
Cyber-enabled information operations and disinformation campaigns are now common in Western democracies.
According to research undertaken by the Australian Strategic Policy Institute, since the 2016 US Presidential Election 20 nations have experienced cyber-enabled foreign interference.
‘Co-ordinated inauthentic behaviour’, the tortuous neologism for distributed information operations on social media platforms, is now a jarring part of both the technology and foreign policy lexicons.
We’ve seen online information operations on issues as diverse as the Hong Kong protests, West Papua, and the alleged health impacts of 5G mobile networks in countries as diverse as Australia, Libya, France and the Central African Republic.
Sometimes there are specific objectives to these campaigns – discrediting an opponent, helping a candidate win an election or changing a government’s position.
Sometimes the objective is simply to inflame division, disrupting the ability of democratic systems to build consensus for action.
Regardless of their objective, the success or failure of these campaigns is dependent on the health of the democratic institutions of the target state.
The prevalence and scale of these campaigns is simply too much for any central government security agency alone.
If we imagine disinformation as a virus that can harmfully spread through a social body, then our immune system is the institutions that can quickly and credibly identify and counter it – a free media, civil society, and our parliaments.
The effectiveness of these institutions in this task is dependent upon the public’s trust in them.
In this way, ensuring the health of our democratic institutions is a national security imperative.
While in past national security debates some have seen a trade-off between individual liberties and national security, today they are indisputably intrinsically linked.
To understand the importance of public confidence in our democratic institutions in responding to disinformation campaigns, we only need to look at the far greater problems that authoritarian nations have with managing misinformation in their own information systems.
Without a free press and absent independent checks and balances on government, people in authoritarian nations know they can’t trust what their leaders and public authorities tell them.
In Russia, ubiquitous censorship and state propaganda have led to an information system in which, as Peter Pomerantsev, the Russian-born British journalist, has famously observed, ‘nothing is true and everything is possible’.
As a result, cults, faith healers, pyramid schemes and conspiracy theories are mainstream national preoccupations in Russia.
Extraordinarily, nearly six in ten Russians believe the Apollo moon landings were a hoax.
In China, government authorities and the state media compete with a constantly churning rumour mill as state pronouncements are second guessed and members of the public seek to triangulate the truth from as many sources of information as possible, no matter how dubious.
What this underlines is that our ability to respond to disinformation relies on public trust.
Technology won’t solve this for us.
Public trust in our institutions should be the comparative advantage of liberal democracy over authoritarian states in the new information environment.
Unfortunately, decades of complacency about the state of our democracy has left these institutions seriously weakened.
The absence of a serious alternative to democracy has allowed us to take our democracy for granted.
We’ve neglected it.
Renewing our democracy is a challenge for everyone in our democracy, regardless of ideology.
The Catholic conservative, G.K. Chesterton, recognised the conservative value in renewal, or re-freshening.
He wrote: “All conservatism is based upon the idea that if you leave things alone you leave them as they are. But you do not. If you leave a thing alone you leave it to a torrent of change.
If you leave a white post alone it will soon be a black post. If you particularly want it to be white you must be always painting it again.”
The white post of Australian democracy is rapidly turning black in the face of technological and social change.
Turning this around will require both advocacy and reform.
Our generation of political leaders face the same challenge that leaders like Curtin, JFK and Reagan did in the past – winning the hearts and minds of the public for the cause of democracy.
We need to ask ourselves how we want our democracy to work in the face of this technological change.
How do we think about the relationship between citizens, the state and internet platforms?
How can we grow and maintain the shared space, the mutual regard and the common interests that we need for our democracy to function?
Are our actions at home – the norms we follow and the laws we pass – consistent with the norms of a free, open and secure internet that we advocate for in international fora?
What do we need to do to restore public trust in our democratic institutions?
Senate Inquiry into Foreign Interference Via Social Media
An important forum in which these questions will be asked over the coming years is the Select Committee on Foreign Interference through Social Media chaired by Jenny McAllister.
This inquiry was established in December last year and is not due to report until May 2022.
The Committee will examine the use of social media to spread fake news, stoke civil divisions and undermine elections and will ultimately make recommendations about mitigating the risk of hostile actors exploiting social media to subvert our democracy.
Given the length of the inquiry, we expect that one of the most important roles of the Committee will be in educating the public, their political representatives and the media that cover us about these issues.
There are a few issues that I think are worth particular consideration in this inquiry.
Alex Stamos, the director of the Stanford Internet Observatory and former head of security of Facebook has recently called for the limitation of microtargeting of political advertising to extremely granular segments of the population on social media.
Think of literally tens of thousands of automatically iterating ads finely targeted to exploit the specific biases and vulnerabilities of small groups of people.
Stamos has pointed out not only how this is allowing political actors to be different things to different segments, but also how much harder this at-scale segmentation makes the task of calling out misinformation and lies.
Another issue that will attract attention in this inquiry is whether social media platforms owned by companies based in authoritarian states raise special concerns.
Should we be concerned about the potential for state directed political censorship within Australia on social media platforms owned by companies based in authoritarian states with very different values and approaches to managing the online information system?
Should we be concerned about the potential for data collection from these platforms, not just for intelligence collection, but for coercion and intimidation of Australians or even foreign influence campaigns?
It’s important that the Australian government is having an open and credible conversation with the Australian public about the new risks that we face.
Attribution of Cyber Attacks on Democratic Institutions
In this context we need to start getting serious about the way we talk about the integrity of our democratic institutions.
The need is particularly acute when it comes to cyber-attacks on these institutions.
Foreign interference through cyber enabled information operations is now a real and continuous threat for democratic institutions around the world.
In recent years we’ve seen cyber-attacks on the Bundestag, the Taiwan Parliament, the Ukrainian central election commission and our own federal parliament.
Attacks on the email and social media accounts of individual politicians and candidates are even more common – perhaps most famously, the breach and subsequent publication of Democratic National Committee emails during the 2016 US Presidential election.
Sometimes the motivation for these attacks is espionage, on other occasions the intent is to leverage the breach to interfere in democratic processes.
Maintaining public confidence in the integrity of our democratic institutions in this context is a real challenge.
Despite the overwhelming evidence of the 2016 US Presidential elections, subsequent information operations have led many to view allegations about the activities of ‘Russian hackers’ with cynicism.
This hasn’t been helped by the troubling pattern of political figures publicly attributing embarrassing social media activity to ‘hackers’, and then failing to cooperate with law enforcement investigations into the incidents.
The recent escapades of the ‘One Tweet Hacker’ are a case in point.
Australian politicians have recently been tormented by a hacker with the unusual MO of breaching their Twitter accounts then using this extraordinary access to merely favourite a single embarrassing tweet.
Scott Morrison, Christopher Pyne, Greg Hunt and Joe Hockey have all been recent victims, yet after their initial public claims, only Greg Hunt followed through with a formal referral to the AFP.
They found no evidence that Hunt’s account was hacked.
Cyber enabled disinformation campaigns rely on misdirection and deniability.
They thrive on public cynicism and mistrust.
Given this, it’s crucial that the public can have confidence in what they are told about cyber-attacks on our democratic institutions.
We need to set a much higher bar in the way we talk about cyber-attacks on our democratic institutions.
It’s why I recently wrote to the Speaker of the House of Representatives about comments made by Christopher Pyne about the extent of the attacks on the Parliament House IT systems in 2018.
It’s also why I believe Australia’s policy on the attribution of cyber-attacks should explicitly treat attacks on our democratic institutions as special and distinct.
Australia’s policy on the attribution of cyber-attacks is currently a classified document owned by DFAT and Home Affairs.
I don’t know what it says and nor does the Australian public.
So it’s hard to know what the government’s current approach to attribution is.
The Home Affairs Minister, Peter Dutton has variously said in interviews that the Australian government ‘will’ attribute cyber-attacks or that it ‘has the right to’ where this is ‘in the national interest’.
In practice, sometimes the government does make formal, on-the-record attribution statements.
Sometimes the government makes on-the-record statements that obliquely refer to the historical source of the tools used in the attack without making a formal attribution.
Most commonly though, attribution is seemingly made through off-the-record comments to the media from intelligence or government ‘sources’.
It’s hard to know what to make of these quasi-attributions from the outside.
Are they really the formal views of the government? Just of a few individuals? Rogue employees? The ambiguity is the point.
We don’t know how the government decides whether to make attributions or quasi-attributions. Who is involved? What considerations do they weigh up?
Who is the key audience for an attribution statement?
We often focus on the impact of attribution statements on perpetrators and the international community.
On the impact they have on deterring future bad behavior and in reinforcing norms of international law.
There are certainly some people who study this who think that more direct, formal attributions should be made in order to more clearly indicate to other countries where Australia considers ‘the line’ to be.
But the most important audience the government needs to speak to after an attack on our democratic institutions is the Australian public.
We need to establish a norm that governments will be up front with the Australian public about attacks on our democratic institutions.
There needs to be a presumption that when cyber attacks occur on our democratic institutions, the Australian government will, where possible, attribute responsibility for these attacks.
Given the stakes for our democracy, we cannot allow any room for cynicism or mistrust from the Australian public about attacks of this kind.
Finally, we need to get serious about renewing our democracy more broadly.
I was proud when the Labor Leader, Anthony Albanese, spoke about the need to renew our democracy in his third vision statement in December last year.
He described practical steps we need to take to restore public trust and ensure our democracy can deliver for the Australian public.
A national integrity commission – the urgent need for which has been compellingly reiterated by the recent sports rorts scandal.
Political donations and disclosure reform, including caps on campaign spending.
Defending a free press and the right to protest.
Backing the Your Right to Know Campaign and making it clear that journalists should not be raided by the police just for doing their job.
Properly funding our public broadcaster – one of the few institutions in our democracy that has been able to retain high levels of public trust during this period of change.
There’s an appalling contrast between how hard ABC staff have worked this summer to accurately cover the fires and provide communities with vital emergency broadcasts, and the government’s funding cuts and their ongoing campaign of denigration.
Finally, in the context of technological and media trends that are dividing us, we need to think about national projects that bring us together in a sense of common purpose.
Projects that give us the opportunity to deepen the inclusiveness of the Australian national identity like the Indigenous Voice to Parliament and an Australian republic.
We shouldn’t shy away from these reforms because some of them are currently politically contentious.
As Harvard historian Jill Lepore recently wrote, “It’s a paradox of democracy that the best way to defend it is to attack it, to ask more of it, by way of criticism, protest, and dissent.”
In this way, the great enemy in the fight to defend our democracy isn’t foreign hackers or social media platforms.
It’s the idea that we can’t expect any better of our democracy.
And that’s a battle we must win with ourselves.