Gaming policy in cyberspace

Exercise reveals policy gaps

Michelle Price
Igor Mikolic-Torreira

National security, Science and technology | Australia, Asia, East Asia, South Asia, Southeast Asia, The Pacific, The World

22 August 2017

Hacked devices and intellectual property theft are a rich hunting ground for policy development, write Michelle Price and Igor Mikolic-Torreira.

In December 2016, RAND Australia and the ANU National Security College partnered to facilitate a cybersecurity-focused exercise. This ‘cyber game’ used two separate scenarios set in the year 2022: navigating the security of Internet-connected devices without losing their societal benefits; and intellectual property theft against a backdrop of evolving international norms of behaviour in cyberspace.

In the first scenario, hackers extort businesses, government agencies, and community organisations by disabling or slowing Internet of Things-enabled devices (e.g. factory machinery, restaurant refrigerators) and hold them for ransom. These attacks eventually affect implanted medical pacemakers and cause the deaths of 12 elderly patients. A hack against a driverless car goes awry, causing it to veer onto a crowded sidewalk.

In the second scenario, hackers access a mining company’s internal systems, including contract data, bidding histories and all corporate communications; but this is only discovered when the company goes bankrupt after losing one bid after another. Meanwhile, an Australian green energy innovator reveals that the design for its next-generation solar panel, reputed to be the most advanced in the world, has been stolen. The firm has state-of-the-art cyber defences and has tracked the theft to a foreign government’s military cyber unit.

Citizens and companies are demanding action from the government. What should it do?


The challenge posed by Internet-connected devices is only getting worse as the number of online devices is projected to grow from about seven billion today to over 20 billion by 2020. The number of attempted attacks on such devices nearly doubled in the past year and shows no sign of abating. And Internet-connected devices are often the weak link that criminals exploit to get to their actual target: in one case criminals attempted to steal from a North American casino by compromising a fish tank connected to the internet.

Intellectual property theft causes significant losses. A study estimated that a theft can cost a small business AU$140,000. Larger organisations can suffer losses in the tens or even hundreds of millions of dollars. And there are other costs to consider: the information stolen can include the private information of customers, employees and partners, creating an additional liability.

Last week the outcomes of the exercise were released in a report launched by Dan Tehan, MP, Minister Assisting the Prime Minister for Cyber Security.

The report gives three overarching policy recommendations from the exercise to improve cybersecurity in Australia: create and enforce technology security standards, craft international agreements to address cybersecurity challenges, and improve risk awareness to keep users safe online.

There was broad consensus that the policy domain will continue to be challenged by the pace of technological change and by both the anticipated and unforeseen impacts of change on society. This highlights the need for continued public discourse on cyber policy development – and to reach widely across the economy and community to increase awareness and understanding of cyberspace.

The report says that future exercises of this nature could consider a range of areas, including how policy development should challenge assumptions about government roles, responsibilities and authorities. They could also incentivise a broader range of government and non-governmental stakeholders to participate in building and implementing cybersecurity solutions.

The report can and should be used as a tool for organisations to consider how to leverage gaming methodologies to develop and exercise their internal policies and cybersecurity. It also adds to the seriousness with which organisations – public and private, large and small – should be considering cyber risks. But it additionally emphasises the opportunities presented to them by investing in cybersecurity as an enabler to assure and grow customers and citizens.


The 360º Discovery Exercise employed gaming methodology developed by RAND and involved around 90 participants from Australia’s public and private sectors, academia and think-tanks, industry associations and the media. It was the first time a policy-focused cybersecurity exercise involving a cross-section of stakeholders had been held in Australia and the first time RAND’s gaming methodology had been applied outside the United States. The exercise provided specific insights for Australian cybersecurity policy – especially how to build on Australia’s current Cyber Security Strategy released by Prime Minister Turnbull in April 2016.

Interestingly, since the game was convened, variations of the scenario around internet-connected devices have played out in numerous ways in 2017. These include a technician who unwittingly introduced a computer virus into speed cameras used in Victoria and baby monitors that allowed strangers to view the video feed. International debates and efforts to embed norms of behaviour in cyberspace have also progressed, including most recently Australia and the United Kingdom reaffirming their commitment to work together on these areas of mutual pursuit.

When it comes to cybersecurity, the rules of the game are constantly changing – and we have many games left to play.
