The Definitive Dialogue Diary
By Ravi Nayyar
I had the good fortune of being invited by the Australian Strategic Policy Institute to attend The Sydney Dialogue, a flagship international forum on all things geopolitics x geoeconomics x technology.
It was awesome to be among delegates from government, industry, academia and civil society — hailing from the Indo-Pacific and beyond — for a packed two days of debate and discussion.
In this piece, I reflect on some of those sessions (all on the record), interrogating the broader policy and strategic issues thrown up by them. There’s a mix of cyber, geopolitics, economics, military capability, innovation, infrastructure (digital and physical), minilateralism v multilateralism, human capital, telecom and, of course, AI.
This piece was previewed by my earlier meditation on the larger takeaways from the summit.
Now, back to the Dialogue Diary.
And let’s get AI out of the way by going through the first two sessions together.
Strap in.
A Global Tech Industry Leader’s Outlook to 2030; AI’s Well that Ends Well? Expert Perspectives on What’s Next
Coming right after the ASPI chief, Justin Bassi’s, excellent opening remarks, these two sessions were bizarrely alarmist. They seemed to focus a lot on the catastrophic (inter)national security risks from AI and other emerging technologies. Indeed, most of us in the audience — certainly when one spoke with delegates afterwards — believed that the discussions would have benefited from nuance on the nature of relevant risks, and our positive responses and partnerships to manage these risks.
The comments — especially from Connor Leahy and Dr Eric Schmidt — about the likelihood of us creating an artificial general intelligence system, which chooses to get rid of us, seemed fantastical at best, certainly for those of us having to deal with more pressing issues.
Like a lot of small critical infrastructure (‘CNI’) asset operators not having the money to do basic cyber resilience. Hostile Chinese activity towards Japan, Taiwan and the Philippines. The degradation of Western defence industrial bases since the Wall came down (especially shipbuilding), or human capital management issues in our militaries.
The chat about Silicon Valley folk worshipping AI as a proto-deity and being willing to continue aggressive innovation in AI perhaps wasn’t ideal; including the bit about how tech folk believed a 20% chance that this stuff could kill us was worth risking because of the 80% chance that they could live for centuries.
I note that Connor rightly said that Silicon Valley folk should not be making such calls on behalf of us, but yeah, it just sounded off on a Monday morning in front of people who aren’t AI (governance) experts.
Sometimes, the remarks just seemed uncritical.
For instance, the comments from Dr Schmidt about enemies using swarming drones against us should have been caveated by how our offensive cyber operators could pop just the right part of their software supply chain to severely undermine their capability. And that’s on the off-chance they are immune to conventional EW and other C-UAS measures that are themselves getting better — see the Ukraine War.
Dr Schmidt’s points about the paucity in software updates on large platforms like aircraft carriers did not sufficiently acknowledge, if at all, the efforts of his own military on the software front. Such as those to:
- modernise its software acquisition pathway;
- enable organisations to roll out DevSecOps methodologies through resources like Platform One;
- develop more software in-house through factories (with CYBERCOM moving to consolidate them under the Joint Cyber Warfighting Architecture); and
- rapidly field updates: to key platforms (having successfully tested this for Fat Amy, F-22 and F-16); to EW software; and during an exercise (Exercise Digital Falcon Oasis) with devs, military and intelligence folk working together in the one tent.
Of course, such efforts have been far from perfect and haven’t yielded a necessary level of progress. But come on, they should have at least been acknowledged as a positive to counter the doomtalk.
All in all, the tone and tenor of both sessions, unfortunately, reminded me of the alarmist and irresponsible rhetoric about how the baddies can nix all of our CNI in one cyber attack with ‘the cyber weapons’ [pew, pew, pew] and ‘send us back to the Stone Age with a few keystrokes’. (Prof Ciaran Martin wrote an excellent takedown of this rhetoric just after the Russian invasion of Ukraine.)
As with IT and OT, we have been using AI directly and indirectly (such as through commercial and government services enabled by AI) for years now.
The language of fear on AI engenders disengagement from productive discussion by a largely non-expert audience who is genuinely interested in practical solutions. I certainly found it a source of derision, if not a turn-off.
Indeed, I was hoping for more practical discussion from ticketed AI experts on tackling software supply chain and other cyber risks to AI systems, given the umpteen threats like:
- malicious ML models;
- LLMs ‘hallucinating’ open source software (‘OSS’) packages that can be subsequently poisoned by baddies;
- bugs in OSS packages that are dependencies for scores of models;
- GenAI writing and poorly vetting hilariously insecure code, having itself been trained on insecure OSS; and
- major model and data hosting platforms like GitHub and Hugging Face allowing API tokens to lie exposed in public repositories.
In that vein, I asked Connor Leahy and Navrina Singh whether massive AI coding or hosting platforms like Hugging Face should be encouraged (by government) to roll out controls equivalent to GitHub’s MFA for user accounts and secret scanning, perhaps even drawing inspiration from the CISA-OpenSSF Principles for Package Repository Security.
After all, those principles are transferable to platforms like Hugging Face. And the implications of baddies being able to easily commandeer massively popular repositories — and thus poison AI systems reliant on their models — through just stealing or buying creds for user accounts are not pretty as we rely more and more on AI.
While Navrina, to her credit, spoke to ‘responsible use licences’ being attached to publicly available models, I would have liked more specific chat about how said chokepointy AI platforms are ticking time bombs of software supply chain →(inter)national security risk as more and more AI is built using models hosted on these platforms.
To reiterate, we would have appreciated more balanced and nuanced remarks from the AI people. As I said at the top, ‘Strap in’.
Even speakers in subsequent sessions on hard power topics like hybrid threats were relishing that they weren’t the Debby Downers for a change.
The Future of Cybersecurity: Capabilities, Strategy, Preparedness
This was the session I was most looking forward to: our National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, CSC, interviewing the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technologies for the US, the Anne Neuberger, a legend of our discipline.
There were some great comments from both speakers on the multi-faceted nature of the ransomware threat and how to impose cost. This included chat on:
- the role of economic sanctions against criminals and other actors involved in the ecosystem;
- threat response work against these actors and their infrastructure, including Deputy NSA Neuberger’s reflection on the momentous LockBit disruption and how police engage in psychological warfare against the crims by seeking to undermine their trust in their operations and each other; and
- the next meeting of the multilateral Counter-Ransomware Initiative (‘CRI’) — which will happen in the coming weeks — including growth in its agenda and forthcoming joint statements from member countries on stuff like cyber insurance.
It was also good that the interview dealt with the domestic, workaday side of counter-ransomware, including how:
- multifaceted it is with informational regulation (like incident reporting) being a stick versus payouts from cyber insurers (who make coverage conditional on cyber hygiene) as carrots; and
- the overall cyber resilience of firms showing an improvement, which makes it easier for them to recover from an incident and, crucially, refuse to pay a ransom.
The session also dealt with US and Australian approaches to cyber policy, especially in relation to CNI.
As part of this, there was some chat on how both governments responded to the CrowdStrike incident-non-incident of July 2024.
Lt Gen McGuinness highlighted how this disruptive event contrasted with the data breaches her office dealt with more often, and how it brought into sharp relief the concentration of technological dependencies, especially given that only a very tiny portion of machines was directly affected by the bad update.
Deputy NSA Neuberger referred to her 4 am call from the White House Situation Room, learning what her Australian colleagues were seeing (we were among the first jurisdictions affected by the infamous Channel File 291).
Apart from highlighting the importance of software end-users testing patches before popping ’em into prod (operators of US National Security Systems were exemplars here), she foreshadowed the second Biden executive order on cyber, coming this fall, to include principles on vendors testing their patches and having rollback procedures for problematic patches. Noice!
[Clears throat.]
Taking this opportunity to plug my own series of essays on the CrowdStrike saga.
Now, back to the sesh.
The speakers looked at the US voluntary IoT cybersecurity labelling framework, Cyber Trust Mark (see 47 CFR §§ 8.201–8.222). Deputy NSA Neuberger pointed out how this is not just an informational regulation piece to make it easier for consumers to identify what the safest option is for them, but also a national security piece.
After all, if consumers are informed about the hygiene of wares and vote with their wallets to buy securer wares, there will be less of the usual cheap garbage in circulation that would otherwise represent a resource for bad actors (eg Mirai, Volt Typhoon, Fancy Bear, Sandworm) to weaponise as straight-up offensive botnets and/or C2 infrastructure to confuse attribution (when targeting our CNI).
The positive externalities of this framework’s shaping of demand and supply curves for IoT gear around security, not functionality or price, include substantial national security benefits.
Obviously, the labelling scheme is voluntary, like the Singaporean Cybersecurity Labelling Scheme. Our 2023–2030 Cyber Security Strategy similarly commits us to creating a voluntary labelling scheme for consumer IoT.
That said, our cyber strategy also commits us to developing a mandatory consumer IoT security standard. Per Home Affairs’ response to a question on notice from Senator James Paterson, development of the mandatory standard had ‘Substantially progressed’ by the end of June 2024 (our voluntary labelling scheme shall be developed after the mandatory product security standard is enacted).
The Europeans have something very interesting cooking with the proposed Cyber Resilience Act which is making its way through their supranational legislative procedure.
Note also the UK’s mandatory regimes for IoT security under the:
- Product Security and Telecommunications Infrastructure Act 2022 (UK) ss 8, 13, 14, 21, 79(2) → The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (UK) regs 1(2), 3, 6, schs 1, 3, regs 2–5 + The Product Security and Telecommunications Infrastructure Act 2022 (Commencement №1) Regulations 2023 (UK) reg 3 — for consumer IoT bar charge points for electric vehicles, medical devices, smart meters, and desktop, laptop and tablet computers; and
- Communications Act 2003 (UK) s 105F(6) → The Electronic Communications (Security Measures) Regulations 2022 (UK) regs 1(2), 4(4)(c) + Telecommunications Security Code of Practice [0.12], [2.88], [3.37]-[3.39], [M9.01]-[M9.06] — which covers stuff including ‘customer premises equipment’ (like edge devices) supplied by UK telcos to their customers.
We’re hardly breaking any new ground in acknowledging that voluntary labelling regimes — in the absence of mandatory product security standards — are not even half a solution.
Consumers do not look at the security of the IoT they buy, be it to replace old stuff like routers (if they do) or as a gift for someone.
Informational regulation tends to work only when customers of the intelligence act on it.
I suspect waiting for consumers to prioritise security over price, especially in a deteriorating economic climate, is a fool’s errand. Just look at the declining support among US adults for a TikTok ban. It’s also analogous to relying on ‘peer pressure’ and reputational sanction for major software vendors — via CISA’s Secure by Design Pledge — to not market insecure wares.
Now, yes, I understand that the political economy of mandatory public-facing product security regulation, let alone enacting a federal data privacy law, in the US is fraught. So, good on the Yanks, via the FCC, for having a go.
It’s like my immense respect for Jen Easterly and her merry band at CISA for pressing on while confined to jawboning.
And yes, I recall that the USG is using the procurement lever with the Internet of Things Cybersecurity Improvement Act of 2020 (see 15 USC §§ 278g-3a to 278g-3e) in lieu of a mandatory security standard for consumer IoT. 15 USC § 278g-3e(a)(1) bans federal agencies from procuring IoT which doesn’t meet minimum security standards developed by NIST, subject to a waiver process under subsection 15 USC § 278g-3e(b).
The procurement lever was given a fillip in December last year by the White House Office of Management and Budget (‘OMB’) devoting a section of its Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements (M-24-04) to IoT procurement and secure deployment by federal agencies. Signalling which hopefully trickles down to the acquisition pathway.
That’s the need of the hour, given a 2023 OMB survey of ‘a diverse set of agencies’ finding that ‘relatively few formal agency policies address the selection of cybersecurity requirements specifically for IoT devices’. Having a ban on buying garbage is great, but procuring agencies not even having robust policies in place to procure secure IoT and deploy it safely is just not cricket.
That all said, how cool that an IoT labelling regime was being discussed by very senior cyber officials from two FVEY governments at a foreign policy x security summit!
It would have been even more fun if Lt Gen McGuinness and Deputy NSA Neuberger spoke about software supply chain risks to national security as a general topic. (This stuff’s right in my wheelhouse.)
Or on OSS, given the xz utils almost-snafu earlier this year or the generally sorry state of the ecosystem. (Also in my wheelhouse.)
I’d have loved to hear the Deputy NSA talk about how US allies and partners respond to the USG’s fabulous Open-Source Software Security Initiative.
Then again, a real privilege to attend this session.
Back to the Future: Building Resilient Economies in the ‘Era of New Competition’
This was another cool sesh, save the ASEAN Deputy-SG for Political-Security Community’s really having it in for the Quad (more on that later).
Admiral Mike Rogers (Ret’d and former DIRNSA), as expected, dropped the hammer when it came to the importance of us baking cybersecurity into everything we do, be it operationally or in the policy process. He also helpfully distinguished between cybersecurity and how states (via proxies) use cyber to project power.
It was a fanboy moment for me to ask Admiral Rogers a question on how we tackle risks from concentrations in markets for technology services, given the examples of Change Healthcare and CrowdStrike. His response defined the problem in first principles terms, that is, as a function of governments’ tolerance of national security risks (from such concentrations). He referred to the greater regulatory interventions by governments like ours in CNI.
With the session being on resilience, Admiral Rogers’ answer built on his earlier comments on the need for greater redundancies in our CNI, using the Colonial Pipeline incident as a case study (where the operators proactively shut down around half of the US east coast’s fuel pipeline capacity because their billing system was bricked).
In response to a separate question of whether it was the subsistence of the WTO-centric international trading order or our minilateral diplomacy, such as through the Quad, which primarily got us through Chinese economic coercion (that arguably hit said trading order for six) in the early 2020s, Admiral Rogers pointed out that it was our friends (including our Quad partners) who enabled us, as sources of demand, to diversify away from the Chinese market.
The trade data agrees: our Asian friends in the region picked up the slack (though, the Americans and British didn’t).
To speak generally, my two cents is that international law and norms, such as the WTO-centric trading order, are meaningless if you don’t have a coalition of allies and partners working with you to uphold them. Such as by trading with you in a compliant fashion while your largest trading partner thumbs its nose at said law and norms. And thumbing its nose at the international system in more contexts than just trade.
On the other hand, what I found wanting for novelty and logic was the outright condemnation of the Quad by the ASEAN Deputy-SG. How ASEAN members feel ‘encircled’ by the Quad (sure, cartographically, but come on), that sort of stuff. Her Excellency even stated that the ASEAN membership — apparently seen by the Quad as irrelevant (never mind the umpteen joint statements championing ‘ASEAN centrality’ and the public goods in the agenda) — will have to deal with the ‘fallout’ (yikes) from this example of problematic minilateralism. The Quad is a body which will force ASEANers to ‘choose’ their friends (please workshop some new material, ASEAN).
Never mind the Chinese ramming Coast Guard ships into Filipino vessels and refusing to abide by the 2016 arbitral tribunal ruling. That leaves Manila with plenty of choice, of course.
What made Her Excellency’s comments even more curious was how, when pressed to compare the Quad with BRICS, she didn’t provide a concrete answer. The ASEAN position couldn’t possibly be influenced by China being a founding member of the BRICS, right?
Certainly, an interesting session.
Defence in the Digital Age: Whole-of-Nation Preparedness
This was an excellent panel, fielding heavy-hitters from government and SECDEF’s former point man on AUKUS.
It was good to hear that NATO not only supports a large VC fund/accelerator, ‘DIANA’, for promising DIB/dual-use startups to grow and commercialise their wares, but is also working to establish a rapid acquisition/adoption pathway to ensure that NATO militaries actually leverage innovations (such as those supported by NATO’s accelerator) before they are rendered obsolete by Moore’s Law et al. An end-to-end approach.
I liked the example from the NATO Deputy Assistant Secretary General for Innovation, Hybrid and Cyber, James Appathurai, of militaries leveraging innovation: the ‘Artillery Tinder’ application, which drove a circa sixfold decrease in time lag between troops calling in fires and shells flying at the enemy.
The need for cooperative innovation was underlined by the Australian Department of Defence’s Deputy Secretary Strategy, Policy, and Industry, Hugh Jeffrey. If I recall correctly, he gave an example of how target detection algorithms co-developed by AUKUS countries for P-8A multi-mission maritime patrol and reconnaissance aircraft performed better in testing than respective nationally-developed algorithms.
That all said, as someone who doesn’t follow export controls or military procurement, I found it a bit disheartening that it’s 2024 and (former) very senior defence bureaucrats are still bemoaning their own governmental labyrinths of provisions and procedures that contradict the imperative of agile procurement of critical and emerging technologies. (Read this report from the United States Studies Centre on AUKUS export control reform, by the way.)
The metaphor of the ‘hands of dead colonels reach[ing] out from the grave and clutch[ing] the defence planning process to their dead hearts’ to prevent NATO planning targets for all allies being taken out of ‘the Jurassic Park era of innovation’ wasn’t encouraging.
That NATO had to set up DIANA to be run outside of NATO in order to depoliticise the facility and ensure it is actually agile says it all.
= NATO seeking to protect NATO from NATO. Yes, Minister.
On a brighter note, I loved the enthusiasm of the Lithuanian Vice-Minister for National Defence in calling for AUKUS Pillar 2 to serve as a model for governments to work together on innovative military capabilities.
Tangentially, over lunch, I was asked by some overseas defence officials about whether I saw the membership of Pillar 2 being expanded to include smaller countries. I spoke on the fact that AUKUS countries would be or are already working on high-stakes dual-use technologies with friends like India, Republic of Korea and Japan, such that labelling the latter countries as ‘Pillar 2 peeps’ could be an exercise in semantics.
And a few days later, the joint statement from the Australia-Japan 2+2 dropped, featuring this bit:
Continue to consult with AUKUS partners and Japan on opportunities for cooperation on AUKUS Pillar II Projects.
So, official and unofficial Pillar 2 cooperation on the cards, eh?
Side note: it would have been nice to see some chat on securing the software supply chains underpinning the fancy capabilities being developed by allies and partners, as well as the tools used to build them.
After all, what use is the ‘small yard, high fence’ to protect our innovations →capabilities if determined threat actors like China, Russia or the DPRK can merely pop the right CI/CD box (which doesn’t check if an OSS package’s author has changed before pulling another completely different piece of code happening to have the same name) at the right subcontractor, to grossly oversimplify?
Or take after Jia Tan?
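A pre-install gate of the kind the CI/CD point above calls for, written here as an added example (it is not code from the post or from any project or pipeline it mentions): the build refuses a package whose name still matches the lockfile but whose publisher or content has changed since it was reviewed, and refuses anything that was never pinned at all. The package names, publisher accounts and code bytes are constructed, and the gate assumes the registry exposes a publisher identity alongside each artifact.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedDependency:
    """One lockfile entry, written when a human actually reviewed the package."""
    name: str
    version: str
    sha256: str      # digest of the reviewed artifact
    publisher: str   # account that published the reviewed artifact


@dataclass(frozen=True)
class FetchedArtifact:
    """What the registry returns at build time (every instance below is constructed)."""
    name: str
    version: str
    publisher: str   # account the registry currently attributes the package to (assumed available)
    payload: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_from_reviewed(artifact: FetchedArtifact) -> PinnedDependency:
    """Record a reviewed artifact in the lockfile: name, version, digest and publisher."""
    return PinnedDependency(artifact.name, artifact.version,
                            sha256_hex(artifact.payload), artifact.publisher)


def check_artifact(pin: PinnedDependency, fetched: FetchedArtifact) -> list[str]:
    """Return the reasons to refuse this artifact; an empty list means it matches the pin."""
    problems: list[str] = []
    if (fetched.name, fetched.version) != (pin.name, pin.version):
        problems.append("name/version differs from the lockfile entry")
    if fetched.publisher != pin.publisher:
        # Same name, different owner: the case a name-only lookup never notices.
        problems.append(f"publisher changed from {pin.publisher!r} to {fetched.publisher!r}")
    if sha256_hex(fetched.payload) != pin.sha256:
        # Catches replaced code even when the publisher field is missing or spoofed.
        problems.append("artifact digest differs from the pinned sha256")
    return problems


def gate_install(lockfile: dict[str, PinnedDependency],
                 fetched: list[FetchedArtifact]) -> list[tuple[FetchedArtifact, list[str]]]:
    """Evaluate every fetched artifact in order. A package with no lockfile entry is
    refused outright: something that was never pinned was never reviewed."""
    verdicts = []
    for art in fetched:
        pin = lockfile.get(art.name)
        reasons = ["not present in lockfile"] if pin is None else check_artifact(pin, art)
        verdicts.append((art, reasons))
    return verdicts


# Constructed sample data: package names, publishers and code are invented.
REVIEWED = FetchedArtifact("tzparse", "1.4.2", "maintainer-a",
                           b"def parse(s):\n    return s.strip()\n")
LOCKFILE = {REVIEWED.name: pin_from_reviewed(REVIEWED)}

# What a later build pulls: the untouched artifact, then a package with the same
# name and version but a new publisher and different code, then one never pinned.
FETCHED_AT_BUILD = [
    REVIEWED,
    FetchedArtifact("tzparse", "1.4.2", "maintainer-b",
                    b"import os\ndef parse(s):\n    return dict(os.environ)\n"),
    FetchedArtifact("colourlog", "0.1.0", "someone-else", b"print('hi')\n"),
]

if __name__ == "__main__":
    for art, reasons in gate_install(LOCKFILE, FETCHED_AT_BUILD):
        status = "ALLOW" if not reasons else "BLOCK: " + "; ".join(reasons)
        print(f"{art.name}=={art.version} ({art.publisher}): {status}")
```

The digest check is the one that matters when the registry's publisher field cannot be trusted; the publisher check is what surfaces the handover itself so that a reviewer knows to look at the new code before re-pinning it.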
Another thought-provoking session, this one.
Digital Public Infrastructure in the Indo-Pacific: Security, Privacy and Accessibility
As an aspiring DPI nerd, this was a really insightful session with practical insights and case studies from the region, namely India, Papua New Guinea and the Philippines.
For folks who don’t know what DPI is, here’s the definition agreed by the G20 Digital Ministers in 2023:
… a set of shared digital systems that should be secure and interoperable, and can be built on open standards and specifications to deliver and provide equitable access to public and / or private services at societal scale and are governed by applicable legal frameworks and enabling rules to drive development, inclusion, innovation, trust, and competition and respect human rights and fundamental freedoms.
Not only was it cool to hear what PNG and the Philippines are up to with DPI, but it was very refreshing to hear the Secretary for the PNG Department of Information Communication Technology call for greater focus from development partners on supporting the design and implementation of locally-tailored DPI products. If development assistance recipients do not have political will →create demand for DPI projects, DPI won’t become the force for achieving the Sustainable Development Goals which it must in the Global South.
Referring to his country’s MoU with New Delhi on DPI cooperation, the Secretary said PNG looked at India as an example of how to develop and run DPI (especially India’s Aadhaar and DigiLocker solutions), as well as Singapore and Australia for accessing government services online.
I also appreciated the Secretary explicitly calling for investment screening for DPI projects because DPI comprises, essentially, CNI. If you wouldn’t allow a hostile country into your telecom network, why would you allow them (via their vendors) in as a supplier for or operator of your national digital identity network?
I asked Kanishk Gaur and the moderator, the awesome Dr Rajeswari Pillai Rajagopalan, about the role of DPI in India’s (new) economic statecraft, especially as a means to counter Chinese influence in the Global South. Their responses spoke to the role of both minilateralism (eg the Quad) and multilateralism (eg UN/G20) in ‘exporting’ the Indian approach to DPI, as well as fora like the CRI in assuring the cyber resilience of DPI solutions around the joint. But, of course, the absence/dysfunction of UN standardisation processes (for DPI) or the UN generally don’t help.
After the session, it was interesting to learn about how senior Indian diplomats are aggressively promoting DPI as part of Indian economic statecraft, as well as the contrasting approaches to state-centricity in DPI between Europe (as a regulator) and India (as a creator, platform operator, ecosystem facilitator and regulator).
Countering Hybrid Threats: National Resilience and Collective Action
Some great, practical points in here from NATO, CEE (Latvian) and Indian perspectives on defining and addressing hybrid threats, including in partnership with industry.
I absolutely agree with Lt Gen Rajesh Pant (Ret’d) when he said that an Indian perspective is vital in any discussion on irregular warfare. He pointed out that New Delhi has had to tackle the complete spectrum of irregular warfare by China and Pakistan. Stuff like currency counterfeiting, sponsorship of terrorism, FIMI (by China and Pakistan), cartographic aggression and flat-out refusal to peacefully settle land borders (with fatal consequences).
(And that’s in addition to the conventional wars started by both countries against India since 1947.)
The General stressed that, as we seek to counter irregular warfare from the likes of Russia, which has an actual hybrid threats C2 centre, and China, our governments must approach the mission in a holistic way. Like the Russians themselves do in defining cyber operations (what they call ‘information-technological warfare’) as just a cog in their holistic idea of ‘information confrontation’.
Lt Gen Pant thus called for friendly governments to set up hybrid threats-focused C2 infrastructure at the national, sectoral, etc levels. He nailed it when referring to this as a governance problem: the counter-hybrid threats mission requires us to break down departmental and capability silos to throw everything at the problem (like our adversaries do).
The session also featured some pointed, welcome comments from NATO’s James Appathurai about the need for the private sector to lean into partnering with government in order to drive greater national cyber resilience and thus ensure the very markets and societies — that industry needs to operate — actually continue to exist.
Yes, government needs industry because the latter operates most of our CNI and has access to tons of telemetry, but industry also needs government (eg convening power, signals intelligence, military and law enforcement powers) to ensure the various contexts that it requires to actually exist are maintained per agreed standards.
Oh, and the example of a European port being actually targeted by baddies seeking to drop a warship berthed there certainly focused the mind.
(Sub)sea to Sky: The Future of Digital Connectivity in the Indo-Pacific
A wide-ranging session on telecoms in the region, ranging from cables to space-based connectivity. It was moderated quite well by our Assistant Minister for Foreign Affairs, Tim Watts MP, a former technology lawyer and telecom executive who worked on submarine cable matters back in the day.
The Speaker of the Tongan Parliament had some sobering remarks about the dependence of Pacific countries on a few submarine cables that have actually been damaged since the volcanic eruption of January 2022. Good thing Australia is working with the United States, Japan, and through the Quad on submarine cable resilience projects in the Indo-Pacific, including with the Pacific countries.
But I still am not quite sure why some Pacific countries — like Tonga — are holding out on providing SpaceX a licence to provide satellite-based Internet services (though SpaceX has been expanding its coverage in the region). These countries are more likely to face serious connectivity issues from their few submarine cables being damaged by negligent mariners, natural disasters or saboteurs than problems with Starlink infrastructure.
Indeed, Starlink not only provides a cheaper, faster connectivity option relative to submarine cables →terrestrial telecom, but it also provides a more stable one. Customers merely rely on portable terminals pointed at the sky, not, eg, towers that can be toppled by cyclonic winds. Let’s also not forget the value of a space-based solution for people in remote areas whom it is uneconomical or otherwise difficult to serve with cables and towers.
Hence, one wonders whether the hold-outs are more concerned about their investments in national cable operators and other telcos dropping in value if their citizens use a more competitive Internet provider.
[Clears throat.]
I take this opportunity to plug my series of essays on submarine cables in the Indo-Pacific, focusing on Australia-India cooperation on this front.
Overseeing the Ties that Bind: Holding the Indo-Pacific Together, Part II (atechnolegalupdate.medium.com)
Continental Drift: Enabling Tech and Talent Transfer between the Euro-Atlantic and Indo-Pacific
Though this panel was an interesting one, I would have liked it to interrogate the reticence of companies, certainly in Western markets, to hire entry-level cyber people as well as experienced practitioners who may not have the usual list of certifications, based on what I’ve heard from industry and read.
Now, yes, Cambodia’s Senior Minister in Charge of Special Missions (Multilateral Trade and Economic Affairs), Dr Siphana Sok, pointed out that his country’s ‘ICT Academy’ (the Cambodia Academy of Digital Technology, I presume) trains a number of people each year in cyber resilience, who can be hired by Cambodian industry. His Excellency highlighted the imperative of building the cyber capacity of youth, regardless of whether they work in industry, government or academia.
Dr Sok indeed pointed to the primacy of market forces in shaping the cybersecurity jobs market: young people with cyber qualifications just want jobs, while industry just wants cyber people.
It would have been good, however, for Dr Sok and his Filipino counterpart to interrogate rebuttals to this market forces argument. To speak on whether the actual business and regulatory incentives are there for firms in ASEAN countries (like advanced economies) to hire or continue hiring cyber-qualified people, be they graduates or experienced professionals.
And how it is long past time for ASEAN governments, including Cambodia, to proactively tackle the corporate cyber resilience problem.
In general, if a government does not execute a zero tolerance approach to moral hazard with respect to poor corporate cyber hygiene — combined with shareholders not meaningfully punishing control failures — can it be assumed that firms, regardless of geography, will keep hiring cyber-qualified people to assure their cyber resilience?
Or will they instead regard DFIR costs as merely costs of doing business, condemning their cyber resilience (and product security) teams as handbrakes for their competitiveness, and thus failing to provide CISOs the budgets which they need to hire and train new people (like cyber grads)?
Tangentially, it is dangerous to assume that a worsening cyber threat environment (for Southeast Asian economies) per se will make companies care about their cyber resilience and having the right people in place. Southeast Asian businesses certainly have work to do like all of us.
Dr Sok should have caveated his remarks on market forces and acknowledged the role of government as a regulator, beyond just an education provider or facilitator, to shift the needle in cyber governance and thus human capital management by industry.
Especially when there is quite a bit government can do in shaping the aforementioned market forces and incentives through making corporate bigwigs liable for particularly egregious stuff-ups.
Designing Technology for Democracy
How cool that the wonderful Brendan Dowling, our Ambassador for Cyber Affairs & Critical Technology, publicly interviewed a very senior Taiwanese national security official on tech and democracy.
It was great to hear Dr Yuh-Jye Lee, Senior Advisor to the National Security Council of Taiwan, on his country’s experience in how tech can enable democracies to flourish but also undermine them, as well as how Taiwan seeks to tackle the issue of Chinese information warfare (defined broadly) against its polity.
The larger symbolism of the panel was the cherry on top, even if there is no restriction on our officials meeting their Taiwanese colleagues. Good on ASPI for making this happen.
Conclusion
A huge thank you to the good folk at ASPI for inviting me to join the fun. Having usually attended industry-/academia-focused conferences on cyber policy, it was marvellous to be a part of one on all things geopolitics x technology where Track 1 was very well-represented.
For my big picture meditation on The Sydney Dialogue, check out my earlier piece.
Do tell me what you make of my takeaways and the summit itself, especially if you were a fellow delegate.
Folks, as I said in that piece, technology is a fantastic enabler for our collective betterment.
But it is a two-edged sword, perhaps even a shuriken.
The ASPI chief, Justin Bassi, put it quite well to get the ball rolling on Day 1:
As the power of technology grows — and everyone in this room knows that’s the course we’re on — the stakes are getting higher and the conversations more vital. That’s why we’re all here.
Fora like The Sydney Dialogue are critical, especially as anything and everything is weaponised against us.
We have to make sense of our evermore fluid technological →threat and geopolitical landscapes.
Together.