17 November 2021





I acknowledge the Wurundjeri Woi Wurrung people as the traditional owners of the lands that I am joining you from today, and pay my respects to their elders, past, present and emerging.

It’s great to be back at another AISA Cyber Conference.

It’s been a massive year for everyone in infosec – here and around the world.

An epidemic of ransomware attacks against targets ranging from local small businesses to major critical infrastructure owners, a new wave of supply chain attacks targeting service providers and cyber security companies being mounted by APTs and criminal groups alike, as well as a series of incidents across the Middle East that’s seen petrol stations, train networks and ports shut down and prison surveillance networks popped.

There’s been a bit going on.

So a shout out to the incident responders, I know it’s been a slog out there in the trenches!

Given all this, it’s no wonder that infosec issues have hit the top of the agendas of meetings of international leaders this year.

In this context, I want to talk to you today about the evolving relationship between democracy, autocracy and technology policy we are seeing around the world – and what we should be doing about it here in Australia.

In his first press conference as US President, Joe Biden declared that the world is in the midst of “a battle between the utility of democracies in the 21st century and autocracies” and that the current generation of democratic leaders must “prove democracy works.”

This wasn’t just a throwaway line - the contest between democratic and autocratic values was a consistent theme of his campaign for the Presidency.

President Biden wasn’t talking about the kind of great power conflicts of the 20th century in which some states sought to impose an ideology or system of government on other nations.

Instead, he was talking about a contest between democrats and a new breed of autocrats – leaders and citizens alike – whose individual decisions are shaping the way societies around the world operate.

A contest that is as much within nations as between them.

A contest between a democratic model whose institutions and norms were largely developed in the 19th century, and a new model of authoritarianism utilising technologies developed in the 21st century to exercise control over their societies.

A contest between those who believe that democracies – while often messier and more frustrating – can still deliver the best opportunity for human flourishing in the long-term, and those turning to simpler, more immediate authoritarian responses to governing.

President Biden wants democrats around the world to be up for this contest and next month he will bring together the world’s democracies – including Australia - in a “Summit for Democracy” to “renew the spirit and shared purpose of the nations of the free world”, and to “strengthen our democratic institutions, honestly confront nations that are backsliding, and forge a common agenda”.

There is nowhere that a renewed agenda to strengthen democracy is needed more than in the way democratic governments around the world engage with the internet and technology policy.

The contest between democratic and authoritarian values is now utterly pervasive in the technology sector.

Where globally integrated technology supply chains and transnational social media platforms once brought people and organisations from around the world together, today these sites of cross border interaction are the front lines of a contest of values marked by decoupling and balkanisation.

We see this trend most clearly in autocratic states.

Over the past 20 years authoritarian nations have developed a coherent philosophy of state control over the internet – ‘internet sovereignty’ – and have been both implementing it domestically and expanding its influence within international internet governance forums.

While in 2000, President Clinton jokingly wished authoritarian nations ‘good luck’ in their attempts to control the internet and likened the exercise to ‘nailing jello to the wall’, over the past 20 years authoritarian nations have shown how state control of underlying infrastructure, data localisation requirements on over-the-top providers and aggressive promotion of domestic technology champions can effectively impose autocratic values on the technologies their people use.

Authoritarian states have leveraged state power throughout the technology stack to implement pervasive surveillance and information control strategies – a combination of censorship and propaganda - to entrench their power.

Take just a few examples from this year.

Russia has gone so far as to build its own national DNS and trial disconnecting ‘RUnet’ from the global internet altogether, routing all traffic solely through government-controlled infrastructure.

It also set about exercising total control over the services operating on this infrastructure by threatening specific local staff of Apple and Google with arrest if they did not remove a mobile app developed by jailed opposition leader Alexei Navalny from their app stores.

China’s recently released 14th five-year plan declared its intention to deepen state control over the data of private sector technology firms.

As a measure of the state’s seriousness in this exercise, in the first six months of this year a series of interventions by Chinese regulators wiped out more than $800 billion in market value from companies like Didi, Ant, Alibaba, Tencent, ByteDance and Baidu.

Most recently, the Cyberspace Administration of China has imposed a series of regulations on technology companies, requiring them to ‘promote socialist core values’ in ‘internet information service algorithm recommendation activities’.

In response to these interventions, Yahoo, LinkedIn and Epic Games became the latest US tech companies to exit the country.

As a result, while the underlying protocols of the internet remain interoperable around the world – for now - a series of parallel national technology ecosystems have been emerging.

While 20 years ago, the experience of using the internet in Sydney, St Petersburg, and Shanghai was broadly similar, over the last 20 years parallel internet infrastructures and app ecosystems have emerged around the world, each governed by the differing values of the nations within which the user resides. 

We shouldn’t exaggerate.

Some parts of the technology stack have so far proved too resource intensive to duplicate.

For example, we’re years of heavy investment away from new operating systems reaching a level of maturity needed to reliably and securely support a national technology ecosystem.

But the trend is clear: the digital global village is being divided and enclosed.

In barely a decade, we’ve moved a long way from what then Secretary of State Hillary Clinton once championed as the ideal of “one internet, one global community, and a common body of knowledge that benefits and unites us all” in a landmark 2010 speech on internet freedom.    

While it’s tempting to reach for a hackneyed metaphor at this point and declare that a silicon curtain has descended across the internet, the reality is complicated by a similar trend that has emerged within democratic states.

In parallel to the increasing exercise of state power over the internet in authoritarian countries, the vision of an internet free from government intervention and control championed by its early trailblazers in the United States has also reached the end of its useful life in democratic states.

John Perry Barlow’s 1991 “Declaration of the Independence of Cyberspace” famously declared to the “Governments of the Industrial World” that:

“You are not welcome among us. You have no sovereignty where we gather…. the global social space we are building (is) naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.”

But in the two decades since, it’s become increasingly clear that these cyberpunk, libertarian values don’t have much of a constituency in 21st century democratic nations.

We’ve seen a cyber space without democratic government and it’s a dark place.

No voting public will tolerate an online space where paedophiles, terrorists and Nazis are given free rein and ransomware crews are allowed to menace schools, hospitals and critical infrastructure with impunity.

Responding to these public sentiments, democratic governments around the world have increasingly sought to expand state powers in cyberspace in response to legitimate online threats like child abuse, terrorism, hate speech, foreign interference, cybersecurity and copyright infringement.

The trend has been gathering pace in the last 12 months.

Australia, the UK and Canada have all either passed or are debating the passage of online safety bills regulating harmful content online.

India’s new internet intermediary rules impose a range of content takedown obligations not only on social media platforms, but on ‘digital media’ more broadly including online news outlets and streaming services.

The application of these rules has been broad enough to trigger takedowns of tweets by opposition members critical of government leaders.

At the same time, we’ve also seen regional internet shutdowns and dozens of foreign mobile apps banned from the country in response to local conflicts.

Regulation of technology supply chains to exclude suppliers that represent security risks is becoming the norm.

Many of these interventions by democratic states to expand state powers over the internet will strike the majority of people living in democratic societies as unproblematic.

I certainly don’t regard myself as a friend of the major social media platforms and believe that governments need to intervene to protect both individuals and our democracy from their harmful effects.

What is concerning though is that while the libertarian vision of the early internet has now been universally rejected by democratic nations, nothing has emerged to replace it as a practical philosophical framework to guide the exercise of democratic sovereignty over the internet.

Yes, the diplomats of democratic nations who work on these issues will assert that their state supports a “Free and Open” internet or maybe a “Free, Open and Secure” internet.

But in practical terms, beyond interoperability of the underlying protocols of the internet, we are a long way from a consensus about what this actually means.

Many academics and multi-stakeholder NGOs have tried to articulate democratic principles for internet regulation, but many of the ways that democratic nations are expanding state power over the internet in recent times show that these principles haven’t gained broad traction.

A ‘free and open’ internet really is in the eye of the beholder at the moment, for both citizens and democratic governments alike.

To date, the principles underpinning a “Free and Open” internet have been discussed far more in international forums than they have been in domestic legislatures debating new internet regulations.

As a result, even some of the best-intentioned democratic governments around the world have been incrementally and unwittingly backsliding on the application of democratic values in technology policy, particularly in key areas of surveillance, encryption, law enforcement and content regulation.

Leaders in democratic nations with authoritarian tendencies have been backsliding even faster as companies that enable techno-authoritarian states have sought to export tools of state control to new markets.

So what’s the big picture here?

Over the past decade, authoritarian nations have been pursuing coordinated, well-resourced strategies to impose their values on technology and the internet, developing domestic technology champions to help them do so.

Meanwhile, democratic nations have engaged with these challenges on an ad-hoc basis at best and, in doing so, have lacked both ideological coherence and resource commitment.

It’s time democracies got in the game in the contest for the future of the internet.

This is a political and rhetorical contest.

To win it, political leaders and citizens alike need to be able to make the case for a coherent and rhetorically persuasive set of democratic values in technology policy.

We need to be able to clearly articulate how intervention and regulation of the internet by democratic governments should differ from the interventions of authoritarian nations.

We need to make it clear that democracies assert their values on the internet not through the absence of sovereign power over the internet, but through the constraints they impose on the use of state power over the internet.

That when democratic states exercise state power over the internet, they do so in a way that entrenches democratic norms of transparency, accountability, and the rule of law.

That instead of imposing solutions from on high, we draw on the strengths of our open societies and harness multi-stakeholder policy development processes and governance models.

Crucially, we need to show how an internet underpinned by democratic values isn’t just worthy, but also produces better outcomes than the authoritarian alternative.

That democratic values are better for growing economic prosperity, better for generating innovation and better for building a more secure technology ecosystem.

We’ve seen the beginnings of efforts to do this in recent times.

After its leaders’ summit in September of this year, the Quad countries – Australia, India, Japan and the United States of America - issued a statement of “Principles on technology design, development, governance and use” that asserts that “the ways in which technology is designed, developed, governed, and used should be shaped by our shared democratic values and respect for universal human rights”.

This is all well and good, but the statement doesn’t do much to articulate what these ‘shared democratic values’ are in the context of the internet, nor why they are better than the alternatives.

The statement does include a broad statement of support for a ‘multi-stakeholder approach’ that aligns with ‘universal values’ like ‘respect for freedom of expression and privacy’ and ‘autonomy, agency and dignity of individuals’ as well as a statement opposing ‘unfair discriminatory action’.

But a lot is left unsaid.

The statement asserts that “Technology should not be misused or abused for malicious activities such as authoritarian surveillance and oppression, for terrorist purposes, or to disseminate disinformation.”

But what is it that makes surveillance “authoritarian” in the eyes of the member states?

Similarly, the statement expects technology suppliers to be “transparent and accountable” but makes no commitment on the part of government interventions in technology governance.

I don’t mean to be overly harsh here.

This statement from Quad member states was an important step forward.

But we’ve got plenty more to do.

So it’s welcome that one of the early reported proposals for discussion at President Biden’s Summit for Democracy is the establishment of an “Alliance for the Future of the Internet” to:
 “develop and promote a new and better vision of an open, trusted, and secure internet that promotes core democratic values and respect for human rights.”

Media reports suggest the US will propose that members agree to develop a charter of “operational principles and commitments” over the coming two years and that in the short term, a core group of like-minded countries commit to a call to action on issues like data privacy, cooperation on tech platform regulation, interoperability, non-discrimination, data localisation and technical cooperation on cybersecurity standards and incident response. 

There’s lots to like in this idea.

Australia should be working closely and constructively with our allies to advance this agenda.

We have a real stake in the success of these efforts to forge a new vision for an open internet where state intervention embeds democratic values.

Australia has always thrived in a world of open societies and open economies and we’ve helped build this world in the past through creative diplomacy in vehicles like the Cairns Group.

Our national interest would be best served by a world in which as many other states as possible embrace an open internet underpinned by democratic values.   

So we can’t afford to be a recalcitrant in these future shaping discussions in the same way that we have been on climate change.

While there’s a lot that Australia could achieve with other like-minded nations at this summit, the most important contribution we could make to these efforts to push back against techno-authoritarianism is in our own backyard.

International efforts are all well and good, but democracy begins at home.

There are three areas that we have work to do in this respect – living our democratic values in our technology policy, building the resilience of our democratic institutions and investing in our domestic critical technology capabilities.

We should start by ensuring that our leaders and diplomats are not simply paying lip service to the importance of democratic values in internet and technology regulation and that the actions of our governments at home match our words in international fora.

Some members of the current government like to talk about the importance of teaching democratic values to our kids in school, but need remedial classes as legislators about their fundamental importance in the global contest with authoritarianism.

The Parliamentary Joint Committee on Intelligence and Security has been a model of democratic accountability in technology regulation in recent years.

Under the current government, the executive has proposed a series of necessary expansions of the powers of state agencies over the internet, and each time members of both major political parties have worked constructively together on a bipartisan basis to add in important accountability mechanisms and checks and balances on the exercise of these powers that were neglected by the government.

The executive should take the hint from recent PJCIS reports about the fundamental importance of these democratic accountability mechanisms as constraints on state power in the development of any future technology regulations.  

It should also listen to the consistent calls of Labor PJCIS members in reviews of bills like TOLA and SOCI that these new state powers be subject to independent authorisation and judicial review mechanisms.

The PJCIS’s own oversight role over the Australian intelligence community itself should similarly be expanded commensurate to the creation of these new state powers.

My colleague Senator McAllister has previously introduced a Private Senator’s Bill to implement the recommendations of the 2017 Independent Intelligence Review regarding the oversight of the Australian intelligence community, namely by expanding the PJCIS’s oversight role to all ten agencies within the National Intelligence Community, including the intelligence functions of AFP and Home Affairs.

Importantly, the Bill also creates an own-motion power for the PJCIS, empowering it to initiate its own inquiries into issues of concern.

These powers are particularly important as we’ve already seen some troubling examples in which the internal culture of some agencies has failed to understand the fundamental importance of democratic accountability on the exercise of these powers.

A recent Commonwealth Ombudsman report on the AFP’s use and administration of telecommunications data access powers when accessing location-based services is a good example in this respect, as were incidents of AFP access to the metadata of a journalist without the necessary journalist information warrant.

Our security agencies are on the frontlines of the contest between democratic and autocratic values within Australia and abroad.

It is crucial then that they embrace their obligation to be seen as exemplars of our democratic values and they are held to account as such.

The next area that Australia has work to do in the fight against techno-authoritarianism is in building the resilience of our democratic institutions.

Increasingly, authoritarian states have begun using tools they have developed to exert control over their own information environment to project into the information systems of democratic states through a range of cyber-enabled foreign interference tactics, including coordinated disinformation campaigns, hack and leak campaigns, targeted online harassment and intimidation campaigns, and even covert censorship on transnational social platforms controlled by authoritarian states.

When YouTube recently removed RT's German-language channels from its platform for distributing vaccine misinformation earlier this year, RT's editor-in-chief Margarita Simonyan made clear the terms on which Russia understood the decision when she declared: "In modern wars, YouTube is a weapon. It is much more effective than any other weapons."

This year also saw the revelation of the use of the Pegasus spyware, developed by Israeli technology company NSO Group, by authoritarian countries to project coercion, control and fear beyond their borders by targeting dissidents, journalists and diaspora communities.

Taken together, these tools of cyber-enabled foreign interference threaten to undermine Australia’s sovereignty – our ability to decide for ourselves what to do as a nation.

Indeed, ASIO’s annual report warned this year that foreign interference and espionage will surpass terrorism as the biggest threat to Australia’s security in the next five years.

In this new environment of cyber enabled foreign interference, the resilience of our democracy is now a national security imperative.

The days in which some saw a trade-off between democratic values and national security are long gone – in the modern information environment they are intrinsically interlinked.

There are some specific steps we need to take in response to this threat.

At the moment, there are half a dozen Commonwealth entities who share the job of responding to cyber enabled foreign interference.

But when everyone is in charge, no one has responsibility.

We need a single entity in government to have lead responsibility and accountability for combatting this threat.

Similarly, we need to have established, robust and well-understood institutional arrangements in place for when an instance of cyber-enabled foreign interference occurs during an Australian election campaign.

Informed by firsthand experience of managing incidents of this kind in the United States, the former head of the US Cybersecurity and Infrastructure Security Agency, Chris Krebs, told a recent PJCIS hearing that it is crucial that non-partisan public officials are responsible for making any public notifications regarding cyber and disinformation threats during election campaigns.

These issues aren’t theoretical for Australia.

In the lead up to the 2019 election the Prime Minister held a press conference to announce that our political parties were under attack by an unnamed sophisticated state actor. 

In response to Mr Krebs’ evidence, the PJCIS recommended that the government review its processes for dealing with serious cyber-incidents during the caretaker period and “consider the best practice principles for any public announcement about those incidents”.

The Prime Minister should consider himself on notice in this regard. 

If he fails to establish appropriate non-political institutional mechanisms for publicising cyber-enabled foreign interference in our election and if he then announces such an incident during the next Federal election, the public should be entitled to view these actions with some cynicism.

Beyond these specific steps, we also need to stop neglecting our democratic institutions more generally.

The success or failure of most cyber enabled foreign interference will turn on the health of the democratic institutions in the nation being targeted.

If we imagine this foreign interference as a virus seeking to infect and spread through our body politic, our immune system is comprised of the democratic institutions that can credibly identify and counter it – our media, our civil society and the institutions of our representative democracy.

These institutions will only be effective as antibodies to this virus in the body politic if there is sufficient public trust and confidence in them.

On this front we have a lot of work to do.

Decades of complacency have led many democracies, including Australia, to neglect the institutions of their democracy.

We’re currently paying the price in the form of depressingly low levels of public trust and confidence in our democracy.

We need a new agenda to renew our democracy in the face of this challenge.

Labor has outlined a number of practical measures in this regard:

  • A national anti-corruption commission;
  • Political donations and disclosure reform, including caps on campaign spending;
  • Defending the free press and backing the Your Right to Know campaign by making it clear that journalists in Australia should not be raided by the police just for doing their job; and
  • Properly funding our public broadcasters – an island of public trust in a sea of institutional suspicion.  

None of these initiatives are silver bullets, but they are much needed practical steps we can take on the road to restoring public trust and confidence in our democratic institutions.

The final area that Australia needs to engage in the fight against techno-authoritarianism is in our innovation system.

Some authoritarian states have coupled their domestic information control agendas with coordinated, well-resourced innovation strategies.

Strategies to develop national capabilities in the critical technologies like artificial intelligence and quantum computing needed to exercise state control over their societies now, and into the future.

A prominent example is “Made in China 2025”, which is directing many billions of dollars into the development of domestic industries for critical technologies in China.

These initiatives have only been spurred on by the imposition of US export controls on trade with a series of Chinese technology companies that have highlighted gaps in China’s technology self-sufficiency.

Overall, China’s success in this regard has been uneven, but in some strategically important technology fields like AI and quantum technologies, the country is now home to a number of world leading companies.

This strategy has caused the development of many of these technologies to be as much state-led as market-led.

In contrast, over the past two decades the innovation systems of most democratic states have stagnated.

We’ve seen a strikingly different innovation system in democratic nations in recent years compared to the post-war system which coupled heavy state investment in basic research and partnerships with private sector contractors.

In addition to putting a man on the moon, this innovation system produced many of the innovative technologies upon which some of the most profitable companies in the world now rest – the internet, GPS, micro-processors, voice recognition and touch-screens to name just a few.

But since the 90s democratic states, including Australia, have fallen behind on investment in research and development in critical technologies, driven by an ideological view that the state is the enemy of enterprise and a pathological avoidance of public sector leadership for fear of being seen to ‘pick winners’.

This contest between the innovation systems of democracies and techno-authoritarian states matters because it will shape the rules of the future internet.

A world in which the next Google or Facebook is developed in an authoritarian state is a world in which that platform is imbued with the values of the system that birthed it.

That’s not in Australia’s interests.

Democratic nations, including Australia, need a renewed focus on state investment in critical technology.

Not just general public investment in basic research, but direction-setting, strategic investments in the critical technologies that will underpin our future economic prosperity and national security.

Other democratic nations are waking up to this imperative.

This year’s US National Security Commission report on AI chaired by Eric Schmidt was a landmark in this respect.

We’ve similarly seen a series of nations make billion-dollar investments in their domestic quantum technologies industries as part of their post-COVID economic recovery strategies.

But Australia remains asleep at the wheel.

We can’t go on as the only country in strategic groupings like AUKUS and the Quad without a national strategy to develop domestic industries in critical technologies like quantum.

When these groupings are negotiating important technology development and sharing agreements, we can’t be in the corner declaring that “we are really good at digging stuff up in Australia”, as Scott Morrison did after the recent Quad Leaders’ Summit.

If we do, we’ll be signing up for a future as a technology taker, not a technology maker.

The theme of this year’s AISA conference is ‘possibilities’.

Every four years, the US National Intelligence Council produces a Global Trends report.

It’s a major analytical exercise that draws on multi-disciplinary expertise to produce an assessment of the trends and uncertainties that will shape the global strategic environment over the coming decades.

Its intent is to lay out a range of possible futures and to show policy makers how their individual responses to the major global trends and structural dynamics will determine what kind of world we will live in 20 years from now.

The point of the exercise isn’t to predict, but to show where we have agency to shape our own future.  

It’s striking when reading the potential scenarios for alternative worlds in 2040 that the recently released 2021 report outlines, just how grim most of the possible scenarios are.

The report considers ‘A world adrift’ in which the international system has broken down, global challenges like climate change remain unaddressed and great power conflict looms.

The report also considers a world of ‘Separate silos’ where the world breaks down into a series of separate economic and security blocks, undermining collective prosperity and leaving global challenges unaddressed.

These aren’t good worlds for Australia.

But the report also contemplates one decidedly hopeful scenario.

A world in which we see a ‘Renaissance of Democracies’ where ‘renewed public trust in democratic institutions’ and ‘rapid technological advancements fostered by public-private partnerships’ in open democratic societies reenergise the global economy, raising incomes and underpinning the cooperation needed to tackle global challenges.

At the same time, the limitations of the authoritarian model begin to manifest themselves, and citizens and leaders around the world alike turn away from autocracy and towards democracy.

This is a possible future that we should be trying to make a reality.  

It often feels like there’s too much going on in infosec.

That we’re buffeted by structural forces of geo-politics and the rapidly changing dynamics of technology change.

But it will be the decisions that we make and the actions we take in the face of these structural forces and dynamics that will shape the future and the technologies it is built on.

The actions we take working alongside like-minded countries in forums like the Quad, AUKUS and the Summit for Democracy.

But most importantly of all, in the actions we take closer to home.