Parliamentary Joint Committee on Law Enforcement
29/03/2018
Impact of new and emerging information and communications technology

IRVINE, Mr David, Chair, Cyber Security Research Institute

[11:31]

CHAIR: Welcome. Thank you for appearing before us today. The committee has received your submission as submission No. 8. Do you wish to make any corrections to your submission?

Mr Irvine : No.

CHAIR: Firstly, thank you for your expertise in this area. We greatly appreciate you coming here today. In a previous life, what are some of the other areas you've been involved in?

Mr Irvine : Previously I've had a career in diplomacy and in the intelligence services.

CHAIR: I invite you to make a few comments on your submission and then we can go to questions.

Mr Irvine : For the benefit of the committee, let me just explain that, in the work that this newly created Cyber Security Research Institute is doing, a number of our members who are universities do quite a bit of work with police and law enforcement in terms of cyberforensic activities and so on. That is the link, if you like, to the paper that we've put to you. In fact, what I have put to you here is basically a concept paper. It's an idea. In the work that I've done previously, and in the work of our Cyber Security Research Centre, we're seeing cybercrime or various efforts in malfeasance, if you like, on the rise. But we're also seeing a number of government agencies, mainly, struggling to come to terms with the speed, the technological change and the way in which the cyber world is just rushing, if you like, into new areas of criminal activity.

One of the things that we thought was really very important is to seek ways in which the national effort in fighting cybercrime could be better coordinated, operate more on a cooperative basis and so on. At the moment, it's fractionated, fragmented, between state police forces, numerous federal government agencies and so on, each operating under their own separate legislation, often, and some with really high-density pockets of expertise in one particular area that are not necessarily replicated in the state next door or whatever. So what we were thinking of was to try to develop a concept—and it is only a concept—of developing, if you like, a service arrangement, whereby you could concentrate elements of national cyber expertise and make it a support mechanism for law enforcement and other agencies that use cyber. It's not going to replace the cyber work that ASIO or law enforcements do, but it can assist and support them in their work, operating under their own respective pieces of legislation.

What we've therefore suggested is that people examine the concept of bringing together as much of your national cyber expertise as you can, and that that bringing together provides a service to this state police force in that investigation or that government agency in one of its particular investigations or whatever. It can have other benefits as well. One of the principal benefits is, if you concentrate your expertise, you have a much, much better chance of keeping up with the pace of technological change which is occurring in this sector. If we owe it to our law enforcement to have the best tools available, then this is one potential way of getting there—that is, approaching it on a national basis. Can I just make one other point, and that is simply, cybertools are important in fighting cybercrime. They are also extremely important, these days, as forensic tools in fighting every other form of crime and investigating every other form of crime. So, the more we can develop stronger expertise and capacity on a national basis, the more we can actually assist both in the fight of crime conducted by cyber means as well as crime conducted by any other means where cybertools will assist in the investigation.

That, essentially, is the bones of a proposal. We haven't widely consulted on it. We've very carefully kept away from the issue of, if you created such a body, where you would put it, because that will certainly provoke a considerable amount of discussion. Are we talking about a law enforcement function? Are we talking about a cyber function? One of the things I do believe is important is that, if you think about where the cyber expertise in this country lies, in a defensive, an investigative and an offensive sense, then you don't go any further than the Australian Signals Directorate, which has now been set up, or is being set up, I think, as a statutory body. At present, the capacity of the Australian Signals Directorate to contribute to individual law enforcement investigations is quite limited by the terms of the Intelligence Services Act, under which it operates. If our idea were to take hold, then I think you would strengthen it immensely if you could find ways to bring the expertise of the Australian Signals Directorate into the equation, perhaps through the Australian Cyber Security Centre, which has been set up to outreach into business and the rest of the world on cybersecurity matters. But if you wanted to make it also cyber law enforcement matters, that also might be an option.

CHAIR: You said the current legislation would have some restrictions on the Signals Directorate working in this space; did I interpret that correctly?

Mr Irvine : I don't have the Intelligence Services Act in front of me, I'm sorry, so I'm just going from memory, and it's now three or four years since I retired. The legislation of the intelligence agencies—particularly the Australian Signals Directorate and the Australian Secret Intelligence Service—which is the Intelligence Services Act restricts their activities to collection of intelligence against certain forms of targets. It's mainly foreign, and it's for national security purposes or mainly for those sorts of purposes, rather than for detailed law enforcement issues.

CHAIR: So are you suggesting this would be a separate body that would sit within the Signals Directorate?

Mr Irvine : That's where I don't want to go—

CHAIR: Okay.

Mr Irvine : I don't want to get too much into where it sits because it opens up a whole series of arguments, which, if you take my idea seriously, you will have to go into. There are three places, I think. If we're talking about law enforcement in cyber generally, then the policy issues related to this idea would naturally sit in the Department of Home Affairs somewhere, as it's been constituted. If you look at it solely from a law enforcement angle, then somewhere in the Australian Federal Police or the Australian criminal intelligence centre might be a home for it. Alternatively, the Australian Cyber Security Centre might also be a home for it, although that would require a slight change in its responsibilities. Alternatively, you could set up an entirely new body; if you've got the money and the will, that is a possibility as well. But overall, I would see it coming within the portfolio responsibility of the Department of Home Affairs.

CHAIR: You also mentioned in your opening statement that cybercrime is increasing. Is that increasing equally on a national basis or an international basis, especially where these crimes have no physical borders—

Mr Irvine : When I talk to boards and business about cybercrime and the cost, I'm quoting statistics that have been drawn from surveys and so on mainly by commercial companies whose desire it is to sell cybersecurity products. But, with that rider, the figures I quote are that, in 2015, the global cost of cybercrime was about $400 billion; next year, 2019, the estimate is that it will have reached $2.1 trillion; and, sometime in the early 2020s, we'll be up to $6 trillion. In Australia, I think the equivalent cost for 2015-16 was somewhere about $2.5 billion. It's not insignificant.

CHAIR: In the context of the $2.5 billion in Australia, is that significantly internal crime or is a lot of it external, using overseas addresses—

Mr Irvine : I imagine that a very substantial part of it will be external.

CHAIR: So we'll see money flowing out of Australia, where it's international crime—

Mr Irvine : International crime syndicates are very significant operators in this area.

CHAIR: In terms of setting up something like what you're talking about, won't its interaction with other equivalent international bodies be very important? And have other nations gone down this path of setting up—

Mr Irvine : Firstly, I'm not sure what other nations have gone down this particular path. Secondly, whatever you do, given the highly globalised nature of cybercrime, you would have to have relationships with law enforcement and so on. Some of these relationships, obviously, already exist. But this new body would have to have an international liaison dimension.

CHAIR: Also, just on the criminal incentives in this area, we can never underestimate the entrepreneurial skills of the criminal mind, but, to me, from a non-law-enforcement background, there seems to be a special type of criminal that would be involved in cybercrime. It isn't your typical villain that we've known for the last century?

Mr Irvine : It's a very special type of individual who conducts the crime. It's a quite ordinary organised criminal who actually coordinates and manages the process. In serious and organised crime now, one of the characteristics is that they get out there and they employ the people who can do this for them.

CHAIR: So is there recruitment like how a criminal syndicate out there may recruit a special chemist if they're manufacturing special precursors and drugs?

Mr Irvine : It seems to me it would be exactly the same principle, yes.

Senator SINGH: A number of submissions continue to talk about this issue of a shortage of expertise, whether it be in law enforcement or in a range of government agencies, and how the cybercriminals or whoever they employ are constantly ahead of the game. That's our ongoing challenge. Do you see that this idea of a centralised cybercrime service centre is a way to tackle some of that issue by ensuring we have that expertise coming in specifically focused? Or is it a case that we do have some expertise, but it's just not currently in the law enforcement space?

Mr Irvine : There are a number of answers to that question, Senator. We don't have enough expertise. One of the things that my particular Cybersecurity Research Centre is doing is trying to train PhDs and research people to assist in the creation of a much greater capability—a national capability—in this area. No, we don't have enough. We do have some very good concentrations of expertise. Some of the law enforcement agencies are very good, for example, on child porn or whatever. The Australian Signals Directorate has very substantial expertise—world class—but it and every other organisation that we talk to is looking for cyber expertise. If you really want to talk about poaching and become a poacher, get into the cyber expertise business. The banks want these people and so on. It is a significant issue.

The third part of the answer is that our proposal wouldn't of itself create new cyber experts—certainly not immediately, but maybe over time. What it would do is seek to concentrate, for the purposes of law enforcement, some of that cyber expertise into one place. I would envisage, for example, the way it would work on an investigation. A state police force—let's say the New South Wales Police—have an investigation going where they need high-end cyber investigative skills. They have a person seconded into this centre and they operate under their own New South Wales warrant processes and so on, so all of the safeguards are still there. That person is tasked to use the resources of the centre, which may involve technology or people, to assist in that investigation. Then, within the centre itself, you've got a concentration of various cyber skill sets that could then be used to assist in that particular investigation. That's one example.

Senator SINGH: Is there any merit in government agencies seeking to employ ICT specialists working in this field that have worked for criminals? Does it occur?

Mr Irvine : I suspect that has certainly happened. I don't know if it's happened in Australia. I'm aware of it having happened elsewhere. An 18-year-old hacker has been prosecuted, and the people who are prosecuting him and the agencies are so utterly amazed at the skills that this person has developed that they offer him a job afterwards. And perhaps it's a good thing—criminal activity turning into good.

Senator SINGH: Yes, exactly.

Mr Irvine : Not that I would encourage that as a way of getting a job!

Senator SINGH: No, but I suppose if we're employing them—poaching these individuals—it provides some intelligence into how organised crime is working and what their game plan is about.

Mr Irvine : You're quite right, and that is one way of doing it. One thing I didn't mention that might come within the scope of this organisation is for it to have the ability to actually see what is happening on the darknet. Because it's working in that milieu the whole time, it's often better equipped than, say, an agency like ASIO, which jumps in and out of it, to be able to advise people on what they're seeing, where the trends are and so on and so forth. It may also have that function, although that function properly belongs elsewhere.

Senator COLBECK: I'm looking to follow on from where Senator Singh was and to build on the interrogation of the concept that you're putting forward. As I interpret it, you're looking at some sort of cooperative arrangement rather than some formal structural arrangement; is that right?

Mr Irvine : I think you need a structure initially. You need to have an organisation that is clearly more than a nameplate, and it needs to live somewhere; it's got to be administered. What I would envisage is that it would have the right to take on its own cyber experts, but it would also have cyber experts—and, if you like, cyber liaison officers as well—seconded in from the various customers of this service.

Senator COLBECK: One of the things that we've heard today is the varying capacity of states—not just in Australia, in this jurisdiction, but also in others—to manage particular issues that they have before them. I'm trying to conceptualise how this helps to resolve that as an issue, because it creates the obvious capacity of cybercrime to operate through one of those jurisdictions but still be operating in others, if you like. I'm also concerned at the possibility of that actually stifling innovation in the management of combat against cybercrime by it developing some form of groupthink, if you like.

Mr Irvine : On your first point, my sense—in fact the basis of the concept—is that there is very great unevenness in broad skill levels and in specific topical skill levels. Some states do some things better than others. This would help to provide, if you like, the national capability for a state which didn't have the skills in that particular area, and I think that's a real advantage.

I'd actually take entirely the opposite point of view to yours in saying that, rather than groupthink destroying innovation, my sense and my experience are, particularly with computer people, that you put them together and you get innovation. Of course, it depends on the way—

Senator COLBECK: It depends on the circumstance, though. If they're continuously in the same environment, I would be more inclined to agree with my perspective. But, if they're exposed to other environments on a continuous basis and then you bring them together, that's when you get the innovation.

Mr Irvine : I don't think we disagree all that much, actually.

Senator COLBECK: Okay.

Mr Irvine : You certainly have to manage the concept in order to get innovation. I think that's a very important part of it. You also get innovation through international liaison.

Senator COLBECK: I think that's a fair comment. This is such a fast-moving area of technology. We don't even need to limit it to cybercrime; it's such a fast-moving area of technology. One of the things that we've talked about today is the cycle of information and knowledge concepts. It's almost a half-life of employment. We had some evidence this morning that, every five years, you're effectively needing to turn over the people who are working within that space because the whole thing moves on. Senator Singh and you talked about an 18-year-old who'd been pinged for something and then became a useful tool in the system. But, in a few years time, there's going to be another 18-year-old who's a few light years ahead of them on technology. So you've got this continuous turnover. How do you see that being incorporated?

Mr Irvine : That's a problem that agencies, fragmented or not, currently face.

Senator COLBECK: I agree. So how do we deal with that? That is my question. I was going to go to the public and civilian types of partnerships and utilisation of those services, not necessarily people who've been picked up for breaching the law. But innovation in that sector—

Mr Irvine : When it comes to cybercrime, I won't call it a failing but one of the issues with law enforcement is you only gear yourself up to fight a crime after it's been committed and you know what you're dealing with. And that's similar in the cyber world, too. You can anticipate all sorts of new forms of attack, for example, but it's very, very hard to combat them until they occur and you can identify them.

Senator COLBECK: It's only when someone's created a form of attack that you can start to deal with it.

Mr Irvine : I was hoping with this concept that there would be a much greater pooling of attack information to enable people within to develop antidotes and develop new investigative techniques or whatever. I entirely agree with you that the more you can have a public-private partnership in this area the better. That, in a sense, would argue for this sort of organisation being put with the Australian Cyber Security Centre, which has an outreach into business and elsewhere. But it wouldn't simply be outreach into business—and by that I mean Google, Microsoft, McAfee and all those people who are dealing with cybersecurity. There are hundreds of them now. It would certainly be outreach to those sorts of people. Public-private cooperation in the cyber area is, I believe, going to become more important in law enforcement. Look at the arguments going on with Google at the moment and whether they will disclose their encrypted messages in order to assist law enforcement. That's going to continue. But also—and I'm sort of putting my Cyber Security Research Centre hat back on here—we shouldn't forget the universities. In my group we have six of what I believe are the best cybersecurity schools in the country. A number of them actually are currently working with law enforcement. So you're absolutely right: this isn't a closed law enforcement cybergeek shop.

Senator COLBECK: What about the development of disruptive tools in this space? The conversation's been that encryption, for example, is an issue on both sides of the argument. It's a tool for good and for bad. Where do you see something like that in the context of it being a tool for disruption?

Mr Irvine : If it becomes a tool for disruption, that disruptive activity will have to be carried out under an appropriate authority from one of the contributing agencies who have that authority and that might require them gaining warrants or whatever. But I do not rule out this organisation becoming a tool of disruption. If you can disorganise those people who are organising, say, kiddy porn nets, and you can get them in there and you can actually turn them off or disrupt their activities in some way or other then that, to me, is a public good. A lot of disruptive activity is conducted by nation states against other nation states, as you know. But that same concept and a lot of those same tools can be used to disrupt criminal activity as well.

Ms O'NEIL: Thanks for your submission, Mr Irvine. I don't have any questions. It's quite comprehensive what you've got here but could you just tell me a bit more about who you are making this submission on behalf of? Are you chair of the board of this organisation advocating for the establishment of this?

Mr Irvine : Yes.

Ms O'NEIL: And who is involved in this proposal?

Mr Irvine : I did it on behalf of the organisation. The cybersecurity research centre was set up under a slightly different name about three years ago, and the objective of it is to promote industry investment into cybersecurity research on the basis that, with the changing of the Australian economy, we certainly need to develop an entirely new industry, and cybersecurity is one of the ones that could take off in Australia in providing employment.

The objective then under that broad heading is to essentially do a lot of training of the trainers—in other words, to conduct research at the PhD, MA and the honours graduate level into cybersecurity, building up your body, if you like, of academic expertise in the country which can then go out and work with industry. So if you're, for example, doing a one-year research honours degree, we would take you, we would embed you with one of our industry partners, give you access to our industry partner's data system—suitably anonymised and all the rest of it to protect them—and you would conduct your research in that way. Any intellectual property that came out would be owned by the company. It is a not-for-profit company, by the way—all the profits are turned back in if there are any. The IP would be used by the company or maybe with the Australian Cyber Security Growth Centre to commercialise it and so on. So that's one set of objectives.

The second set of objectives is, as I say, to build up the people going out into the industry—research leading to IP, leading to commercialisation, leading to new start-ups and so on. National cyber capability increased by virtue of the fact that we, with a program we have, would be approximately 50 or 60 PhDs over the period, probably double that number of MAs and honours students going out. And also we would be involving a lot of post-doctoral fellows. The partners in this exercise are quite extensive and getting them all together is like herding cats. We have industry partners, we have some major, big companies involved—10 or 12 companies in all—and we have smaller, niche companies, some working in the cyber area, some working close to it, some working on bits of it and so on. So that's our industry participation, and we aim to increase our industry participation.

We also have government participation. A lot of the agencies that we think of as being associated with cyber are actual participants in our venture. For example, we have ASD, we have the Australian Cybersecurity Centre and we have AUSTRAC, the ATO, the AFP and organisations like that. And then we have universities. At the moment, we have the cyberschools of six universities. They're not necessarily top eight universities. What we went for—those invited to participate—were the best cyberschools in the country. They are Edith Cowan University in Western Australia, the University of New South Wales' engineering and cyberschool, the Queensland University of Technology, Deakin University, the University of Adelaide and Charles Sturt University. We're very keen to keep it as a national body rather than have it dominated by any one university in any one state.

Ms O'NEIL: Okay, thank you.

CHAIR: There is just one final thing you might like to comment on. In your submission you said that what we're actually looking at is really no different to traditional crimes of abuse, revenge, extortion, theft, sabotage and espionage, which are nothing particularly new.

Mr Irvine : No. Look, the crimes are the same. The way they're being conducted and the tools used to conduct them are different. Law enforcement and counterintelligence agencies and so on are having to adapt to the new tools of crime. In the old days you took a sledgehammer or explosive to open a safe. Now you can do it with little electronic interests. The safe is still being opened, it's just that the tools to do it are different and they're the ones we have to adapt to.

CHAIR: Any other questions, senators and members? No? Mr Irvine, thank you for your time today. It was most appreciated and informative. And thank you for your submissions as well.

Mr Irvine : Not at all. Thank you very much.

CHAIR: We may just suspend for a few minutes before our next witnesses appear.

Proceedings suspended from 12:07 to 13:49