Lowy Institute

The internet is now so central to the world economy (McKinsey estimates it contributed US$2.8 trillion to world GDP in 2014) we forget how weak the norms are governing behaviour online. In several areas these behaviours threaten to degrade and limit the internet’s future contribution to global growth.

Happily the G20 has recently begun to weigh in. In 2013, the word ‘digital’ first entered a G20 Leaders’ communiqué (in relation to taxation) and in 2015 its communiqué referenced a wider range of digital issues.

The G20 now has the opportunity to build on some of the progress made in 2015 and expand its engagement into new areas. In the most recent Lowy Monitor, I propose three issues it could usefully grapple with.

Read More

1. Commercial cyberespionage

State-led, or backed, commercial cyberespionage is imposing huge losses on business (a US Commission estimated US losses at US$300 billion annually) and threatens to lead to retaliatory sanctions or other disruptive measures such as the authorisation of offensive counter-attacks by the private sector.

In September 2015, China just managed to stave off US sanctions when a presidential-level agreement was reached to cease the practice. The G20 extended coverage of this bilateral deal to all its members when it endorsed the same prohibition against commercial cyberespionage in its 2015 communiqué.

Now that the norm against commercial cyberespionage has been agreed, the challenge for the international community is bringing state practice into line. It is here the G20 could fill a gap, encouraging compliance and maintaining political momentum for advancing the agenda. Although the G20 is not a naming and shaming venue, the Business 20 could report on overall levels of state-led, or backed, attacks with G20 Leaders responding to this in their communiqué. Leaders could also encourage a global body, such as the OECD, to provide regular reporting on state-backed, or led, commercial cyberespionage.

2. Peacetime state cyberattacks

State-led, or backed, cyberattacks during peacetime are also a potent challenge. They can impose huge costs on business and are a threat to civilian life.

Examples are numerous. For the G20, three developments make consolidation of this norm a recipe for chaos and a threat to the global economy. First, the threshold for acquiring offensive cyber capabilities is now so low, most states of a reasonable size can build them and strike back. Second, the growth of the ‘internet of things’ expands an already enormous range of targets. Finally, as the defence of government and critical infrastructure targets are improved, businesses and civilian institutions become the more attractive soft targets imposing large costs on businesses and civil society.

All G20 states have an interest in winding back this norm. I make a number of suggestions the G20 could consider, including measures to limit the operational freedom of the most egregious global offenders such as North Korea, endorsing various confidence-building measures (CBMs) and, more ambitiously, suggesting members implement domestic arrangements that allow them to sanction individuals or organisations that conduct or support cyberattacks as the US did after being caught unprepared in the wake of the North Korean attacks on Sony.

3. Free flow of data

Restrictions on data flows are another emerging impediment. They increase the cost of doing business, distort markets, and create inefficiencies.

Many states, including several G20 members, have begun to erect impediments to the free flow of data across borders. Data protectionism can take different forms including requirements that certain data categories (such as that relating to national security or healthcare) be stored and processed domestically or by imposing conditions on the cross-border transfer of personal data. For example, two Canadian provinces mandate that personal information held by public institutions be stored and accessed only in Canada.

This is justified using a range of reasons most of which are spurious, however, the consequences of this trend have far-reaching economic effects. Every business with an online presence is potentially affected, for example via increased data storage and processing costs, with multinationals most affected.

While several G20 members engage in data protectionism, limiting scope for wholesale reform, there are a few steps that the G20 could take to help wind back the trend. At an overarching level, the G20 should state a commitment to the free flow of data. To prevent every state developing unique flow-inhibiting standards that apply to its nationals’ personal data, the G20 could also endorse efforts to raise privacy protections to a global standard and extend mutual recognition of laws that reach this standard to achieve interoperability. To ease frictions arising from delays in processing legitimate government requests for data stored abroad (such as in criminal investigations), the G20 could explore options for improved sharing of information among authorities in G20 countries. This could include encouraging members to review domestic processes for handling requests from abroad with a view to improving responsiveness.

Photo courtesy of Flickr user Marcus Schwan


'[update wording against latest status at time of publishing'. This typo in Australia’s first Cyber Security Strategy since 2009 is not only a pointer to a hurried release. It spoke to the fact this is very much an iterative work in progress. There’s good stuff in the strategy, but a lot will come down to the implementation.

In my earlier post I argued the yardstick of the strategy’s success would be whether it can stand up the structures necessary to manage reaction to the impending tech revolutions.

The verdict after release? Solid progress. Getting to where we need to be is probably a step function, and this strategy gets us closer. It raises the profile of the issue to the top of government with the prime minister to host annual cyber security meetings with leaders from business and the research community. That should allow the government to pivot and beef up its approach as the impact of the next wave of tech revolutions become apparent. The strategy proposes the appointment of a minister assisting the prime minister on cyber security, (hopefully) paving the way for a minister for cyber affairs further down the track who would be able to drive a whole-of-government approach to the full spectrum of cyber issues (not just security). Internationally, it proposes the appointment of a much-needed cyber ambassador to engage on neglected issues critical to Australia’s economic and security future and, if the appointee is good, formulation of a cyber foreign policy.

At an operational level, moving the Australian Cyber Security Centre outside the strict confines of government has the potential to lead to stronger collaboration with business and the research community. Particularly appealing are proposals for a 'layered' approach to cyber threat sharing, with more sensitive information on threats being exchanged with business. Other proposals to harden business defences will depend on implementation. The idea of voluntary business health checks and awareness raising should help. But a heavier hand may be needed to get cyber issues pushed up to the board level and force laggard companies to act when they threaten others.

At a government level, there are solid efforts to strengthen defences, including 'a rolling programme of independent assessments of Government agencies’ implementation of the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions'. After the debacle at the Office of Personnel Management in the US, there is ample evidence this issue needs to be taken extremely seriously. And as the strategy admirably acknowledges, an audit of seven Australian government agencies found 'most fell well short'. 

At a policy level, the Strategy is fairly light on guidance, but there are some useful pointers scattered throughout. The prospective cyber ambassador is told we 'champion an open, free and secure internet'. There is also a clear warning to China in the Prime Minister’s foreword: 'states should not knowingly conduct or support cyber-enabled intellectual property theft for commercial advantage.'

 Proposals to sponsor research on the cost of cyber crime may sound squidgy until you read (on page 15) about the lack of baseline knowledge: the Strategy’s variations in estimates range from $1 billion to $17 billion.

The section on commercialisation got bogged down in bureaucratese in places: '[The Cyber Security Growth Centre] will provide the national mechanism for cross-sector collaboration and investment in nationally-significant cyber security infrastructure and frameworks that are not singly commercially-viable.' But as with much in this worthwhile strategy, a lot will depend on implementation and constant adjustment.

Photo: Gavin Roberts/Getty Images


Somewhat awkwardly, Australia's new cyber security strategy was leaked online Monday, pointing to the hard work ahead. The review will be Australia's first update since 2009.

Then Minister for Decence, John Faulkner, at the opening of the Cyber Security Operations Centre in Canberra, January 2010

The update is well overdue. There are gaping holes requiring attention, several of which appear to be covered in the strategy. However, early responses suggest the strategy will be more about catching up with better global practice rather than positioning Australia out towards the front. 

The pace of technology-driven change coming down the pipeline is so massive the most important yardstick of success for the strategy will be whether it can stand up the structures necessary to manage reaction to the impending tech revolutions: particularly artificial intelligence, autonomous vehicles, robotics and the internet of things.

As the US Director of National Intelligence noted to Congress in February:

'Technological innovation during the next few years will have an even more significant impact on our way of life. This innovation is central to our economic prosperity, but it will bring new security vulnerabilities. The Internet of Things will connect tens of billions of new physical devices that could be exploited. Artificial intelligence will enable computers to make autonomous decisions about data and physical systems – and potentially disrupt labor markets.'

In this regard, iTnews reports: 'the government intends to streamline its cyber security structures. At the moment, cyber capability and expertise exists in pieces across a myriad of agencies including the Department of Premier and Cabinet, the AGD, ASD and others.' 

That's tentatively promising, but still sounds a ways off a joined-up national strategy, that incorporates critical elements like agreements with China to stop stealing Australian IP and accelerating international rules on peacetime cyber attacks.

Read More

Next in importance will be funding to get the strategy on the ground. The US upped its cyber security spend by US$5 billion to US$19 billion for 2017. News on funding when the strategy is released will be worth watching.

Beyond these issues, the strategy 'outlines five key areas: strengthening cyber defences, education, partnerships, research and development, and awareness, containing a total of around 19 specific initiatives.' It also emphasises the heavy reliance on the private sector 'which the government will lean on to help deliver the majority of its points of action.'

The focus on defences and raising awareness is especially important given the risk of attacks on critical infrastructure (as the NSA recently noted) and the huge cost to the Australian economy from stolen IP. The specifics here will be important. At present business is highly exposed to cyber attacks. There are numerous examples of attacks destroying individual companies, but even here business is not always aware of the threat. In other cases, a business might not assess IP theft as a high risk to its continued ability to operate (a law firm, for example, where it's not possible to simply replicate the expertise and training of its employees or where knowledge of Australian law won't be of much value in a foreign country), but cyber theft can still pose big financial risks to the wider economy (for example by exposing the confidential dealings of the law firm's clients to foreign state owned entities competing against these clients). The government has a responsibility to both make business aware of the threat and to correct any market failures where businesses' failure to act poses a threat to the wider economy.

The initiative is a good one, and the provision for annual reviews provides the much-needed room to continually adapt. Next stop should be development of an international cyber strategy that allows for systematic prosecution of Australia's many cyber interests abroad. And perhaps appointment of our first Minister for Cyber Affairs.

Photo courtesy of Australian Defence Image Library.


Fergus Hanson is author of Internet Wars: The Struggle for Power in the 21st Century. This is the final installment in a series. Part 1 examined economic cyber espionage; part 2 cyber war; and part 3 citizen activism 

Internet mythology suggests the online world is the sort of free market paradise Adam Smith would have hyperventilated over. But what if the opposite were true: could the internet be prone towards monopoly or oligopoly?

To answer that question, let's start with historical precedent. In his classic book The Master Switch, Columbia University Professor Tim Wu traces the rise and fall of previous information empires and forensically details a common trait: their tendency towards monopoly.

Wu argues there are five reasons for this:

  • The network effects information industries create.
  •  The economies of scale they facilitate.
  • The power of integration.
  •  The ‘will to power’ that the heads of information industries exhibit.
  •  The nation state’s taste for monopoly.

All of these apply to the internet.

Read More

Facebook is useful because everyone already uses it. The cost to Google of having a new user conduct a search is close to nothing. An integrated hardware and software system, like Apple’s iPhone has helped create the most valuable company in history. I’ll leave the judgement on the CEOs personalities to others, but they certainly have some interesting views on the world. As for the state taste for monopoly, the PRISM program detailed in these NSA slides, suggest the value of concentrated ownership. No doubt China and Russia feel the same way about their own home grown platforms like Baidu and Yandex.

What about the practical realities though? It would be nearly impossible to list all the start-ups and companies operating online so how could a monopoly exist? Internet Wars doesn’t argue off all these businesses will be killed off. But it does appear that a few companies are rapidly securing monopoly or oligopoly control of key economic chokepoints, through which most companies will have to operate if they want to reach customers. For example, we see Facebook dominating social media, Apple and Google dominating mobile, Google dominating search, and Amazon becoming the world’s online department store.

The prevailing logic suggests the barriers to entry are so low that even these large players will soon be disrupted by the next big thing. But that ignores the characteristics of information industries identified by Wu. A critical one is size, which provides access to cash and means any potential rival can be bought. To this end there have been some eye-watering deals: Facebook’s US$1 billion for Instagram and US$19 billion for WhatsApp, Google’s US$1.65 billion for YouTube, Microsoft’s US$8.5 billion for Skype and Apple’s US$3 billion for Beats. This also applies to new industries: witness Google's spending spree, buying up the world’s top robotics firms and those at the forefront of the internet of things.

Well, assuming these companies are securing monopoly positions — so what? The most obvious impact will be on competition online. Explaining Amazon’s 'ridiculouslyhigh' price-to-earnings ratio, Peter Cohan observed in Forbes:

...investors have long believed that Amazon would use its low prices to wipe out competitors in many product categories. And having vanquished those competitors, Amazon would be in a position to reap the rewards of its huge market share – by raising its prices with impunity.

It will also affect dynamism. If all businesses eventually migrate their individual websites to Facebook, for example, the internet will be a much less vibrant place because everyone will have to conform to Facebook's rules.

It also affects basic rights. Now that one-fifth of the world uses Facebook, it plays an important gatekeeper role over the news we can and cannot see: a role for which it is poorly equipped.

The 2012 leak of Facebook’s censorship rules highlighted the odd moral code it was imposing on the world: breastfeeding images were banned, but crushed heads got the thumbs up.

The latest Pew survey shows nearly two thirds of Americans get news from Facebook, up from 47% in 2013, a finding that underlines its rapid development as an information gatekeeper.

It’s not hard to find other examples of internet giants exercising arbitrary control over our rights. Google and Facebook have both courted controversy by banning users from using pseudonyms.

In one high-profile example, Facebook deactivated the account of author Salman Rushdie and only reactivated it once it had changed his name from Salman (his middle name) to Ahmed (his first name). Rushdie tweeted Facebook’s founder, Mark Zuckerberg, with the message: ‘Morons. @MarkZuckerbergF? Are you listening?’ Eventually his original account was reinstated, but for many less prominent figures, the policy held. Facebook followed this up by going after drag queens using pseudonyms.

What does this mean for policy makers? For a start, there is a need to look seriously at options for maintaining competition online. This isn’t easy, but the Europeans have begun. We also need to consider the implications and obligations companies with global monopolies might have when it comes to issues like censorship: if a company like Facebook is where most people get their news, should it be able to apply a stricter censorship regime than that allowed in your country of origin?


Fergus Hanson is author of Internet Wars: The Struggle for Power in the 21st Century. Part 1 of this series looked at economic cyber espionage; part 2 at cyber war. The next and final part in this series examines economic chokepoints.

The internet has presented the masses with radical new ways to aggregate their voice in order to exert influence on decision makers. For the first time in history, we are able to do this on a regular basis, outside formal structures like trade unions and political parties.

What is remarkable about this transformation is the scale on which it is occurring. Several online citizen-aggregation sites  have memberships in the tens of millions. Change.org, the biggest, claims more than 100 million users. Others, like Avaaz  and Care2, have 42 million and 32 million respectively. To put these numbers into context, in the 2012 US presidential election, Barack Obama received a little under 66 million votes in his successful bid for re-election.

Unsurprisingly, these membership numbers mean big business. The for-profit sites (Change.org and Care2 are B-corporations) sell access to their membership. 

It also means great influence for the individuals leading the campaigning sites. They can exercise this by shaping which campaigns have the most prominence on a site, and allocating in-house resources to help the campaigns they like with editing of material, generating media and behind the scenes lobbying. A prominent example in Australia was the Stop the Super Trawler campaign run by GetUp!

Read More

When a Tasmanian woman, Rebecca Hubbard, started an online petition on the GetUp! community campaigning platform protesting the trawler's arrival, staff soon realised they had a winner. Hubbard started the campaign as 'Stop the Trawler Coalition', but GetUp! staff soon rebranded it to the significantly scarier sounding 'Stop the Super Trawler' (emphasis added), a loaded term that was quickly adopted by all media outlets. It then lobbied furiously for the cause.

There is a now a long list of examples where these organisations have exerted influence on corporations and politicians, but they are still undergoing considerable evolution.

Many of the large citizen aggregation sites rely almost exclusively on petitions. This is probably driven by commercial motivations to grow membership with a view to selling access to it. But petitions are limited in their ability to effect change, especially as politicians become desensitised to them. 

GetUp! is one group that has led considerable innovation beyond simple petitioning: crowd-sourcing funds, running successful high court challenges, stationing members at polling booths and hijacking corporate meetings. If the larger petition sites follow suit and more aggressively mobilise their memberships, their influence would grow considerably.

There is also a potential evolution underway in their politics. Most campaigning sites are openly progressive in orientation, but this is changing. In late 2012, Change.org controversially shifted its policy to allow advertising from non-progressively aligned groups. Conservative groups have also started to digitally mobilise, a prominent example being the Heritage Foundation in the US, which has a significant online presence.

Whatever their political leanings, the policy reality of this new force is messy.

The nature of online campaigning is not always conducive to good policy because the groups lack institutional policy-making expertise and often launch campaigns off the backs of crises, allowing little time to think through consequences.

Ironically, these people-power sites also face a question of legitimacy. Three hundred very vocal people with a clever campaign can sometimes drive change that the majority wouldn't necessarily support. The nature of the internet can also occasionally make it hard to distinguish between the views of local nationals and foreign citizens voicing their concerns from abroad. Finally, there is the question of the legitimacy of the heads of these organisations, who can be unelected business-people with outsized influence.

This is not the only way the internet is empowering citizens and disrupting global power dynamics. Internet Wars looks at three messy, but intriguing ways citizen power is reshaping the world.

Photo: Getty/Alex Bramwell.


Fergus Hanson is author of Internet Wars: The Struggle for Power in the 21st Century. This post is part of a series that will also examine citizen activism and control of economic chokepoints.

It was only mid-2009 when the US Secretary of Defense ordered the establishment of a dedicated Cyber Command. Now more than 100 countries have military and intelligence cyber warfare units. In the words of then-Chairman of the Joint Chiefs of Staff Martin Dempsey, cyber has become 'one of the most serious threats to national security'.

A key problem is the absence of well-accepted norms of behaviour spanning the use of cyber in conflicts. Even more concerning, there are a broad spectrum of scenarios in which cyber weapons can be used in peacetime.

Russia was first to synchronise cyber attacks with a military offensive when it invaded Georgia in 2008, and there is no doubt cyber will be integrated into future conflicts. Less clear are the appropriate limitations. International law suggests the use of force should be proportionate and limit civilian casualties. However, the internet makes civilian targets the easiest to strike and in many instances causalities are not immediate. For example, disabling an electricity grid during summer might lead to deaths through heat exhaustion. 

Also unclear is the appropriate response. If a cyber attack is deadly or enormously destructive, or if the attacked country has only a limited cyber-attack capability, is a conventional military response justified? The ease of launching disruptive cyber attacks also makes them tempting, low-cost ways for a third-party, perhaps an ally, to get involved by launching cyber counter-attacks.

The nature of cyber warfare also means attacks will not always come from states.

Read More

A well-organised diaspora population located in a third country could launch a cyber attack during a conflict. If this population was in a friendly state, a law enforcement response would seem likely, but if it was in an unfriendly state a range of other response options might be on the table depending on the severity of the attack. As US Director of National Intelligence James Clapper noted in his statement to the Senate Armed Services Committee in February, it can also be difficult to distinguish between state and non-state actors within the same country, further complicating a decision on the appropriate response.

State-backed efforts to agree to norms of behaviour have begun, but are still in their early stages. One wordily named forum is the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. This formation was established last year 'to study, with a view to promoting common understandings...including norms, rules or principles of responsible behaviour of States'. In June 2015 it offered recommendations. Many were sensible, such as the suggestion that 'A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure'. Unfortunately, the characterisation of some of the recommendations as 'norms' was more aspirational than founded in practice, considering they are being breached on a daily basis. 

James Clapper characterised cyber attacks as a 'growing reality' and noted: 'foreign actors are reconnoitring and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary's intent became hostile'. Key threat actors named were Russia, China, Iran and North Korea, the latter two noted for having 'possibly more disruptive intent'.

Cyber attacks should now be expected during times of war. Of far more concern though is the emerging norm in favour of conducting cyber attacks during peacetime. In 2012, the UK's then-Minister of State for the Armed Forces, Nick Harvey, even made the case to the Shangri-La Dialogue that cyber attacks were 'quite a civilised option.'

Practice would suggest several states agree. In 2012, it was revealed the US had been targeting Iran's nuclear program with cyber attacks. It was the first time a cyber attack had turned hot, doing physical real-world damage. In retaliation, Iran launched a major attack in August 2012 on the world's largest energy company, Saudi Aramco. 

North Korea has also been active, attacking South Korean banks and broadcasters in March 2013. In November 2014, it struck again, targeting Sony's spoof movie, The Interview, about the assassination of the North Korean leader. The attackers used the threat of terrorism to persuade theatre chains in the US to pull out of screening the film. As President Obama said at the time: 'We cannot have a society in which some dictator someplace can start imposing censorship here in the United States. Because if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don't like, or news reports that they don't like.' 

These attacks didn't lead to any deaths, but that seems unlikely to last. Major attacks on critical infrastructure could easily result in casualties, making escalation to traditional military options more likely. Cyber attacks may have appeared to be a soft, civilised option when not everyone had them, but with over 100 states now having military and intelligence cyber warfare units and cyber capabilities increasing, their more benign nature is unlikely to last or to escape the pitfalls of miscalculation and escalation.

As an advanced, open economy, Australia is vulnerable to cyber attack, including on critical infrastructure, as the first unclassified Australian Cyber Security Centre Threat Report made clear. There were 153 attacks reported last year on 'systems of national interest, critical infrastructure and government'. Australia has a strong interest in encouraging a much more robust global discussion that will agree on norms of behaviour and challenge the emerging norm in favour of using cyber weapons in times of peace.

Photo by Chip Somodevilla/Getty Images


Fergus Hanson is author of Internet Wars: The Struggle for Power in the 21st Century. This post on economic cyber espionage (parts of which were also included in an article for the Brookings Institution) is part of a series that will also examine citizen activism, control of economic chokepoints, and cyber warfare.

Prime Minister Malcolm Turnbull has said 'We have to recognise that the disruption that we see driven by technology...is our friend'. But if this friendship is to be maintained, we have to acknowledge major transformations are occurring that require urgent engagement.

A huge issue is economic cyber espionage, particularly the state-sponsored variety. This is what the then director of the NSA General Keith Alexander referred to when he spoke of 'the greatest transfer of wealth in history'.

After troubled previous attempts to reach agreement, last month presidents Obama and Xi announced 'neither the US or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property', and referred to significant progress in how the two countries will co-operate on law enforcement when perpetrators are identified.

But as President Obama hinted, the issue is far from resolved. Standing beside his Chinese counterpart he said 'the question now is, are words followed by actions'. Unfortunately, the most immediate test of the new agreement is also one of the most fraught.

In May 2014, the US Justice Department issued five arrest warrants for members of the Chinese military who were alleged to have conducted cyber attacks against US companies . It's hard to imagine China is in a rush to hand them over, but surprisingly, the Washington Post has reported that 'The Chinese government has quietly arrested a handful of hackers at the urging of the US government...It is not clear if the hackers arrested were with the Chinese military, but they were accused of carrying out state-sponsored economic espionage.'

Despite these positive early signs, the agreement leaves many serious gaps.

Read More

Given the massive economic losses experienced by the US, the focus last month was naturally on the theft of intellectual property. However, there are other reasons for attacking a US company besides stealing its IP. In April, the Citizen Lab at the Munk School of Global Affairs released a report on a new offensive tool, 'the Great Canon', that China had developed and used against selected pages of GitHub, a code-sharing site. The targets included pages on the site that monitor Chinese online censorship, and others that publish a Chinese language version of the New York Times.

Political revenge is another motivator: last year Iranian hackers launched a large cyber attack on Las Vegas Sands casino in an apparent attempt to get back at its CEO and majority owner Sheldon Adelson for comments he'd made about Iran. There are also military rationales for hacking into certain companies, which could be activated in the event of a conflict or as a coercive measure.

The Iranian example also highlights how the bilateral nature of the China-US agreement excludes other significant perpetrators of IP theft. As US Director of National Intelligence James Clapper stated in his report to the Senate Armed Services Committee in February: 'several nations — including Iran and North Korea — have undertaken offensive cyber operations against private sector targets to support their economic and foreign policy objectives'. He also noted 'the Russian cyber threat is more severe than we had previously assessed'.

The threat to Australia is also real, especially if we are to meet the Prime Minister's ambitions of being 'a nation that is agile, that is innovative, that is creative.' The first unclassified Australian Cyber Security Centre Threat Report released in July described the threat as 'undeniable, unrelenting and continues to grow'. It stated:

In 2014, CERT (Computer Emergency Response Team) Australia responded to 11,073 cyber security incidents affecting Australian businesses, 153 of which involved systems of national interest, critical infrastructure and government.

As the report noted, this was very likely an underestimate, as CERT relies on voluntary reporting and many companies would be unaware they have been attacked. The report also noted the key role of governments in these economic attacks:

Foreign state-sponsored adversaries are targeting the networks of the Australian government (including state and territory), industry and individuals to source economic, foreign policy, defence and security information, and gain advantage over Australia.

There are two major issues here that Australia needs to address. The first is domestic. There is an urgent need to increase the cost and difficulty of stealing Australian IP, theft that erodes our economic competitiveness and ultimately our national security. There are many options available to government. A low risk option is to work with the private sector to ensure organisations are aware of the threat, and enforce cyber security standards. As the US Director of National Intelligence observed: 'China is an advanced cyber actor; however, Chinese hackers often use less sophisticated cyber tools to access targets. Improved cyber defences would require hackers to use more sophisticated skills and make China's economic espionage more costly and difficult to conduct'.

The second imperative is to develop norms of behaviour that counter the current permissive environment. As President Obama acknowledged in his press conference with Xi Jinping:

…because this is a global problem, and because, unlike some of the other areas of international cooperation, the rules in this area are not well developed, I think it's going to (be) very important for the United States and China, working with other nations and the United Nations...and the private sector, to start developing an architecture to govern behavior in cyberspace that is enforceable and clear.

The challenge will be finding the right forum to pursue what will likely be a long road to consensus. The UN route has the advantage of bringing all states to the table, but it also has many downsides. These include excluding critical actors, such as the internet governing bodies and major IT companies. The UN is also vulnerable to efforts by some states to reduce protections for human rights and free speech.

Another option might be the G20, which brings together key states, the private sector and civil society (through the B20 and C20). It operates more informally, which lends itself to an area like this where agreed norms of behaviour are desperately needed but formal agreement is unlikely for many years to come.

If Australia is to embrace technology-driven change, there is an urgent need for government to ensure Australian IP is protected from theft both by strengthening defences and ensuring Australia is front-and-centre in developing acceptable global norms.

Digital Disruption

When you look at the global response to the threat of ISIS, a glaring gap is the cyber domain.

The internet has been critical to the terrorist group's success. It allows it to communicate unfiltered to the rest of the world, for onward mass dissemination by the media. It helps the group radicalise and recruit fighters and financiers. It also allows recruits to organise and network in the field and maintain ties when they return to their countries of origin.

For these and other reasons, ISIS's command of cyberspace needs to be aggressively contested, as I argued in this recent paper.

Yet some counter-propaganda efforts have been shown to have questionable impact, and others risk making things worse. There are, however, multiple ways to combat ISIS online, including:

  • Structural disruption: current efforts to hinder ISIS communications online are rudimentary. Twitter began deactivating ISIS accounts in September last year, but as my Brookings colleague JM Berger recently showed, this hasn't worked because it failed to grasp how ISIS is using Twitter. A more informed approach would make it much harder for ISIS to communicate and recruit.
  • Targeted counter-propaganda: in a brilliant piece in The Atlantic, Graham Wood makes the case that the key to understanding ISIS is discerning its interpretation of Islam. This includes the revival of what ISIS calls '"the Prophetic methodology," which means following the prophecy and example of Muhammad, in punctilious detail.' It is readily apparent that ISIS's ideology is bankrupt, but the centrality of its archaic interpretation of Islam makes it even more important (and easier) to highlight its hypocrisy. The State Department has started, but there is scope for a much more targeted local response and to join up efforts.
  • Regional cooperation: Australia is not alone in needing to combat ISIS online. The State Department has already announced a partnership with the UAE to combat ISIS online and others are keen to join forces.

In June last year, TIME dubbed Australia 'the biggest per capita contributor of foreign jihadists to ISIS'. Given this, and the fact ISIS and its members continue to exploit the internet almost unchallenged, it makes sense for Australia to make a modest investment in an ICT offensive to complement other efforts. The Government's announcement of $18 million to do just this is right on point. It is critical that it be implemented effectively, that it draws on top tier technical and area expertise, and that it leverages existing resources, including the emerging efforts of other countries.

Photo courtesy of Flickr user U.S. Department of State.


The US Embassy in Pakistan has just cracked a diplomatic milestone, becoming the first mission in the world to pass 1 million fans on Facebook.

Its rise to top spot has been swift. The Embassy only decided to make social media a priority in late 2011. Following a request to Washington for technical assistance from a social media expert, Tim Receveur was sent to Islamabad, moving the page from 20,000 fans to more than 500,000 when he left in the summer of 2012.

Its closest competitors are also all majority Muslim states led by US Embassy Cairo, which has around 800,000 fans, Jakarta (just under 600,000), Dhaka (around 530,000) and the Consulate General in Lahore (383,000).

The success of the page has in some respects been against the odds. Its audience is young (half are 18-24 years of age) and 93% are located in Pakistan (Saudi Arabia and the US are the next largest audience locations). Yet in contrast with the anti-Americanism commonly associated with Pakistani views of the US, in an email interview for this post, Kellee Farmer, a press officer with the US Embassy in Islamabad, wrote: 'the main surprise is how active Pakistanis have been in sharing their stories and experiences on the site. We have thousands of young Pakistanis who sincerely seem to be interested in interacting with us.'

Technical hurdles have also been overcome. As Farmer noted: 'Our biggest surprise has been how fast social media has expanded across Pakistan despite massive and ongoing electricity shortages and limited information infrastructure, such as the lack of a 3G network.'

Read More

Getting to 1 million has involved a range of techniques. The Embassy attributes it to initially bringing in a social media specialist, targeted Facebook advertising and an emphasis on compelling photos. Regular postings and constant engagement were also important. As Kellee Farmer put it:

We post content at regular intervals, primarily in the evenings when our audience is online, and try to engage consistently on each one. Every post elicits questions or comments that can easily be addressed and, while we do not respond to polemics or vitriol, we try to answer all the questions that we can. We don’t remove comments critical of the US or its foreign policy.

So what's been the point behind building this capability? Farmer answers:

While social media has helped bridge the 'last three feet' with Pakistanis on a daily basis, it has also served as a major tool to engage face-to-face with other entities in Pakistan who are also trying to figure out how to best use social media to reach audiences. Our social media team actively reaches out to bloggers and prominent social media personalities in Pakistan as part of our media outreach. We have also conducted briefings and workshops for numerous entities within the Pakistani Government, non-governmental organizations, media organizations, students and political parties across the spectrum.

Social media allows us to reach out directly to – and engage in a dialogue with – young Pakistanis that we might not be able to reach through traditional media. It is one part of a wider public affairs strategy to reach the broadest number of Pakistanis that we can on all media platforms.  This site is a force multiplier in promoting directly to Pakistanis the value of the US-Pakistan relationship.

The US mission in Pakistan's Facebook page has a few lessons. First, with a good strategy and interesting content, a large audience can be built relatively quickly, even in apparently difficult operating environments. Second, with the top five US diplomatic Facebook pages in Muslim majority countries, there appears to be a concerted effort to strengthen ties with young populations in the Muslim world (these five sites account for 16% of the State Department's 20 million total Facebook fans). Finally, it shows the advantage of social media as a tool for communicating with large and young populations that have traditionally been beyond the reach of diplomatic posts.

This piece has been cross-posted on the Brookings Institution's UpFront blog.

Photo by Flickr user The Reboot.



So unfolded the abhorrent events on the Boston Police Twitter feed today. The feed – with its updates, instructions and attempts to crowd source — went out to the Police Department's 110,000 followers. Through Twitter's network effect, many, many more were able to see the Boston PD's messages (the tweet calling for video was re-tweeted over 3000 times).

Social media was used by a range of other services too, such as the Emergency and Medical Services, the City of Boston, and the Massachusetts Emergency Management Agency, reflecting the way social media has increasingly become integrated into government communication.

As has become typical for tragedies nowadays, non-government groups also quickly stepped in to help online, Google's Person Finder being but one example.

Read More

As Bill Braniff, Executive Director of the National Consortium for the Study of Terrorism and Response to Terrorism, put it: 'Authorities have recognized that one [of] the first places people go in events like this is to social media, to see what the crowd is saying about what to do next. And today authorities went to Twitter and directed them to traditional media environments where authorities can present a clear calm picture of what to do next.'

The communication value of social media can, however, rub up against security considerations. An early AP report claimed mobile coverage had been shut down to prevent detonation of other explosive devices (this later proved to be inaccurate). But this is increasingly a consideration for police forces in dealing with incidents like these. And it is a response that has already been used in protest situations: in August 2011, San Francisco's Bay Area Rapid Transport authority shut down cell phone coverage to prevent a protest; Prime Minister Cameron also considered it in response to the London riots.

Hopefully, the same tools will prove helpful in apprehending the perpetrators of this horrific crime.


I've spent the past week in Yangon, Myanmar. It's a country where you can almost see the change happening.

Take the headlines from The New Light of Myanmar ('The most reliable newspaper around you') on Monday 5 November: 'Denmark Opens Embassy in Yangon'; 'Norway Embassy established in Yangon'; 'President U Thein Sein holds talks with Finnish PM in Vientiane'; 'Myanmar, Luxembourg keen on economic cooperation'.

In other areas, too, change is evident. The cost of mobile phones is steadily falling from completely unaffordable for the average person to increasingly accessible (I bought a temporary SIM for about $20, while a permanent one costs around $250, down from over $3000). Business leaders talked of fatigue from meeting all the incoming foreign business delegations. In meetings with government, officials are impressively frank about all that still needs to be done. There are pictures of Aung San Suu Kyi everywhere, from taxis to cafés.

In the past year restrictions on importing new cars have been lifted, with predictable consequence for traffic. The Monday paper carried an article that made traffic sound like it is still a novelty: 'Traffic Rules Adherence in Yangon Questioned'. The article offered a range of speculative explanations, from speed to corruption.

Unsurprisingly, the changes are winning the Government praise abroad and at home. On the home front, there may also be a tendency towards overly favourable coverage of the Government*. Thursday's paper carried just two articles on the front page. The lead was 'President U Thein Sein Arrives Back in Nay Pyi Taw'. Nearly an entire column of the story was devoted to a list of all who had farewelled the President at Laos airport. The minor article, below the fold, was 'Obama Wins Re-election as US President'.

Photo by Flickr user avlxyz.

* This sentence added later for clarity.


Stop procrastinating and throw away the typewriters. That's the message from the Joint Standing Committee on Foreign Affairs, Defence and Trade's inquiry into Australia's overseas representation, which has just recommended DFAT establish an office of ediplomacy, modeled on that of the US State Department.

Having looked at DFAT's use of ediplomacy several times over the years, this time the Committee showed a little more frustration with the pace of modernisation.

After noting the Lowy Institute comment that DFAT's websites are 'among the worst websites hosted by any arm of the Federal government', the Committee went on to observe: 'DFAT agreed that some of the Lowy Institute's criticisms of their websites were justified.'

It went on to state:

The Committee notes DFAT’s advice that in the current budgetary situation improving its websites was less of a priority than increasing on-the-ground diplomatic representation. The Committee responds that it is not a competition between e-diplomacy and increasing on-the-ground representation.

It went on to recommend DFAT 'immediately refurbish Australian embassy websites'.

Read More

Although it recommended DFAT's 'funding be increased in the long term to a set percentage of gross domestic product', it simultaneously dismissed DFAT's argument for putting off innovation, noting:

The Committee is sympathetic with DFAT's view that it would put any additional funding into increasing Australia's diplomatic footprint rather than into an office of e-diplomacy. The Committee considers, however, that better engagement with e-diplomacy requires cultural change and is not necessarily resource intensive. It should not be a choice between extending Australia's diplomatic network and an office of e-diplomacy.

And while the Committee recommended the Department make better use of social media and take note of the importance of preparing for national brand-damaging incidents, it also took an appropriately broad view of ediplomacy:

E-diplomacy is commonly perceived as the use of social media to promote government messages overseas. The Committee, however, agrees with the Lowy Institute that e-diplomacy encompasses a far broader range of activities and raises the issue of the balance between DFAT controlling information as opposed to exchanging information.

It's a strong report, worth reading and worth taking action on.

Photo by Flickr user Foxtongue.


Fergus Hanson is a non-resident fellow at the Brookings Institution.

As with many new things, a lot of foreign ministries were initially skeptical of ediplomacy. What did 140 character messages and social media have to do with serious diplomacy?

There have now been more than enough social media infused international crises to silence those critics. When the tweets of an angry pastor in Florida can catalyse deadly riots around the world, a Weibo message by an assaulted Chinese student in Australia can threaten a massive export industry and an obscure NGO can reshape the global narrative on Uganda and the Lord's Resistance Army, foreign services need to adapt.

The diplomatic operating environment has changed. And one foreign ministry in particular is taking up the challenge with some intriguing innovations in ediplomacy: the US Department of State. In 2011-12, I was lucky enough to spend nine months in the US researching ediplomacy at Georgetown University and the Brookings Institution. That included time embedded in the Office of eDiplomacy at the US State Department where I conducted interviews with nearly 100 State Department officials. Today, Brookings has published the culmination of that research.

Read More

The underlying message of the paper is this: the point has now been reached where a foreign ministry will fail the national interest if it does not adapt to this new operating environment.

The paper zeroes in on the three areas at State where ediplomacy has so far attracted the most resources and greatest innovation. The first is public diplomacy.

Social media is opening up access to a traditionally difficult to reach diplomatic audiences: the general public and youth. State now communicates directly with over 16 million people on Facebook and Twitter, double the 8 million it was reaching at the end of January 2012. The paper identifies six different ways it is using this new capability.

The other two areas the paper covers – internet freedom and knowledge management – receive far less public attention, but are both striking examples of bureaucratic innovation.

The internet has rewritten traditional foreign policy issues such as taxation, privacy and intellectual property, but it has also created new foreign policy issues: among them internet freedom. State's policy in this area is gutsy. In one respect it is simply applying its offline support for basic human rights to the online world. But spending nearly $US100 million since 2008 on directly countering efforts by governments around the world to filter and censor the internet is not what many associate with orthodox diplomacy. Unsurprisingly, this policy has created some challenges, one of which is when close allies such as the UK pursue inimical policies.

Knowledge management is where State's innovation has attracted the most private sector interest. The State Department has essentially set up a research and development facility aimed at overcoming some of the most difficult informational challenges technology is throwing at large organisations the world over. So far, it has produced an intriguing suite of solutions.

The detail is in the paper: Baked in and Wired: ediplomacy at State. I hope you enjoy reading it.


Shannon Smith's post on Australian ediplomacy raises some excellent and often overlooked points on social media. There are also a few that I take a slightly different view on.

Most strikingly, his post points to the modernisation of Australia's government generally. Shannon provides a whole list of great digital initiatives from different arms of the Australian Government operating overseas. The notable absence (with the exception of the new Facebook page) was DFAT, although even that is changing and clearly the embassy in Jakarta gets it. AusAID could also have been added to the list. It has been working hard on the technology transition.

Shannon's last point is also critical: 'With only 22% of Indonesians accessing the internet, e-diplomacy is no solution in itself to the decline of Australia's broader public diplomacy capabilities — it is simply a necessary supplement.'

There seems to be a perception in some areas that social media is a replacement for public diplomacy, and a related view that just having a Facebook page or Twitter feed means you're all done and dusted, no strategy or work needed. Anyone who holds those views is likely to be very disappointed. Murrow's emphasis on the 'last three feet' is as relevant today as it was back in the pre-social media world. But I am afraid I don't share Shannon’s analysis of the US Embassy Facebook strategy or its utility.

Read More

Shannon seems to dismiss the US Embassy's 485,000 Facebook fans because they represent only 0.21% of the Indonesian population and because Indonesian celebrities have so many more fans. That is a bit simplistic to me. Because Kim Kardashian has a zillion more Twitter followers than Mitt Romney, does that mean it's a useless tool for him in his election campaign and he should stop using it? Or because The Australian newspaper reaches less than 2% of the total Australian population (according to Roy Morgan data) and people who buy it self-select, does that mean it has no influence?

Shannon also argues that 'social media can only do so much and reach so many. Social media only reaches the influential few, and reinforces their positive notions towards Australia.'

I'm a bit more uncertain about these claims. Social media can certainly help reach the influential, but it is also one of the best tools embassies have ever had to speak directly and daily to a wider audience. Social media certainly has its limits, but the reaction of governments around the world to the Arab uprisings, particularly the sharp ramp-up in filtering and monitoring of these tools, suggests they at least see them as powerful platforms.

And while not everyone uses social media, reach through these platforms is pretty staggering. There are now over 900 million active monthly users on Facebook. And while most of the world does not yet have smart phones, that is rapidly changing as costs decline.

What I assume Shannon means is that the audience for foreign ministry tweets is probably pretty small and will soon be saturated. That's entirely possible, but it remains a largely untested proposition. The State Department's Facebook and Twitter audience reach continues to grow as it modifies and grows its content. Australia might choose not to allocate resources to competing seriously in this space, but that doesn't mean the audiences aren't there to be reached.

But Shannon's wider point is the most important: these tools are only a supplement, not a replacement for diplomacy.

Photo by Flickr user veo_.


The 8th annual Lowy Institute Poll was released this morning. As usual, it covers a large number of foreign policy issues, but one fascinating set of findings dealt with the perennially controversial issue of migration.

There's been a stink over the granting of some 1700 skilled migrant visas for Gina Rinehart's Roy Hill iron ore project, but the Lowy Poll found that most Australians (62%) are in favour of the Government allowing in extra workers from foreign countries when there are shortages of workers in Australia and companies in Australia cannot find enough skilled workers.

The White Australia Policy is all but a distant memory. Presented with six hypothetical criteria for determining which migrants should be allowed to come to Australia to live, practical preferences prevailed. Work skills is the criterion most (65%) say is very important, followed by English language skills (60%), having similar values to Australians (57%) and education (47%). Just 15% say religion is very important and only 10% nominate race.

There are some intriguing generational differences. Australians 60 years or older are three times more likely than Australians 18 to 29 years old to say race is a very important criterion (15% compared with 5%). They are also twice as likely to say having similar values is a very important criterion (72% compared with 36%).

There are too many results to cover here, but here are a few of the most interesting:

Read More
  • Results relating to the US: we prefer Barack Obama to Mitt Romney to become the next US president, by 80% to 9%. Meanwhile, 74% are in favour of up to 2500 US soldiers being based in Darwin. Across a range of questions, younger Australians were slightly less supportive towards the US.
  • Australians believe it is important to be liked by our neighbours. Two-thirds (68%) say it is very important for Australia to be seen in a positive light by people from countries in our region, with another 26% saying it is somewhat important. 
  • 82% of Australians say they are in favour of the Australian Government funding broadcast services or other programs to communicate with people from countries in our region, with the aim of improving relations with those countries. 
  • Some Australians appear blasé about democracy. Just 60% of Australians say democracy is preferable to any other kind of government, and only 39% of 18 to 29 year olds.
  • One of our longest-running questions, on global warming, this year revealed a remarkable long-term shift in Australian opinion. Presented with three options for dealing with the issue, those favouring an intermediate response to global warming for the first time outnumber those favouring the most aggressive form of action. Put another way, since 2006 we've gone from a situation where two-thirds (68%) of Australians wanted the most aggressive form of action to a point today where just over a third (36%) of us do.

There's a lot more. You can read on here.