Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Joint Standing Committee on Trade and Investment Growth
Australia's trade system and the digital economy

FEAKIN, Dr Tobias, Ambassador for Cyber Affairs, Department of Foreign Affairs and Trade

Committee met at 09:03

CHAIR ( Mr O'Dowd ): I declare open this public hearing of the Joint Standing Committee on Trade and Investment Growth inquiry into the trade system in the digital economy. I now call on the Ambassador for Cyber Affairs. Although we do not require you to give evidence under oath, this hearing is a formal proceeding of parliament. Giving false or misleading evidence is a serious matter and may be regarded as a contempt of parliament. I now invite you to make an opening statement.

Dr Feakin : Firstly, thank you very much for the invitation to talk to you today and to talk about a really fascinating part of the work that I conduct through this position and also that my team work on. There is no doubting that the digital economy, which many now say just is the economy, still provides significant potential for Australia. It is growing significantly, and I think over the next decade it is going to become one of the absolutely central parts of our economy. I work through this position with the relevant experts. I would not for the record say that I am the digital trade expert at DFAT, but what I do in this position is coordinate across the Australian governments in order that we have a coherent international representation of what we do in the digital space. I engage also across the private sector. I am trying to ensure that we are encapsulating as closely as possible the opportunities that exist but also trying to manage some of the risks and address some of the risks that, if we do not address them, will undermine the economic benefits that we stand to gain online.

In terms of the position itself, just to give a bit of background, it was announced in April 2016 with the Cyber Security Strategy launch, but I only took up my appointment in January last year. So I have been in the job for just over 12 months now. As I said, the aim of the job is to have a senior representative from government who coordinates across the whole of the Australian system—the private sector and civil society—to ensure that we have the appropriate level of representation in the international system. It was born out of the reasoning that the digital space is not only important for trade but also becoming an increasingly important part of all of our foreign interactions. That is represented in the way that DFAT looks at this issue across its geographic desks and also its specialist areas.

The first order of business I had when I landed into the position was to publish an International Cyber Engagement Strategy, which I will happily give everyone a copy of now or whenever you would like to have it. The strategy itself was launched on 4 October last year by the foreign minister. It sets a pretty ambitious agenda for Australia across the whole spectrum of what we term 'cyber affairs'. There are seven key themes within it. The first one, where we kick off the entire strategy, is around digital trade and maximising the opportunities for economic growth. We then looked at how we foster sound cybersecurity practices. Thirdly, we looked at the risks of cybercrime and how we could address those internationally. Both of those issues, which I will talk about in a moment, have the ability to undermine the digital space and some of the economic benefits that we were looking to benefit from. The fourth area that we looked at was trying to promote peace and stability in cyberspace, addressing the state-on-state issues that increasingly you are seeing in the newspapers for the last 18 months. We also look at internet governance issues—what is the future of the internet going to look like, which actually has a direct impact as well on how we trade and communicate online. We also promote respect for human rights and democratic principles. Finally, we look at how we can use digital technologies to enhance our development assistance programs.

To meet those commitments we had a considerable uplift in terms of the money that we had available to support capacity building around the region, which includes capacity building for digital economic development around the region. That was expanded from $4 million over the course of four years to $14 million over four years. It is an optimistic approach that we have taken but a very pragmatic approach through this piece of work. It is a world first in terms of the breadth of what it covers and the way it states what we as Australia feel are the key elements of what we stand for across all of those different areas.

That is evident in the economic trade chapter as well. I will talk a bit about that chapter because it is the one that is of most interest to you, obviously. We kicked off with that chapter, and we have done that very deliberately. It reflects how the cybersecurity strategy was positioned, which is saying it is all very well and good—there is definitely a national security interest that we have in the cyber domain, but actually the bigger issue here is about our economic prosperity in the future. We felt that to centre it in that was the absolute logical approach, not just for us but also for the international community. We have been completely committed to trying to deliver the outcomes in that chapter to date. You will hear later on from the experts who are, if you like, on the front lines of delivering our free trade agreements and shaping the international environment on a day-to-day basis. But what this does is, if you like, provide that strategic picture of what we are trying to achieve.

Our goal for digital trade is to maximise opportunities for economic growth and prosperity through digital trade. The way in which we hope to achieve that is, first, through shaping an enabling environment for digital trade, including through our trade agreements, harmonisation of standards and also implementation of trade facilitation measures; and then, secondly, promoting trade and investment opportunities for Australian digital goods and services. So, if you like, it is first creating the enabling environment and then secondly promoting all that we do well here in Australia into the international environment as well. We are as a nation actively involved in trying to shape that global picture and the rule making that goes on in the digital trade space. We are trying to reduce barriers to international trade and advocating for those global rules that build trust and confidence in the online environment.

Our experts from the Australian Government have been actively involved in trade liberalisation and facilitation in a whole range of organisations, through WTO, OECD, APEC and the G20. Through our bilateral trade negotiations we seek to address all of the challenges that we may face or that may face Australian businesses engaged in digital trade. Our trade agreements now facilitate trade and promote consumer protection and flexibility in the way that businesses manage their data. Secondly, e-commerce and digital trade provisions are included in many of our trade agreements now, including the current negotiations that are ongoing. Actually, in the first chapter here, we have laid out some of the basic premises on which we will open up our negotiating position in digital trade. There are not too many countries that actually do that. We feel it is a sound practice. That is not to say that we tie ourselves entirely to all of those provisions, but at least it gives anyone going into a negotiation with us that initial understanding of what Australia stands for and what it would require for the initial stage of a negotiation. We do place a huge amount of importance on those agreements being living agreements. They cannot stand still, certainly not when you are dealing with a technology space like the online environment. It shifts so quickly that we do need to be able to review those. An example of where we have had to do that was in 2016 with the FTA with Singapore. We agreed to significant modifications on our e-commerce arrangements. So it is a good example of where we are doing that.

In terms of the trade harmonisation standards, we are funding various pieces of work, actually, to try to improve the picture in the region. We are funding a Standards Australia activity that is trying to promote the harmonisation of digital standards in the Indo-Pacific. We feel that builds trust and confidence in digital trade and then the consequence will be the economic benefit and development that it will bring as a consequence.

Those are some of, if you like, the strategic objectives we have in the online space and trying to promote digital trade. But I will talk a bit, and then I am happy to have a conversation, around cyber-resilience because, as far as we are concerned, that is great—we want to achieve the best economic benefit for Australia—but unless we are looking at cybersecurity and uplifting cybersecurity in the international community and also looking at how we address cybercriminal activity then, to be frank, it will begin to unravel all of those aims we have. A lot of this comes down to consumer confidence and also businesses' trust in cyberspace. If those two things go then we are in a problematic position.

Our cyber-resilience is obviously operationally a very key focus of our Department of Home Affairs, the Australian Cyber Security Centre and the Australian Signals Directorate—those key bodies that look after the operational side. But cyberspace is a network. We certainly feel it is only as strong as our weakest link. That is why DFAT and through this position we work proactively internationally to ensure that we are raising the bar around the region and beyond. We feel that, through building additional cybersecurity ability of our partners, that is a common good. It increases our own cyber-resilience and creates a better market opportunity for our companies to go and invest in them. I am naming no names, but I think that, with some of the countries that our companies are brave enough to go and invest in in the digital economy, I can only imagine what the risk profile must be like. If there are things that we can do through DFAT to assist in lowering that profile then, again, we think that is a commonsense measure that we can assist with.

We engage internationally to try to mitigate the impacts of cybercrime. Most of the cybercrime that Australia suffers at the hands of originates overseas. We are seeing an upshift in our region—in the Indo-Pacific—and we think that is problematic. Again, I guess it is commonsense. Business opportunities are something that criminals look for. The market opportunities in the region are ever-increasing and the digital economy space is booming in this region, so criminals are actively looking to capitalise on that. Most cyber instances that we see and suffer at the hands of are things that are a shared experience now. You may or may not have had a look at the WannaCry incident, but it was a piece of ransomware and it affected 150 countries. So, again, where we sit is with the idea that we have to address these issues internationally because we are all getting hit by these things and if we are more resilient abroad then that then reflects back into our own security picture.

The funding that I mentioned earlier on is basically invested in a cyber cooperation program. We had a significant increase in our funding. The way that works is that we look to assist countries in the region and to develop their institutional capacity to address cybersecurity threats and combat cybercrime. The grants are usually around £100,000 per year—not enormous amounts of money in comparison to some of our other aid programs—but actually we find that you can have quite a large impact with a relatively small investment in this area. We also fund projects that are co-funded by another country. We would ask of any of our project delivery partners that they are also talking to governments in country as well. Also, we have begun—and this is where I have returned from—one of our private sector partnership pieces of work. So we have a range now of public private capacity building projects that do, I think, assist in that regional economic picture. I am happy to talk about those if you find it useful.

There is a whole range of other programs that we have assisted with. We do a lot of work with computer response teams, which are often, if you like, the frontline conduit between the government and private sector, sharing threats and understanding. Again, that is very important for keeping a good, stable economic picture. We are supporting a whole range of programs across the region that are assisting in that. We have supported a range of regional cybercrime initiatives and we have been very active in the region in looking at digital forensics training for police forces and conducting crypto-currency workshops in various countries around the region. We are also promoting regional cooperation on these issues. Often, if we want to catch the bad guys, what we really need are good plug and play legislative measures in order that we can gather data and make arrests as quickly as possible. That is not always a straightforward issue, because the legislation that you look for is something called the Budapest Convention on Cybercrime. There are a number of countries that have a reasonable ideological problem with it because it was debated and agreed in Europe. I think that was a good opening statement. Hopefully that was not too long. Apologies if it was. I am happy to have a discussion on anything and everything.

CHAIR: You opened up a can of worms.

Dr Feakin : Whoops.

Mr RICK WILSON: We could spend the rest of the day talking about some of the issues that this raises. Just getting away a bit from trade initially, just to set the scene, as the internet has evolved we have gone from hackers, as they were termed back in the day—a nerd sitting in their bedroom at mum and dad's house—to where, obviously, international security agencies are going hammer and tongs. I have grave fears. At the moment, we are seeing it play out in the US. You made a passing reference to that. From a commercial point of view, I think some of our large northern neighbours have a propensity for appropriating copyright on designs and so on. How are we going to combat that? When the resources of very large countries, security agencies and networks are being put into trying to stay one step ahead of—we try to stay one step ahead of them, but the resources they are throwing at it are enormous. What does the world look like in 10 years' time in cyberspace?

CHAIR: The criminals you refer to are not the ones with the balaclavas down the street, are they.


CHAIR: Are they backed by other countries?


CHAIR: That is just in addition to what Mr Wilson is saying.

Dr Feakin : Would you like me to talk to some of those points?

CHAIR: Yes, please.

Dr Feakin : It is prime time. I enjoy these conversations. The central part of this job is trying to address some of these issues. First, I think you raise a really important point. It used to be perceived as the bedroom nerd who was the hacker. There is still that spirit of wanting to get into networks and systems almost for the fun of it—to challenge yourself and see what you can get away with. But it is now becoming mainstream. As much as it is now mainstream in the political world, in the bureaucracy and in the private sector, it is now becoming mainstream in civil society. One of the concerns in the criminal space is that the bar is now being lowered. It is not as if you have to be that high-grade technical whizz-kid to be able to do it. There are concerns now that you have toolkits for hire or, for a reasonably low payment, you can download pieces of malware from the dark net that are pretty easy to utilise, and you can utilise those and potentially be able to make money. I think that is one of the problems—the level of entry into this game is now lower and the level of technology available to any would-be hacker is lower as well. That is not to say that you can limit the access to technology. Of course, we all need access to this technology. If you like, the benefits from it far outweigh, I think still, the dangers that we are now seeing emerge from the criminal space.

To take that up a level and talk to your point about the international security picture, this is something we stated very clearly here: I was very keen that we make some strong statements—and we did as a government—about what we stand for as Australia in the international security space. Something we said very directly was the fact that we are increasingly now concerned by the blurring of state and non-state activity and the fact that certain states have for a long time used third parties—serious organised criminal groups—to mask their activity. Indeed, some states now use criminal activity to actually put money in their own coffers. You will have seen that through the attribution of WannaCry to North Korea. That was exactly what that was perceived to have been. So we do reach a point where we see increasingly worrying sets of behaviours from states, and that means that it is tough to be able to create responses. That is something we are thinking about very actively within government—how we do respond. There is a very current discussion, when we take it up to that absolute state level stretching of the boundaries, about what is acceptable and about the issues you referred to in the US and beyond and thinking about whether it is possible or plausible to get to a point of thinking around cyber deterrents—are there ways that groups of states can push back on some of this behaviour in a way that means that states will think twice, because currently states do not tend to think twice. It is 'What can we get away with? We are getting away with that. Perhaps we will push the boundary that bit further'. So, again, it is a very active area of work.

Finally, before you ask more questions, I have not answered about what 10 years forward will look like. On the China front, again, that is something that has been a pet area of mine for a long time. When I arrived in this position, certainly something that I felt was that we needed to engage directly with China. Just before Christmas I was in Beijing for our officials-level cyberdialogue that we hold with the Chinese system. You are absolutely right: it is clearly evident that the investments, both politically—and President Xi has taken control of this issue. He chairs the standing committee that coordinates cyber issues and broader digital economic issues within China. There is a lot of money going strategically into their government system for this as well. They are very active on the international stage on that front. One of the first pieces of progression that we managed with the Chinese was getting them signed to a non-IP-theft—a cyber-enabled IP theft norm, which is basically saying that Australia and China agree that we will not steal intellectual property by cyber means from one another. We got some other language into that agreement as well, which was pretty significant and beyond what the US and UK have managed previously. It is interesting because I have been asked a number of questions like 'Okay, what are your metrics of success with this?' Actually, the importance of this is that you then have a measure, so we can go back and push harder if we see those kinds of trends continue. We know that pieces of paper are incredibly important for shaping ideas and strategic directions of governments, but the proof will be in some of the evidence we will gather over the next six months to see what impact that has had. Then, if we need to talk more, we will certainly take that forward.

Mr HART: I am particularly interested in your advocacy role and, in particular, where both you and DFAT see that role—whether it starts at the border of Australia and goes out or whether there is a role within Australia's borders. The reason I ask that is that the DFAT submission has indicated that the International Cyber Engagement Strategy is not directly relevant to this inquiry. Of course, we very much dispute that. The other thing—and it is a matter of the most profound disappointment—is that Austrade has produced a one and a half page submission to this inquiry, and the briefest review of Austrade's website shows a disproportionate emphasis on the trade in physical goods, less reference or engagement with services and almost nothing with respect to digital. That is certainly of significant concern to me. I know it is of concern to the committee. I am just wondering where somehow the whole-of-government message is not getting through to Austrade and/or your host department.

Dr Feakin : In terms of the advocacy role I play—and, again, that is a great question—I would see it as twofold. One is the internal coordination within Australia, absolutely.

Mr HART: That is the correct answer as far as I am concerned.

Dr Feakin : Yes, 100 per cent—absolutely. It is about—I or we as a team are never going to create a coherent picture unless we are coordinating internally. Every three months we have the complete collection of departments that have a hand in cyber issues, including Austrade—we meet as a group and I chair that. We discuss, clearly, what is coming up on the agenda and some of the prioritisation. We talk about the implementation of this strategy itself. That is one of the means through which we do that. Are there things we can do better and should we always be thinking about how we recalibrate that and improve that coordination: absolutely. That is something we are thinking very hard about at the moment. I should leave it for Austrade to comment on their website and why perhaps—they could answer that question, I think, better for you. But what I could say, actually, is that something I have seen Austrade being very good at is getting the job done on the ground very proactively. I have actually participated and played that advocacy role in a number of places. Actually, we will be with them again at the Munich Security Conference next week. They have organised trade-specific side meetings and events and hosting Australian start-ups or small to medium enterprises. Obviously, most of our economy is made up of small to medium enterprises. But taking trade missions into different countries—the most recent one was in India last year. There were about seven or eight different companies that had already done a trade mission around India and then ended up in Delhi at a big conference that I was speaking at. We carried out a side event there. One thing I did find was that a number of those companies seemed incredibly positive about the opportunities they had managed to find. So, on the ground, they are making progress. I do not think I would want to answer on Austrade's behalf in terms of their website. Certainly, that is one for them. But I think all of us admit there is more we can do. We need to be more proactive.

Mr HART: In your opening statement—and it is repeated time after time in the submissions that have come from umbrella organisations—there is the acknowledgment that digital trade is all trade now and we should be imagining a trade future which encompasses digital trade as the norm, whether it is in physical goods plus services or whether there is a mixture. But it just seems to me to be an observation that there are parts of government that are still fixed in what has occurred before, and they are not yet reimagining the way that things are done—that is, business processes or whole of government processes—from a digital perspective. I know that the OECD Going Digital policy project suggested that all government policy and regulatory frameworks need to be completely rebuilt from the ground up. I know that some companies, when they have been early entrants into the digital space, have attempted to bolt on, but, of course, you have new entrants that start from the ground up with a digital framework. That is where I see the future going—that is, we need to actually change the way that government looks at business and government processes and the like. Would you like to make any comments with respect to that?

Dr Feakin : Sure. I was with the DTA last week on one of the trips I was on. They would be in the prime seat to tell you how the whole-of-government initiatives are going in terms of transforming the way we do our own business. Let me reflect. It is not to excuse government, but it is sometimes just getting all of us as a machine to work fast enough to change fast enough. I hear your point, and that is something that I certainly will take away and see how I can do better to make sure I am pushing ever more on that door. Certainly, in the time I have been in government, I have actually found a genuine spirit of wanting to change as much as possible, trying to be as ambitious as possible and not sitting so much in the past, if you like, in terms of just resting on our laurels and relying on things that we have already done to put forward as actions in a strategy. I spent 10 years of my life in think tanks, and they are essentially about passing that critical eye over anything that comes out of government and critiquing it. I thought long and hard about that in terms of the strategy so that all of the things that we put in there are new and emerging things that we want to promote to take Australia that step forward.

I think you make a valid point about the broader economy and how, if we are not at the forefront of placing digital at the centre of the transformation, if you like, of the Australian economy, we are going to lose out. That is one thing I see clearly evident from the ambitions of regional partners in terms of their e-commerce targets and their objectives to completely transform not only their physical infrastructure but also where they are targeting their business direction, and it is very much into the digital space. I was part of a digital forum in Indonesia last week. They are championing the point that they have—now, this is where I should be careful. I could give you a number and if it proves to be incorrect then I could be contravening the rules you gave me at the beginning. They have somewhere in the region of five unicorns of the region's seven, I think it is. Please excuse me if I have got—it is about that number. They are charging on the economic opportunity at a rate of knots.

We are doing well, I think, in some areas. When I look at the cybersecurity area that we are trying to promote, that has grown considerably in the last 15 to 18 months, at least in terms of understanding how many companies we have that have offerings in that space. Again, that is part of the role I play: trying to open up doors and making sure that they are visible and that this position can add some profile when they are abroad. Is there more that we can do in government to make sure that we are on point with where that future goes: yes, of course—there is always more that—

Mr HART: The point I am making is that, for want of a description, you might have a set of analog processes that have existed and been refined from time immemorial. That is the way government works. We have always done it this way. Along comes digital. The first tentative steps are to produce a digital representation of the analog processes. But the very point of digital disruption is that some of those processes are no longer necessary. Data entry should be the same as—an entry of data triggers an order, which then triggers fulfilment, and there are a whole lot of steps that are done without intervening processes at a human level. That work is clearly already being done within government, but there must be opportunities in trade, for example, that evolve around the essence of what I am talking about—that is, completely reimagining the way we do things from a blank sheet of paper.

Dr Feakin : I absolutely would agree with you. I am not sure my position would be the one to do that reimagining. I am part of that, of course. I would say that is very much a question for the broader transformation of the economy. I would not say that sits quite so much with me.

Mr HART: But emerging economies have a greater opportunity because they are starting without that legacy.

Dr Feakin : That is an excellent point. Something we have certainly seen in the region is that—okay, we have quite a traditional infrastructure delivery system here in Australia. But what happens in a lot of the developing nations is that they are building some of that infrastructure. But what you see with the start-up communities is that they just leap-frog it. It is not happening quickly enough, so they say, 'What we will do is work with the infrastructure we've got'—most often mobile handsets and mobile access to the internet—'and we will develop our business approach through that'. Actually, in some ways, that gives you probably a higher percentage of failure but also those that then begin booming are at the head of the charge. That is not to say that is a model we can adopt in Australia right now, but I certainly have seen a change, if you like, in the cavalier spirit of start-ups here. They are a lot more willing to take risks.

Mr HART: And fail quickly.

Dr Feakin : Yes, that is part of the start-up world, isn't it. Having come back from various visits where you see different start-up ecosystems—it is often referred to in Israel as well. The percentages of failure are huge. But that is done so that those that do get through are the ones that are huge successes.

Mr HART: Jeff Bezos famously said that his advantage was that he failed quickly in his first enterprise, and he subsequently built Amazon.

Dr Feakin : Then again, that is a really good point to make about that failure concept. That is tough, isn't it, for government to deal with. My whole career I have spent looking at technology from a social sciences perspective—where does it fit and how do you absorb it into processes, procedures, training et cetera. Something that is always very difficult for government is for bureaucracies to accept failure and move on quickly from it. I think almost at the heart of any transformation from a government perspective is accepting that sometimes things will go wrong. But that is tough, isn't it, because you have a public that—would they be so accepting of that? I am not so sure. I see that as a difficult equation. If you are looking at it purely through an economic lens then it is 'Yes, let's go for it. If we fail, okay, let's move on to the next one'. It is the way that the big money is being made in the digital space. We would certainly see through that cybersecurity lens that there is a multibillion dollar market to be had in this region. That is attractive. If you have all of these developing economies online and developing businesses around the region, something we do have is a great trusted brand. That is something that has been very clear to me during the time that I have been outside of DFAT but now also inside—seeing that trusted brand of diplomacy and the trusted brand of Australia and what that brings. If you are bringing that brand to cybersecurity and securing the networks so that will underpin the economic growth in the region then that is a great opportunity we need to exploit more.

Mr HART: Do we have the skills within DFAT to enable us to exploit that potential?

Dr Feakin : Again, from an Austrade perspective, I would let them speak for themselves. I see that they are being incredibly active on the ground in promoting Australian companies. They are working very hard with a group call AustCyber, which is basically the cybersecurity growth network here in Australia. They are working furiously hard to make sure that they are promoting a broader set of companies from Australia and making sure that they are represented internationally so that they can take advantage of those opportunities.

CHAIR: Do you think there is any threat of us losing our expertise in this field because of not moving fast enough?

Dr Feakin : That is interesting. The Prime Minister himself has spoken about that before—about the concern. I think he had one business that was a software firm. This was obviously pre-politics. He ended up having to sell his software internationally because the marketplace here just was not ready to buy a new product that was not tried and tested. So I think something again where there has been a lot of work going on is about how you change—again, especially through the DTA. I know they have created all sorts of online portals so that our SME community can access contracts that are on offer far more easily and actually have far more chance of winning those. I think their percentage rates have been very impressive for that. Again, is there more you can do: absolutely. It is important that we retain and mature those skills here, but it is also useful that they then have experience in other marketplaces to learn and spread their wings.

Mr HART: At the trade negotiation level, obviously you have specialist expertise. Is some of that expertise or knowledge necessary to negotiate trade agreements and ensure that our trade agreements are digitally enabled with the infrastructure that is necessary within the trade agreement? Do you think that expertise is being delivered across DFAT?

Dr Feakin : I think that within our trade teams we do have those with the specialist knowledge. I think part of where that has come from has been the very protracted negotiation of the Trans-Pacific Partnership, which had at its core a great deal of digital provisions for that negotiation. I think it was the Digital 2 Dozen that it grew to. At one point it was the Digital Dozen and then it grew to the Digital 2 Dozen. Then obviously it got negotiated down over time. But, having been through that process, that did develop a level of capability, I think. I found in DFAT when I arrived that it was pretty impressive. Again, those guys can speak for themselves when they arrive, but I know that other countries lean on them as well for a bit of assistance. So I think we have good capability there, certainly in terms of the trade negotiation side and the development of what those requirements are.

Mr HART: I think there is a gap between what you have described—and I am not criticising—and perception. The perception is that, compared with industry, there is not the level of understanding. That would be inconsistent with, obviously, the negotiation of the free trade agreements. Again, there is this tension between the start-up culture, which is about getting ahead to the next best thing, failing quickly and moving onto the next idea—that is in commerce and industry—and then government, which obviously deals with policy and a whole range of things. Effectively, within the department, are there spotters for emerging areas within digital technology that affect policy?

Dr Feakin : Through the InnovationXchange—certainly, that is something they look to. Not only do they look at how we use innovative process and technology for delivery of aid and the like but they are also there as a hub for spotting new opportunities for the department to do business differently.

Mr HART: Blockchain, for example, is the current technology that everybody, belatedly, has got onto. But, obviously, blockchain has been around for a long time. When did you start seeing discussion about blockchain at a policy level within government or at a public policy level?

Dr Feakin : Within the government system itself I have not been present at discussions around blockchain technology. That is not to say that it is not happening, again, in other arenas outside of my jurisdiction. But, in a public policy setting, blockchain has been discussed, as you say, for quite some time. I guess probably for the last five years now it has been part of the discussion. There is a sense, though, that it is often held up as the holy grail of solutions for everything, but no-one has quite worked out how to integrate it.

Mr HART: The Stanley knife.

Dr Feakin : Yes, but no-one has quite worked out how to integrate it in a way that it does become that holy grail solution. That is something we should be turning our minds to. We have this great technology. How do we integrate it and use it in a way that it does transform process and trust—

Mr HART: Again, I think people focus on the product, whether it is bitcoin or whatever is the current expression. The underlying technology, of course, is blockchain and other representations of blockchain.

CHAIR: The financial assistance you give to other countries in this field—is that more related to people we have trade deals with or is it other emerging countries we want to deal with in the future?

Dr Feakin : It is a mixture of both. It all comes out of our overseas development assistance funds from DFAT. There are certain requirements placed upon it there. But the projects we have been running have all been in the Indo-Pacific so far. They have been in countries that we have current trade relationships and growing trade relationships with. We have projects running across the Pacific—in Indonesia and Thailand and across South-East Asia. What I have seen from those is that they provide a really good conduit into other conversations as well. So it is always practical base work: how do we advance either responses to cybercrime or increasing governments' understanding of cybersecurity and how they deal with these issues. But increasingly, through the work we are doing in these private sector partnerships, we are finding ways of accessing a far broader set of stakeholders, most prominently the private sector in the region. Again, I think that provides us with a good opportunity. Last week we were running a piece of work with the regional aviation industry group in Singapore and looking at cyber-resilience within the aviation industry. It was working with a whole range of private sector stakeholders. Next week we will be working with networks in Thailand. We will be working with a whole range of Thai private sector entities and looking at how they deliver cybersecurity within their own companies—also, how they access broader sets of stakeholders, like their customer base, too. That is providing us with useful opportunities. When I talked about the amounts of money that we provide, actually, they are tiny in comparison to the big aid delivery programs that we run. But I have found with those small amounts and the kind of access you get with those pieces of work and then perhaps, if I may be so bold, with my presence there or the position's presence, it does open up doors. It opens up very senior doors in these countries. That is something that we are trying to make sure is utilised for good purpose for Australia as well as for the common good of the region.

Mr HART: The secretary has brought to my attention that there is some work being done by Data61, which is CSIRO. They are looking at how to incorporate blockchain into government. So there is some working out, including reimagining regulation as an open platform using blockchain. So, when we look at the export of government services, that is probably an ideal place to start.

Dr Feakin : Absolutely. I must admit that I have not looked at those others who are going to come here. If Adrian Turner was able to come, he is quite an inspirational guy to listen to on this front. He is someone who has done so well from a personal business perspective. The kinds of influence he is now having on Data61 in terms of just thinking about some of these future challenges is quite remarkable.

Mr HART: In essence, the committee and the inquiry are trying to do the very work that you are doing in order to lift the profile of the digital trade environment to the front of the public consciousness.

Mr RICK WILSON: Can I just bring you back to the security issue. I know that is not necessarily your specific remit. Can I ask about the ability of other countries to interfere with commercial networks and inflict serious damage on an economy. Is that a likely scenario? What mechanisms as government can we put in place to protect our private sector and commerce? Obviously, our banking system is very vulnerable. You could kind of freeze a country's economy overnight. Is this the sort of stuff that you look at as part of your remit? Do you advise on how government should be taking measures to protect our commercial sector?

Dr Feakin : I can certainly talk to this. I would say that the person who has primary responsibility for dealing with those things within Australia would be Alastair MacGibbon, who is the head of the Australian Cyber Security Centre. But certainly, when you look at the ability to interfere with commercial networks, one of the biggest issues we face is that it is all based on the same infrastructure. Regardless of whether it is commercial networks or government networks, we are all running on similar infrastructure or the same infrastructure. So there is a common threat picture out there that we are all trying to deal with. That then leads into part of the answer to what we do with the private sector. It is that you have to be in the conversation with the private sector continually. That is something that the Australian Government has worked really hard at doing probably over the course of seven plus years now, initially doing board level briefings, sharing some threat data which is pretty classified and sharing a bit of the interesting network traffic so that the company can understand a bit of what goes on from the government view. That has actually benefited in terms of what the private sector then comes back with. So the work that has gone on in government, certainly with the transition of the Australian Cyber Security Centre to a more open space at Brindabella Park, is all about a broader set of private sector stakeholders to physically be able to come into the building. They do not require as many security clearances to actually get into the building, and it allows that freer flow of conversation and understanding of risks and how we respond to those. There are joint threat sharing centres now established in Brisbane, Sydney and Melbourne. Those, again, are meant to be a conduit between public and private sector in the same building so that they can physically co-locate, talk about the risks and work on different projects and how we respond together. I think something we understand as government is that the more we continue that conversation and work in partnership, we get so much back from it in terms of especially understanding what goes on in the criminal space. You referenced the banks. They obviously have a business imperative to understand what is going on. Certainly, the top tier of the banking networks is very sophisticated in the way it shares threat data. Increasingly, that is a rich relationship between us and the banks in understanding that.

Mr HART: One of the key aspects of cyber-resilience is assuming that at some stage there will be penetration—recovery and re-establishment of your systems after a disaster being the prime objective. Having an undue focus on preventing the attack overlooks the fact that there will be a disaster at some stage. Proper assessment of risk and risk management involves 'what happens if'. The message that we heard when I recently had a hearing on a different committee—the Joint Committee of Public Accounts and Audit—was that unless government enterprise is cyber resilient in all respects, including the ability to recover from disaster, we really still have this significant risk to our economy.

Dr Feakin : I agree. This struck a chord because that is exactly what we were talking about in Singapore over the last few days: what does the concept of cyber-resilience actually mean. It is very much a cyclical process of the whole preparation, pre-empting and understanding the risk picture and what it looks like, then appropriating what you think are the right responses but then also testing those, evaluating and simulating so that, when you get to the actual crunch time, you are well rehearsed and people know what their roles and responsibilities are. You have a good communications plan and then learn the lessons from that so that you do not just get back to business as usual; you can bounce forward rather than just bouncing back.

Mr HART: Is that a risk management implication—that is, coming from the evidence you have just given regarding the fact that most governments and enterprises are on a particular sort of system running particular operating systems and that is a risk associated with the ubiquity of the services and systems that we are using? In other words, there is a concentration of risk rather than a sharing of a load amongst different systems. Do you think that, as a matter of principle, the government should be promoting the fact that mitigation of risk might involve adopting open systems, adopting different systems—looking at, for example, open-source operating systems and a range of different systems so that, in layman's terms, the eggs are not all in the one basket? For example, with WannaCry, you had this being able to propagate across Microsoft systems. Recent threats have attacked particular code within Apple android Microsoft systems. In other words, as a matter of principle, if we move towards a more diverse IT landscape as opposed to a homogenous IT landscape, we would actually be reducing our risk level.

Dr Feakin : First, just for the record, I would say that those kinds of decisions are well outside of my job, so—

Mr HART: Yes, it is just a question of principle.

Dr Feakin : In that spirit of answering in principle, I do not think there is ever any harm in looking at how you can do business better and more effectively. If a model like that was proven to provide us with more resilience then why not. Government IT projects are a problematic thing. If there are other ways of doing it then I would encourage that to be looked at. Obviously, DTA do look at that. I know that would be a good question to ask Alastair MacGibbon as well. He very actively looks at whether there are new disruptive ways that we can do business and provide a more cyber-resilient infrastructure for government as well. So I think that question would be very well aimed at him and also any representation you get from DTA.

CHAIR: Thank you for coming in today, especially after your long trip from Singapore. You will be sent a transcript of the evidence. We look forward to reading your book.

Dr Feakin : Thank you for your time. It was really interesting.