ASPI’s Principal Analyst Liam Nevill shares his conclusions after taking part in the III Australian Leaders Programme
The Australian Leaders Programme 2017 included four representatives of prominent Australian think tanks. The Council Foundation, as part of its active communications policy, is publishing interviews with them.
Principal Analyst at ASPI's (Australian Strategic Policy Institute) International Cyber Policy Centre and an expert in cybersecurity, Liam has participated in bilateral cybersecurity meetings with the US, China and Spain. He is in charge of ICPC’s annual report “Cyber Maturity in the Asia-Pacific Region”, which analyses the cyber maturity of 25 countries within the region.
Liam previously worked at the Australian Department of Defence in the area of cybersecurity, among others. He has a degree in History, Politics and International Relations and a Master’s in Strategy and Security.
In May 2016 SACF and ASPI organised the seminar “How Australia and Spain face cybersecurity challenges” in Canberra, which you attended. What do the two countries have in common in this area?
Countries all over the world can have cybersecurity issues, so it doesn’t really matter that Spain and Australia are so distant geographically speaking. There are quite a few shared interests on which we can cooperate, such as exchanging information on new threats to lead the charge against cybercrime in Australia and the rest of the world.
Critical infrastructure such as energy and water are another crucial issue. Spain manufactures a lot of equipment, and it is important for Australia to work with Spain and share information.
The last aspect has to do with working jointly on international cyberspace security issues: behaviour standards, conflict reduction, building online trust in the government… There is an interesting debate underway around how we manage cyberspace and the standards that all states should apply. As Spain and Australia have very similar value systems, we can work together in the international arena to help build a code around these shared values.
Spain and Australia are among the top 10 countries with the most online industrial control systems (Spain is 5th and Australia 10th). Which policies are (or should be) a priority in terms of protecting critical infrastructure in technologically advanced countries like ours?
I believe it’s important to adopt a holistic approach when analysing the security of critical infrastructure. You can’t have a cybersecurity guy who doesn’t talk to the person in charge of physical security; you need to look at the security of the infrastructure as a whole. There is no point in implementing protection against all sorts of IT threats if someone can just turn up and unplug everything.
From a technology point of view, it is also crucial that Spain, Australia and other countries work together to understand all sorts of threats and come up with solutions to tackle them. Increasingly more things are going to be connected to the internet; not just critical infrastructure, but every single aspect of our daily lives. Cooperating to mutually protect one another will be crucial for many countries, particularly those which develop their own sub-systems. It is crucial to understand what’s going on to increase the resilience of structures so that, if one should fail, the rest will keep working.
Given that it is a relatively new area, how does cybersecurity coordinate with other areas of a country’s security?
Some aspects belong to a field of their own, and some are different applications of the lessons learned in other aspects of security which also apply to cyberspace. The main feature of cybersecurity is scale: the problems can impact millions of people all over the world. However, lessons learned in other areas can be applied here and the other way around: cyberspace can teach a lesson or two to other aspects of security.
The main thing is that security needs to be coordinated. It is crucial for all departments to exchange information so we know, for instance, how IT threats are related to terrorism, and can work jointly on both areas.
ASPI’s report, ‘Cyber Maturity in the Asia-Pacific Region 2016’, situates Australia as the region’s 4th most developed country in this regard after the US, South Korea and Japan. There is also a huge gap between the top and bottom countries on the list. Do you think the differences are similar among European countries?
It is hard to say without carrying out similar research, but I would say there is less of a gap, even between the first and the tenth on the list. The Asia-Pacific region includes countries with significantly different government models and economies. There is not much of a regional architecture in place to allow for the development of standards, as is the case with the European Union and other organisations. I would say that, generally speaking, European countries could be closer to one another.
The first EU-Australia Leadership Forum took place in June and included industry debates around security and terrorism among other issues. Do you think these initiatives can have positive outcomes?
This kind of events are important to allow us to understand the perspectives of others. In events of this scale, crowds are always broken up into smaller groups to analyse specific aspects. It is important to be aware of the threats we are all facing and the shared problems, but also of the differences, as we might react differently on many occasions.
Conversation is always positive, but I believe that at these kinds of debates there must be a clear objective to implement a plan of action. The sessions must be very specific to prevent them from becoming flat and must seek to come up with practical solutions.
What is your opinion about initiatives like this Leaders Programme and meetings between different institutions, such as the one held last year between ASPI and the Foundation?
I had never been to Spain before, this was my first visit. Until now, my impressions and understanding of the country were based, even after working with the Foundation on the Cybersecurity Forum in 2016, on isolated issues, but I didn’t have a general idea of what Spain is like: its economy, industry, politics and security, for example. It has been great to be able to come and analyse those aspects for a week to get an idea of what’s going on and be able to discuss what’s happening in Australia at the same time.
I think we are entering a more uncertain era in both regions, with several countries causing increasing instability. Therefore, it is crucial for countries like Spain and Australia, which have shared interests and values and could work well together even if they do not immediately think of one another when looking for a partner, to have interdisciplinary teams that understand how they can cooperate and forge a path forwards.
Which aspects of the Leaders Programme would you highlight?
Well, I would have loved to try high-speed trains (laughs). I think the range of topics has been great, as have the visits to factories to observe the industrial process both in shipyards and in the textile industry. Travelling and getting to know different parts of the country instead of just one city has also been very interesting.
I think the best thing has been the range of topics we have covered and the range of people we have met in terms of hierarchy and expertise. That has been really useful to gain a better understanding.