Subscribe
Share
Share
Embed
Technology and Security (TS) explores the intersections of emerging technologies and security. It is hosted by Dr Miah Hammond-Errey. Each month, experts in technology and security join Miah to discuss pressing issues, policy debates, international developments, and share leadership and career advice.
Miah’s Twitter: https://twitter.com/Miah_HE
Contact Miah: https://miahhe.com
Transcript: please check against delivery
Dr Miah Hammond-Errey: [00:00:03] Welcome to Technology and Security. TS is a podcast exploring the intersections of emerging technologies and national security. I'm your host, Dr Miah Hammond-Errey. My guest today is Brendan Dowling. Brendan is the ambassador for cyber affairs and critical technology. He played a key role in developing Australia's recent cyber security strategy, and leads Australia's international engagement on cyber and critical technology. Brendan previously worked at the Department of Home Affairs, including as first assistant secretary of the Cyber and Critical Technology Coordination Centre, and worked in Australia's embassy in the United States and Jordan. We're thrilled to have you on the podcast, Brendan.
Brendan Dowling: [00:00:40] Thanks so much for having me, Miah.
Dr Miah Hammond-Errey: [00:00:42] We're coming to you today from the lands of the Gadigal people. We pay our respects to their elders, past, present and emerging. We acknowledge their continuing connection to land, sea and community and extend that respect to all Aboriginal and Torres Strait Islander people.
Dr Miah Hammond-Errey: [00:00:56] 2024 has already seen significant law enforcement action and government response to cybercrime, from the first use of autonomous cyber sanctions to joint announcements regarding living off the land, attacks on critical infrastructure to the takedown of Lockbit. Brendan, what else can we expect this year?
Brendan Dowling: [00:01:11] Well, hopefully more of the same, I think from our perspective in Australia, but from countries globally, we've had a gutful of how much impunity there is in the cybercrime world. It's extraordinary how lucrative that industry has become in just a few years. And I think for most cybercriminal operators, they've been operating with a sense of confidence, anonymity, impunity and without seeing costs imposed. So the sanctions are important. I think exposing Ermakov and what he did with the Medibank incident is hugely important and impactful. But the takedown of Lockbit, I mean more disruption. I think that's hugely effective to breaking what otherwise I think will just continue to grow because it's easy money. We need to find ways to actually say we're going to make your lives harder.
Dr Miah Hammond-Errey: [00:02:02] Absolutely. As someone that's worked in this space for a long time, it's really exciting to see these big announcements we had planned to record a few weeks ago, but on the day you were involved in a multi nation announcement about a cyber-attack, can you tell me what happened?
Brendan Dowling: [00:02:15] So we, with our partners in the Five Eyes, issued an advisory around a group called Vault Typhoon, who is a Chinese backed group operating out of China targeting critical infrastructure. So the importance of that advisory was saying this group is utilising the living off the land technique, which essentially means that you can get onto someone's network and behave like you belong and are much harder to detect. And we're seeing that type of activity on US critical infrastructure. We think there's a risk that it's targeting a bunch of other nations, including Australia. And the key thing with an advisory like that is saying, here's what's going on, here's the information you need. If you're a critical infrastructure operator to hunt, detect, mitigate, putting it out there, naming the source and saying this is a problem because the targeting of critical infrastructure means it's not necessarily for information gathering or espionage purposes. The potential is there for disruption. And that's kind of the nightmare scenario in the cyber world, that a malicious actor can actually disrupt our essential services and stop our economies, societies, communities from functioning.
Dr Miah Hammond-Errey: [00:03:25] In late January, the government announced the first ever use of autonomous cyber sanctions, that is, sanctions imposed on an individual because of their activities in cyberspace. Russian citizen Alexander Ermakov was sanctioned for his role in the breach of the Medibank Private network. As you mentioned earlier, we've recently heard that Ermakov has been detained. Do you have any more information for us?
Brendan Dowling: [00:03:45] We've consistently called on the Russian government to better enforce laws against cybercrime. We do see that Russia provides a permissive operating environment for cybercriminal groups. And when you're operating from a safe haven, you're operating, you know, with with sophisticated digital tools, it's easy for a cybercriminal to operate. So we have consistently called on states, including Russia, to take it more seriously, to stop criminal groups operating from their jurisdiction. We would love law enforcement action like that. Sanctions are a good tool, particularly when we do them. In partnership with the US and UK imposed limitations on travel, financial assets. Law enforcement is a better outcome. Actually seeing criminals brought to justice is a better outcome. So wherever we see that happen, that's a good thing.
Dr Miah Hammond-Errey: [00:04:34] What happened behind the scenes from when the breach was made public to when these sanctions were announced? What does the timeline look like?
Brendan Dowling: [00:04:41] So it was about an 18 month timeline. The Federal Police and our Australian Signals Directorate, as soon as the Medibank incident happened, were on the case, were basically looking for who the perpetrators were. The initial focus, which I was heavily involved in at the time, included looking to disrupt the availability of people's information that had been exfiltrated from Medibank are being made available on dark web forums, so looking to stop that from happening, but then quickly pivoted to investigating, well, who was behind this and how do we, uh, pursue actions against them? It's a pretty long process. I think it demonstrates how effective obfuscation and anonymizing techniques that are used. That means it's really difficult to get to that level of evidence. You need to say, we know who that person was. We've isolated their bio data, their identity information, and we know that they were complicit in performing that act, which means linking them to the actual exfiltration or access to the Medibank network. Um, putting that information together involves a huge amount of intensive work, but it really involves intensive digital forensics work to piece together that picture, to get us to the point where we can say we have enough evidence to impose a sanction. The story is not over. Investigations will continue. Cybercriminal groups often operate as an ecosystem. I hope we see further either law enforcement action or further sanctions are employed. But actually finding Ermakov, pinning him with this crime and then outing him and sanctioning him is a big deal which shows to other cybercriminal actors. You're not just going to get away with it with no costs.
Dr Miah Hammond-Errey: [00:06:27] This is the first time Australia has used autonomous cyber sanctions. Can you set out the process to have someone added to that list?
Brendan Dowling: [00:06:34] So essentially you have to demonstrate to the satisfaction of the foreign minister and the attorney general who sign a sanctions instrument, that we are confident that this person did this crime. So that involves essentially a brief of evidence, but not to the same sort of level you'd need in a in a prosecution that satisfies those ministers that we can we can be confident that that's the right person and then lays out in a fair amount of detail what the crime involved and what this person's role in the crime was. So once we have that evidence that then goes through a government process where the Attorney-General and the foreign minister consider that information in detail, consult with the Prime Minister, the Deputy Prime Minister, the Minister for Cyber Security. And this all happens in a relatively quick period of time. I'm talking in a couple of weeks. And essentially the foreign minister takes the decision, lists this person on a sanctions instrument which provides that information to banks and anyone else to say this person is subject to these sanctions. Under these laws, you cannot deal with their assets. That is a crime. Uh, travel to Australia is a crime, and the US and the UK have analogous sanctions regime. So they basically do the same on the basis of the information we share. We hope that other countries will put in place similar sanctions regimes in time so that we can essentially close the net around these type of actors. But at this stage, it's those three countries who really look to use that as a measure against cybercriminals.
Dr Miah Hammond-Errey: [00:08:13] The DFAT guidance notes that cyber sanctions are to be used against an individual or entity that has been involved in a significant cyber incident. Can you outline what sort of cybercrime or incident would constitute use of the framework, and what exactly does the test look like?
Brendan Dowling: [00:08:28] So the word significant is in the legislation. So it does need to be a significant incident. It doesn't necessarily have to be in or against Australians. We can use the sanctions regime, uh, in relation to a cyber incident that hits a partner. I think with the Medibank incident, there was no doubt in anyone's mind that that reached that threshold of significant. There will be other incidents where there is a conversation within government that says, does this hit that threshold and are sanctions the right tool? If we think there's a law enforcement outcome that can be pursued, that will come first. There are other circumstances where a political attribution against a group might be another option that's on the table. I think you will see us use sanctions more, so this will become more of a live question for me. If it's a disruption of what we would consider critical infrastructure in Australia, that immediately puts it into that significance. If there is a threat or danger to, uh, lives in Australia, think, uh, attack against a hospital, clearly significant if it hits a multitude of actors, if it has a serious effect on the lives of Australians, then we will consider that significant. And I would expect through the course of this year, you'll see us use that regime a few more times.
Dr Miah Hammond-Errey: [00:09:47] And no doubt it'll get more robust with a bit more use.
Brendan Dowling: [00:09:49] Exactly.
Dr Miah Hammond-Errey: [00:09:50] Your role and obviously Dfat's role is really focused on building a resilient region and global leadership in cybersecurity. So how is the region responded to the strategy.
Brendan Dowling: [00:09:59] Really positively, so. I think our focus for a lot of our work is on the Pacific and South East Asia. In all my engagements in the Pacific, in my sort of first period in this role, there's a really strong sense in the Pacific that they have digitalised at a great rate, whether it's government services, whether it's small businesses, whether it's people, individuals, communities having access to the internet, and they're now seeing huge benefits from that, but also seeing the downsides. There's a lot of governments in the Pacific who are realising that their communities are vulnerable, and they want to do something about it. We basically want to say we're here to help. We have a strong track record on doing that. When we've seen major incidents in the region, we've deployed people to help with the recovery from a cyber incident. We intend to do more of that. So I think there's been super positive feedback from the Pacific. I think in South East Asia, it's it's a slightly different context in that digitalisation has happened a little bit earlier. Some countries have high degrees of cyber maturity. The conversations we have with South East Asia are more about critical infrastructure protections. There's a huge amount of interest in Australia helping them do exercises. So one of the initiatives is giving us a capacity to do exercises in South East Asia. For me, exercises are one of the most effective ways to figure out whether you're ready for a cyber incident and you're ready to recover from a cyber incident. So I'm a real advocate for that type of activity, which over the course of the next sort of 12 months, we'll be doing a lot more of in South East Asia.
Dr Miah Hammond-Errey: [00:11:36] The strategy plans to build regional cyber crisis response teams and work with industry on pilots for technology that can protect the region at scale. How are those progressing?
Brendan Dowling: [00:11:47] Sure. So we're pretty close to standing up our regional crisis response teams. I think by the beginning of the second quarter of this year, we should have those teams in place. And effectively, what that will mean is we will have Australian government officials and private sector incident response companies available to respond to any incident anywhere in the Pacific. So put people on the first flight out to wherever location to help with that remediation and recovery. Those incidents could happen at any time. So if it happened today, we would turn on that assistance regardless of of kind of our broader arrangements. But within a sort of month or two, we'll have in place a kind of standing arrangement with private sector partners that is available for the Pacific to to respond to incidents.
Dr Miah Hammond-Errey: [00:12:35] And so are you anticipating largely private sector or also uniformed, government officials, like who is actually going to get on that plane.
Brendan Dowling: [00:12:43] Well, it'll be a mix. And so when we look at the responses that we did in Vanuatu and Tonga, it was officials from a couple of different Australian government agencies plus private sector partners. So you had a team of about sort of six people getting on a plane and going to that country to help out, sitting side by side with the teams in that country under their direction, operating according to what their needs were. We're actually training up a cadre of people within the Australian government which will draw on DFAT, Cyber Security Centre, Federal Police, Home Affairs to basically say when the phone rings, who is available to be part of that particular response.
Dr Miah Hammond-Errey: [00:13:23] Four months into the strategy. Do you have any highlights so far?
Brendan Dowling: [00:13:27] I think the fact that we are taking the model of the crisis response and turning it into a standing capability is exciting for me because it's tangible and it'll have a meaningful impact in terms of how we're assisting and getting access to more secure technology in the region. We spent the last couple of months talking to countries in the Pacific about what their needs are, and it varies. For some countries, they're still using pirated software, or they're using servers that haven't been upgraded in 20 years. So for some countries, it's about how can we help you get better access to that technology. For other countries, it's about looking at cloud migration options and getting them onto secure cloud options that are going to help with not only security, but also with redundancy in case of a cyclone or a natural disaster. A positive for me is that we have been talking to the private sector extensively over the last couple of months, and our message has been, we need you to come to the party here, because some of the most secure tech and the best tech available globally is out of the price range of some of these Pacific countries. So yes, the Australian government is here to help, but actually we need sustainable solutions. And the response from the private sector has been really positive. They recognise that there's an important strategic and development agenda here and they're willing to work with us. So we want to turn that into projects relatively quickly. As an example, we want to work with the private sector partner and a few countries in the Pacific on cloud migration options, where we shift some of their services to the cloud and demonstrate the proof of concept there. So where everyone is saying the right thing, but we want to turn that into actual projects within months.
Dr Miah Hammond-Errey: [00:15:16] Great news! We've seen some significant public private partnerships announced already in relation to cyber. How important will those private public partnerships be in improving cyber resilience, and are there any risks?
Brendan Dowling: [00:15:28] I think it's super important because private companies that are operating enterprise software or other products have eyes on the cyber threat environment. There is no way to do this effectively without the private sector. We also need really sophisticated tools that are out there that help improve cyber security. To be more broadly available, we need companies to embed security throughout their product. Cybersecurity is often described as a team sport, which sounds a bit naff, but is kind of true in that the government cannot fix this problem. The private sector needs us to working with them as well, but it's kind of got to be a unified effort. I think there is always a risk of market consolidation. I think in when you're talking about enterprise software or big hyperscale technology like the cloud, we need to find ways to make sure we're working with the best class of private sector partners in the world, but we're also supporting Australian businesses, Australian start ups to crack into that market. So we're not just seeing a consolidation. I think there is always the risk where we're dealing with national security scenarios in the cyber sector, that the information and the situation of the government is different from companies that have a commercial imperative. And balancing the two of those and finding the common ground that's respectful, that kind of is mindful of each other's situation. Is is crucial and not always easy to strike.
Dr Miah Hammond-Errey: [00:17:04] Let's move to alliances. We talked a little about sanctions earlier, and as you said, sanction frameworks between countries vary greatly.
Brendan Dowling: [00:17:12] Yeah, I think there's really patchy approaches to cybercrime in our region. And that's something we've been trying to work on for a while. We have helped countries in the Pacific and South East Asia build up legal regimes that start them on the process of criminalising cybercrime, making clear that they have offences on their books. We've seen good results from that. I think the more countries that do this, the better. Recently I've travelled to Vietnam and Japan. There's a lot of interest from those countries in being far more aggressive and active on these types of risks. In Australia, I think we're a few steps ahead of lots of countries, not not everyone. There's other countries in the world who are, you know, same sort of position to us. But we have been we are fortunate to have a pretty agile regulatory environment in Australia where we see an issue, the Parliament acts to address it and we implement it from the public service side of things. I think we can see in other countries there's quite a longer process to get there. We would love every country in the region to find ways to ensure that cybercrime statutes are on their book, that they consider the use of measures like sanctions, but they also join with us on making clear that safe havens for cybercriminals is not acceptable, and that we also use that coalition of interests to exert pressure on countries that aren't taking this seriously. What do you.
Dr Miah Hammond-Errey: [00:18:41] See as the role of alliance building and technology policy?
Brendan Dowling: [00:18:44] I think it's huge, particularly for a country like Australia, where we're a relatively important and big market, but we're not at the scale of some of the biggest economies in the world. I think there's a couple of areas that really stand out for me with alliances. One, if we want to drive improvements to technology security globally, we need to do that in step with other countries. Internet of things device security is a really good example. We are all exposed because IoT devices are not secure as a sort of rule. We just haven't shifted that market effectively. We're working with the UK and Singapore to try and raise that standard. We could act alone in Australia, but it's much better if we act in concert, if we set consistent rules and baseline standards with other countries because of the size of our market, I think we'll want to do similar. When it comes to software, there's big hyperscale companies like Microsoft, Oracle and others. If we can come as a coalition of countries and say, look, here's what we expect you to do to lift your baseline security, that's much more powerful than doing it alone. Similarly,
Dr Miah Hammond-Errey: [00:19:52] ...Spoken like a true diplomat...
Brendan Dowling: [00:19:54] Right? I think Australia standing up and saying, here's this type of activity in cyberspace, which we think is out of bounds. Inappropriate. Unlawful is one thing. Doing that with five countries in the five eyes is better. Doing that with 20 countries throughout the Indo-Pacific is even more powerful. So it's really about broadening and deepening that voice so that it's not just us kind of standing on a mountain and yelling. It's a whole bunch of countries that are changing the nature of how we govern cyberspace.
Dr Miah Hammond-Errey: [00:20:29] So you haven't mentioned the quad yet. What sort of role of groups like the quad played in your engagement thus far?
Brendan Dowling: [00:20:35] Yeah, the quad is super important. Um, I think, um, the quad countries represent a bit more than a third of global GDP. So it's a hugely influential and powerful, uh, grouping. Japan and India are obviously major regional players. When you look at technology security, telecommunications security, which the quad has focused on, coming to that conversation with India, Japan and the US is huge. You know, these are market shifting economies. When you look at cyber sending a message that this is not just about Europe or the US or the Five Eyes, this is about really big Indo-Pacific economies taking action to improve cyber security for the region. I think it's a really powerful message. So I think one thing we get out of, say, the Five Eyes grouping, is that intimacy and depth of relationships. We're building that depth with countries like India and Japan. But what the quad brings is such great heft and a focus on this region, and this region is where the global economy is going to be the heart of the global economy for decades to come.
Dr Miah Hammond-Errey: [00:21:48] You've mentioned there India, Vietnam, Japan. And I just want to quickly touch on other forums like ASEAN and in particular Indonesia. How are you focusing and prioritising in those forums and what work is happening in the cyber security strategy?
Brendan Dowling: [00:22:02] The conversation, I think, with the country. Indonesia is a bit about information sharing, understanding the threats that they're seeing in a cyber sense, um, sharing information about what we're seeing and improving both of our awareness of how to mitigate those threats. I think it's also there's a lot of interest from the Indonesian government about our critical infrastructure protection. I think they're focusing on how they achieve the same thing in their system, whether it's similar to our reforms or something different is up to them. But learning the lessons of the risk management approach, identifying your most critical assets, that's something that I think Indonesia is keen to talk with us about. Indonesia is also keen to work with us on on regional exercises. So working through scenarios that say, well, what if we're all hit by a similar malicious cyber-attack at the same time? It sort of doesn't matter who the threat actor is. How do we respond to that? How have we got those lines of communication open? Have we got the ability to help us out in that sort of situation? So I think we'll have quite a sort of broad ranging engagement with Indonesia over the next little while. And I will say we do work with a range of other institutions on that sort of capacity building.
Dr Miah Hammond-Errey: [00:23:13] With more than 50% of the world's population heading to cast a ballot in 2024, mis and disinformation will continue to be a huge challenge. On one hand, how can we collaboratively combat AI enabled mis and disinformation over the next year? On the other hand, how do we start to understand PRC influence, particularly in the tech space in in our region? So as an example, in Indonesia, TikTok acquired a majority stake in Gotek recently [amendment: in Tokopedia). The acquisition came through earlier this year, which enables it back into payments in Indonesia, and TikTok played a significant role in the recent Indonesian election. What are some of the challenges here? From a security perspective?
Brendan Dowling: [00:23:52] I think one of the first challenges is that we see these incredibly dominant platforms, whether it's TikTok or Facebook, we see that large portions of the population are drawing information from single sources. So our first challenge is ensuring that those platforms are taking seriously the risks of interference disinformation. We need platforms to take seriously this risk and adopt their own measures that then they're not being abused or exploited. We need them to be more effective at knowing that when they see it. It's not something that governments should always try and sort of intervene in too much. We need platforms to figure out their own techniques. Tiktok, such an enormous platform in this region, it has such enormous reach that creates a huge responsibility on them for these type of safety measures and mitigations. We have concerns about some of the data security issues relating to TikTok. Our message in Australia, but also in the region, is thinking about technology, security policies and laws that prioritise sovereignty, that prioritise security and transparency so that it's not a tick tock issue, it's not a 5G issue. It's about how do you take a principled approach to saying, with this type of technology where our people's lives, data's and businesses are exposed, what are the measures that we should be expecting so that we can have some confidence that when you're using these types of platforms, you're not prone to seeing disinformation, that your data is not just being onsold to any manner of actors globally. And I think we've still got some way to go, not just in the region, but in Australia as well.
Dr Miah Hammond-Errey: [00:25:35] I want to move to a segment, a new segment. What are some of the interdependencies and vulnerabilities in technology that you wish were better understood?
Brendan Dowling: [00:25:42] We're in a global market, so firstly, our dependency is largely on software and hardware that's being developed outside of Australia. So finding the right way to use our levers to shape a global market and to work in concert with other countries to shape that market, um, is super important. I think we probably underestimate how much in each of our lives or our businesses, how much information presence we have across a range of platforms, or a range of technologies that are relatively sort of easy to aggregate or where the risk is actually networked. So a couple of examples. There are if we lose access to our payments system that we use to buy coffee or to shop as a result of a cyber-attack, imagine how much shuts down. Imagine how much of our daily lives shuts down at once. We've tried to come at that issue through the idea of systems of national significance. So rather than saying, well, the grid is critical infrastructure and that bank is critical infrastructure, saying, what are the interconnections between those things that mean we could be vulnerable?
Dr Miah Hammond-Errey: [00:26:53] In your role as ambassador for cyber affairs and critical technology, you're also focused on other critical technologies, as though you don't have quite enough to do. What are your current non-cyber priorities?
Brendan Dowling: [00:27:04] I'm contractually obliged to talk about artificial intelligence at the moment, because it's such a dominant kind of conversation in government circles. There's a really important cyber security nexus with AI in terms of how AI can be used to generate code, the actual cyber security of the models themselves. But more broadly, I think the conversation is about we will see a proliferation in coming years of AI tools or AI enabled tools, but I think getting a big conversation in policy circles is getting the guardrails right. I think as an overarching comment, the rush to market, I think, is problematic. I think we're seeing models rolled out without some guardrails. We're seeing open source models that are relatively easy to repurpose and exploit. The proliferation of child abuse material that is being generated by AI tools is huge and is already unprecedented. Usually what we need to do is apply the same principles that we've applied in earlier problems, even pre kind of digital age problems, to the new technology.
Dr Miah Hammond-Errey: [00:28:15] I want to go to a segment called Eyes and Ears. What have you been reading, listening to, or watching lately that might be of interest to our audience?
Brendan Dowling: [00:28:22] So last night I finished a book called Our Man by George Packer. It's about the life of Richard Holbrooke, who was a diplomat in the American system. He was what we would think of as a sort of senior mid-level bureaucrat who was involved in major foreign policy issues from Vietnam up to Afghanistan. In Australia, we don't tell enough stories about the inner workings of the bureaucracy and the sometimes really impactful, important decisions that are made below the political level. But the public service plays a really important, impactful role. I love that in America, you can have a great writer delve into the life of a bureaucrat and actually expose some foreign policy developments through that story. So Our Man by George Packer recommend it. The other book I'm reading at the moment is Gerald Murnane’s Border Districts.
Dr Miah Hammond-Errey: [00:29:21] We'll go to a segment called Emerging Tech for Emerging Leaders. Your career to date has spanned diplomacy, technical policy and now a mix between the two. What skills have you found most beneficial working across the different areas?
Brendan Dowling: [00:29:33] I spent several years now with a focus on technology and cybersecurity, but the abiding lesson for me is that doesn't require people should not think they need deep technical knowledge to work in these types of roles. You need to understand the technology to a degree. But actually we need to consider these from a overall policy and strategy perspective and apply the principles that we hold dear in a liberal democracy to these new forms of problems. I think sometimes in government we have bought into the myth that technology moves too fast or that government couldn't possibly understand this technology, so how could you regulate it? And actually, people within government should have confidence about their ability to engage in these issues, apply these types of principles, and not buy into that myth that we couldn't possibly touch this and develop policies because we don't understand it.
Dr Miah Hammond-Errey: [00:30:26] And I'd add to that, that it's so integral to our lives that we have to we actually have to engage with it. What other technologies do you rely on?
Brendan Dowling: [00:30:34] In my daily life, I a little bit of an analogue type person. I listen to vinyl, but I also, you know, use Spotify, which is dominated by Taylor Swift. I do love her, but I also have two daughters who are just obsessed with her. Um, I travel a lot, so I have to use a Kindle. There is no other way to operate.
Dr Miah Hammond-Errey: [00:30:57] Onto another segment. What do you do in your downtime to keep sane?
Brendan Dowling: [00:31:01] I have two children, so my downtime is nearly always with them. They do not care about what I do at work. They're not interested, they just want to read or play games. And so I actually find that really important in terms of disconnecting and de-stressing. Um, I find for my mental health, going for a long run really helps me process things. And then I tend to kind of spend weekends in a pretty sort of boring way, kind of reading, hanging out with the kids, watching some TV, listening to music. Um, I do love to cook, and I find as someone who uses their brain a lot at work, actually the physical act of cooking I find quite relaxing.
Dr Miah Hammond-Errey: [00:31:42] You mentioned a little bit before there about about monopolies, and we are seeing the concentration of data, computational and informational power geopolitically as well as with industry. Sometimes I call this the architecture of AI. You've spent a lot of time in the US, including in Silicon Valley, and now you engage with some of those players in relation to that architectural infrastructure that underpins AI, where is a balance between being reliant on them and actually engaging with them in a way that builds Australia?
Brendan Dowling: [00:32:12] Yeah, I think that's a really tricky question because as, as you sort of saying the way technology like that works, it kind of necessarily drives aggregation. It necessarily drives consolidation. There's networks, effects, effects throughout it. So for the technology to kind of work and evolve, um, access to massive amounts of data is kind of crucial. So in some respects, that's the way the market and the technology will evolve. And that's okay. But I always to take an example from another technology, that's what we saw happen in the market for 5G hardware. And we sort of stepped back and said, well, that's market dynamics, let it play out. Then we found ourselves in a situation where there was an incredibly small number of providers that were making that hardware. Um, one, if those providers don't, uh, adhere to the sort of standards that we want to impose, then we're in big trouble. And two, if any one of them falls over, we're also in big trouble. And the tech world is not, you know, immune to those sort of, uh, issues. So I think there is that risk when you're applying to AI technology that you lead to extraordinary dominance. That means it's difficult for other companies to break into the market because of that dominance begets dominance sort of thing, which creates that risk of concentration, which is never good in a free market.
Brendan Dowling: [00:33:50] I also think we'll see a big problem in this region where if the computational power, which is of limited supply, which might sort of evolve over time, is concentrated in a relatively few geographic locations. And for a lot of countries in this region, they're not going to have access to the computational power. I think, um, the data is also concentrated. There are lots of populations in the world that aren't don't have big digital data. Footprints will see AI tools that effectively aren't designed very well for them because their data isn't available. So I think without if we let those dynamics play out, we risk over concentration and concentration that is favourable to the already connected to the developed world. Um, and it risks leaving a lot of countries behind for Australia. It's an interesting dilemma because we're a smaller market, we don't have that huge compute in Australia yet. We don't want to be reliant on our friends in America and in Silicon Valley. So finding ways where we can, um, get our foothold, uh, contribute niche capability, but also shape the direction of, uh, those market dynamics in a way that doesn't sort of leave us behind. I think that's a really tricky sort of policy question for us.
Dr Miah Hammond-Errey: [00:35:09] In my Tech Wrap of 2023, I highlighted the role of the big tech players in the architecture of AI and kind of forecast some potential, I guess, for governance of tech. And you've hit on a really important point here, and that is the ongoing conversation about developing sovereign capability in Australia. What are some of the policy levers here to stimulate that growth and development? But how do we develop that capability so that small companies aren't actually cannibalised in that market?
Brendan Dowling: [00:35:35] Yeah, that's a huge problem and a huge focus, uh, for the government at the moment, uh, we see that cannibalisation happening. We see that some industry players, some small players in Australia will say to us that they have better prospects in the US market than they do here. In terms of commercialisation. We need to find ways to better support that access to venture capital in Australia, that partly means working with those partnerships. So under a program like Aukus, where we've seen the US open up some of its provisions to for better access for Australian companies, that's a big deal. That can be a huge game changer for Australian companies. I think the US has quite effectively used its government procurement levers to support its Start-Up industry. There's been a few programs this government has looked at, including the Buy Australia program, the Department of Finance run that are expressly trying to use the lever of government procurement to sort those, uh, to support those types of Start-Ups. There's huge, really impressive capability in Australia in terms of research, in terms of the people that we have. It's about actually turning that into, uh, something that that is able to be commercialised. Uh, for me, in my role, we do run, uh, a number of programs which involve procuring services, um, finding ways to, uh, meet all our kind of procurement and probity requirements while also ensuring that we're supporting that Australian sector, I think is really crucial. And I think for, um, public servants in my position, that's something that we are mindful of. How do we make sure that we're not just. Going the easy route of an American hyperscaler, but finding ways to support that ecosystem in Australia, it's not something that I think is easily solved, but we do all need to be thinking about it in our work.
Dr Miah Hammond-Errey: [00:37:24] Absolutely. We have an imperative to build that domestically. In the final segment, need to know is there anything I didn't ask that would have been great to cover?
Brendan Dowling: [00:37:31] Ooh good question. Look, I think I'm pessimistic about the threat environment over the next couple of years. I think malicious cyber actors are taking advantage of our technologies in ways that will become more challenging for us in the next couple of years. But where I'm optimistic is that we chose the technology future that we have, and it's brought huge benefits for us. But along the way we did some things which I think if we had our time again, we'd do better. As a basic example, the proliferation of enterprise software through the late 90s and early 2000 was done. So without a mind to security, and we've got a heap of vulnerabilities that are still being exploited because of some of those decisions taken back then. That was a choice. We can remake that choice now and we can fix those. It's not out of the range of our power to do that better, and that's a co-led effort from government and industry. So while I think we're in a tough position because of the vulnerabilities that are in every piece of hardware and every piece of software that we use in all our daily lives, we'll see. I complicate that picture as that makes things like at scale malware at scale, disinformation more easy. We also know what the tools to fix it are. It's really about the commitment to fixing it and the implementation of fixing it. And that's something that I feel quite optimistic that we're taking far more seriously than we were even two years ago.
Dr Miah Hammond-Errey: [00:39:01] That's really wonderful to hear. And what you're saying is the threats manifested, but that you're really optimistic about our capacity to legislate and regulate. Brendan, thank you so much for joining me today. It's been a real pleasure.
Brendan Dowling: [00:39:12] Thanks so much for having me.
Dr Miah Hammond-Errey: [00:39:13] Thanks for listening to Technology and Security. I've been your host, Dr Miah Hammond-Errey. If there was a moment you enjoyed today or a question you have about the show, feel free to tweet me at Miah_HE or send an email to the address in the show notes. You can find out more about the work we do on our website, also linked in the show notes. We hope you enjoy this episode and we'll see you soon.