Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Joint Standing Committee on Trade and Investment Growth
Australia's trade system and the digital economy

HORNER, Dr Jed, Policy Manager, Standards Australia

MEGUERDITCHIAN, Mr Varant, General Manager, Stakeholder Engagement, Standards Australia

CHAIR: I now call representatives of Standards Australia. Although we do not require you to give evidence under oath, this hearing is a formal proceeding of parliament. Giving false or misleading evidence is a serious matter and may be regarded as a contempt of parliament. I now invite you to make an opening statement.

Mr Meguerditchian : Thank you for the opportunity to appear. Standards Australia is recognised by the Commonwealth government of Australia as Australia's national standards body. We are Australia's member of the ISO and IEC, which are two of the three international standards development organisations. We have a catalogue of some 6,000-plus Australian standards, of which more than half are referenced in legislation by various jurisdictions in Australia. As is relevant to the digital economy, most recently, in 2016, we submitted and won on behalf of Australia the opportunity to lead the world in the development of blockchain standards. Blockchain is a technology that allows the efficient, safe and secure movement of data very quickly in near real time. Some 30 countries have participated in the development of that work. Under the leadership of Australia, the United States, France, Germany, China and other such countries are contributing to creating a framework for safe, interoperable standards for blockchain technology.

We also led a harmonisation effort within APEC for the movement of data across borders, seeing the movement of data as a key enabler for trade across the region. The conference was hosted in 2015, inviting 16 economies from the APEC region and identifying the relevant technical standards that would be required for those countries to adopt to enable trade, particularly for SMEs which are unable to establish residence in those countries. Effectively, I would suggest to you that the standards are critical components of the regulatory system. They provide, effectively, a platform for safe and efficient movement of data and they secure trade. Through this they establish a level of market confidence. That is really the critical benefit of standards as a framework to support regulation. Moreover, where Australia actually leads standards development efforts internationally, they position Australia as a world leader and give Australian businesses an opportunity to demonstrate their leadership and create a competitive advantage in the digital economy moving forward. As it relates to cybersecurity, I will now pass to my colleague, Dr Horner, to elaborate.

Dr Horner : Thank you so much. As you will have seen, in our written submissions we did touch on the issue of cybersecurity. We view it, much like the Australian Government and other actors, as a critical enabler of digital trade. They are the key considerations: protection of IP, protection of personal information and securing the ability of Australian businesses—small, medium and large—to be able to trade effectively in a world marked by many risks. As the national voice to the ISO and the IEC—the two standard-setting bodies—we play a strong role in the maintenance of some of those international security standards. The ISO 27000 series comprises a strong focus on information security. Just to ground that for people, most of the risks we have seen emerge in recent years—and I understand you have heard evidence to that effect from industry groups too—come from what I would call classify as poor information security practices and where personal details have been leaked from within government departments and also large corporates, from phishing attacks and malware attacks such as the Petya virus, which actually crippled the IT services of a major Australian law firm for at least a few days. Those are major concerns for us. We see an ongoing role for standards at the coalface to play a role in protecting Australian businesses, Australian critical infrastructure and even government departments as they relate to digital trade. Our message there is that cybersecurity is a key enabler. Standards can play a critical role. Uptake to date, it is fair to say, in the Australian market has been pretty low, but we are obviously looking to increase that to protect Australian businesses.

Mr HART: I would like to congratulate you on the standard of your submission. We greatly appreciate that, because it has hit a couple of key areas that we see. Certainly, we think it is a very valuable contribution to the work of this inquiry, so thank you for that. One of the issues that really interests me, particularly coming from what you have just said with respect to adoption of standards, is really a communications role between Standards Australia and particularly small and medium enterprises as to not just the importance of adoption of standards and becoming certified but also how that process can enable and, without overstating the situation, supercharge business development. A lot of small and medium enterprises do not understand the power of standardisation systems. Rather than doing everything as a one-off transaction, standardised approaches to everything means that not only are your transaction costs reduced but also the cost of delivery to interstate or international markets becomes a lot easier. What are your views regarding that?

Dr Horner : I strongly support the point you have just made. The issue I think I outlined in my opening remarks was that we have different maturity horizons in Australia, which you alluded to. We have some of our large corporates that follow cybersecurity standards around protection of information and you by and large do not see many very significant and consequential issues in terms of the leaking of information there. But we know that there is a soft spot, if you will, for SMEs. They face a range of challenges. I am a former director of a small business, so I understand and relate to that. There are the day-to-day pressures that you have in your business. There are all of the compliance issues. This may be a second-order issue. But, as I have submitted, it is a major threat. In fact, to your point—and it is well backed up by evidence—there was that national study on cybersecurity awareness which was undertaken by the small business commissioners from across the states and territories and which actually produced some of the data to support your point, which was that cybercrime was rated as the third biggest risk to their business. They said that themselves.

Malware was a key concern. That is the malicious software that is out there. Phishing people looking for your information or your business information. Twenty per cent of those SMEs reported that they had suffered a cybercrime event. So we are cognisant of those real risks in the Australian community. As I said, small, medium or large, it affects them all every day. It equally affects government departments. That has been in the media recently too. Putting the 27000 series into policy but not executing it is a risk, the same as for small business. We certainly acknowledge that we could play a role in partnership with the federal government.

I am mindful that there is a digital economy strategy that the Department of Industry, Innovation and Science is developing as we speak. That potentially is one avenue to explore how we as a society and an economy can respond to the needs of small businesses. It could be through dynamic things like playbooks, which are more real and tangible. Whether you are running a small business or an agricultural business that is focused on export or you are running a small shop in a town, you will be able to pick that up and identify points of use and standards that are relevant, and case studies potentially could be a way to make that more relevant to people in everyday settings away from some of the language—and I acknowledge that, much like legislators, everyday people do not necessarily go through the lines with a fine-tooth comb, but that is a role we are happy and willing to play.

Mr HART: For my sins, I am a former lawyer, but I am recovering. The issues are, first, the laws of negligence, when you are looking at whether you have complied with the necessary standard of care; and, secondly, from a corporate governance perspective, the obligations that are imposed upon you either by work, health and safety or other obligations. You have a standard that is obviously not the be-all and end-all, but it is a very strong guide towards what community standards are or industry standards are with respect to the standard of care. I would like to see more work done, in cooperation, for example, with ASIC and other organisations, in ensuring that, when it comes to corporate governance, here are templates. I know that ASIC has done a lot of good work with respect to a range of issues, including cybersecurity and resilience and recovery from disaster. I think there is a golden opportunity for Standards Australia to work with government organisations like ASIC.

Mr Meguerditchian : We certainly see the same. I would echo my colleague's sentiments in as far as the economic rationale for small and medium enterprises to adopt and utilise standards is there. One of the things we were able to identify through the APEC exercise on the movement of data was that small and medium enterprises, while they potentially might be the greatest beneficiary, do not necessarily have the resources to participate in the standards development process. when they are not participating in the standards development process it becomes harder for them to actually adopt those standards. What we would like to see is a greater level of engagement from them in the standards development process, so they are actually shaping and influencing the actual standards that they are then likely to use. Doing that validates their use down the track. There is certainly an argument for that. More broadly, I think standards are already in place across a number of different sectors in the sense that we have some cybersecurity standards in the 27000 series. There is also the 35000 series on ICT governance that we actually led the world in developing. These are now providing guidance to universities and for procurement when making purchases of ICT software applications and so forth across the country. The challenge really has been in getting the small and medium enterprises to use and adopt these standards. The opportunity there lies in having them participate in the process first and create an opportunity to then utilise those standards.

CHAIR: How can the government give them those incentives to get there?

Mr Meguerditchian : The way that Standards Australia operates is that our technical committees constitute a balanced representation of stakeholder input. So we would include government, industry and other stakeholder groups. The two greatest participants from industry—general industry—include the Australian Industry Group and the Australian Chamber of Commerce and Industry. There is I guess an opportunity for small and medium industry bodies to have their representatives participate. We have some great input, in fact, from the Consumers' Federation of Australia. I think that is an often forgotten representative group. We actually fund their participation. Similarly, it would be possible or useful to have greater input from small and medium enterprises. The challenges are, first, as my colleague mentioned, resources for SMEs to have personnel to participate in the process; and, secondly, for that representative to be representative of the collective viewpoints of small and medium enterprises.

Mr HART: So, for professional bodies including, for example, QA, if somebody is seeking to be certified as compliant then there is clearly an opportunity there for that profession to go out and advocate for standards that apply to a particular industry or profession. There are also the professional bodies like the Law Council, engineers et cetera. There is a golden opportunity there both for input into the standards themselves and also in advocacy for people to be QA certified.

Mr Meguerditchian : One of the best ways to get compliance with Australian standards is for government or regulators to actually reference them. Independent of that, though, with the general notion that Australian standards are consensus based and developed with industry, government and other stakeholders around the table, getting stakeholders to use them is a benefit and there is probably an opportunity for us collectively to think about the messaging, particularly as it relates to small and medium enterprises. I think that is a question to take home and for us to work on.

Mr HART: You can regulate it in two ways. You can be prescriptive or you can be more, in a sense, offering guidance—saying, 'You must address the following issues'. How you actually mitigate risk, for example, might be by reference to a standard or it might be more granular for your particular organisation.

Dr Horner : That is right. Our process, to your point, also enables us to develop handbooks. We call those lower consensus documents. That is the illustrative material I was getting to earlier. If you are running a range of businesses, as I said, like a fish and chip shop, you may not want to spend your evenings—and you certainly will not—looking through a standards document necessarily. What you may want to do, though, is look through a document that actually speaks to you in your own language and explains the utility and benefit of these standards, how you can apply them in your business and how they have been applied. We actually enable our stakeholders to develop handbooks through our current process. We can also do so in partnership with government where it is resourced. Where there is a particular need that is identified or a particular sector of the economy and we need to target them in a way that works for them best, our door is also certainly open for those discussions and we are engaged in some of those.

Mr Meguerditchian : One of the areas we have been particularly effective in is working with some start-up organisations—working with FinTech Australia and inviting them to participate in the development of blockchain standards. We are talking about organisations that are effectively one or two person organisations. We invited their representation in the development of a world-leading standards initiative. In that regard, we have been able to hone in on a particular industry and get SME participation or input into our work that way. I think there has been a broader challenge with the general small and medium enterprise community and their participation, but with the emergence of new industry-specific organisations for small and medium enterprises there has definitely been a greater uptake. Certainly, the federal government's support for our blockchain initiative has been critical to us being able to reach out to those stakeholders and get their inputs as well.

Mr HART: How widely is blockchain being exploited? Is it one of those nascent technologies that you are still yet to see—

Mr Meguerditchian : I think there is certainly significant potential that has been identified. It is not the statement of Standards Australia—our views are the collective views of our stakeholders. Data61 has released two reports on that, the first of which was around a future world that might include blockchain and how that would fit with other technologies. The other one was about the practical implementation of the technology and what the obstacles were. Both of them seemed to suggest that blockchain is going to be part of the future. There will be some applications for blockchain. It may be marginally better in replacing some existing technologies. It may be substantially better in replacing some other technologies. What is the use and uptake of it: I think it is early days for us to be able to assess where that is, but there is a lot of interest in the technology and there certainly seems to be—even from the large banking institutions as well as the Australian Stock Exchange, for instance.

Dr Horner : I will make a comment there to give you some more clarity as to where that is going. Australia has taken a leading role in areas like smart contracts. If you think about the actual use of that, it is pretty exciting for us given our geographic location and the things we export. If you think about grain exports, from the farm gate to a dinner table, it is a great case study because smart contracts can potentially address some of those issues in the supply chain around delays that farmers experience in receiving payment. It is early days still, but I think we are doing justice to Australian businesses and, in that case, Australian farmers and people who work along the supply chain by actually saying, 'Is this applicable? If so, how will it work and how can we design standards or technical specifications that actually tell you how to build a smart contract?' Then in the real world hopefully that plays out down the path where you see large companies, small companies and fintech companies actually rolling those solutions out. That is an indication of where that participation has gone. The expertise that has helped contribute to that is academics—our committee comprises people from Data61, the RBA and a range of fairly high-powered, I would say, government agencies and significant voices from the business community and the community sector too.

Mr HART: How much of a challenge is data localisation to our preparation of and promulgation of standards which are intended to be of broad application?

Mr Meguerditchian : I think that there is probably an opportunity for standards to play a role in providing guidance in that space, but it may be more of a case of business itself or government making some decisions around I guess where data is stored and how it is transferred and so forth.

Mr HART: I am concerned about the fact that, in contrast to open data, which clearly can be manipulated in different ways, having particular local requirements, which might be regulatory requirements, which specify that data must go through a particular waypoint or fit a particular description, is that a challenge to the adoption of standards and promulgation of standards?

Mr Meguerditchian : We try to work at it in reverse, so what we ultimately say is that, when you are thinking about various jurisdictions and asking them why they would like the data to be localised and for data sovereignty to be in place within their jurisdiction, it always comes down to some key issues. They are security, privacy and identity. What we try to do through standards development is to develop standards that support privacy, security and identity as a basic framework and then create an opportunity for all of the countries to actually adopt those standards, thus creating a harmonised opportunity for the movement of data much more freely than is otherwise in place.

Mr HART: So if you looked at a Venn diagram you would be looking at the maximum area where everything coincides?

Mr Meguerditchian : Absolutely, and I think the greatest proponent for the use and uptake of standards is that, prior to the use and uptake, some of these countries actually need to participate in standards development exercises. If they are part of the international community participating in standards development, they are more likely then to use those standards. There is no need to create unique regulation in their own countries, and they effectively create a common market with Australia and some of the other countries in the economy.

Dr Horner : I will just chime in there as well, if I may. I am also mindful sometimes that the process of data localisation can be a stepwise process. I can give you a real example. I note today the release by the Treasurer of the banking report and the response to that and request for further comments. That is one example where, to be frank with you, the UK, for example, has led the way in having a regime established. As you well understand and appreciate, there is a local regime around privacy and your data protections that exist currently within the regulatory framework. Obviously, there is a reason that is being reviewed in terms of opening that up for consumers. But, in the framework in which we work, you could look at those models locally and then a discussion could happen down the path about harmonisation. So, if Australia follows a model that has been set by the UK, which is certainly the suggestion of the report released today, the next step for us to undertake, I would suggest, from a competitive advantage or harmonisation point of view would be to talk with other jurisdictions like the UK and say, 'We have these commonalities. We have developed a system. You have too. Where are our points of convergence?' There you can actually get a fairly good, harmonised international standard. What that does is open the world for Australian consumers and businesses to be able to participate in those markets, addressing the challenges you raised about different regulatory regimes. I acknowledge that is a timeless process and there are challenges there, but that presents a stepwise way that we can proceed with standardisation too, acknowledging that the EU is also adopting their own frameworks. So that is a consideration.

Mr HART: Are you happy that DFAT is moving in the right direction towards harmonisation and looking at interoperability and harmonisation?

Mr Meguerditchian : It certainly seems that way. Their use of standards now as a concept for the purposes of economic diplomacy seems to make a lot of sense. I think there is a great opportunity for us to use our influence in the region particularly to work towards harmonising standards in the Pacific region and more broadly in the Indo-Pacific region, certainly.

CHAIR: With regard to payment, I know the horse has bolted, but, with the wheat to Iraq our wheat farmers are still getting a percentage of what they are owed. It is going to take another several years before they get their full payment—if they get their full payment—considering Iraq was going through war. Our farmers are still waiting. But they are getting—I do not know if it refers to Western Australia, but it certainly does to the farmers we canvassed on the east coast.

Dr Horner : That was my point earlier too in talking about the potential application of blockchain, although I use the word 'potential' there because proof of concept is different from people's real livelihoods being tested and on the line, so real grain being shipped through a model of testing that system is obviously different from a theoretical thing. But that is where it provides promise. People I know who work in exactly that situation—mum and dad farmers in places like Wagga—do see the grain leave the gate and then there can be a delay. As you know, it can be 30 days; it can be three months. Sometimes people go bust and it is forever, and it is a loss. In areas like that, we are very mindful that work is underway. We are keeping a watchful eye on it. But, as Varant said, we are informed by our stakeholders who are those businesspeople who are consumers, federation and regulators too around how that can play out in practice.

Mr RICK WILSON: Obviously, compliance is a problem in international trade, whether it be just physical product being transported in normal supply chain logistics and in international jurisdictions. Do you see in the cyber space that it is just the same—it is just that you are not necessarily dealing with a physical product—or are there additional challenges in the cyber trade space?

Mr Meguerditchian : In cyber there is the known challenge that, unless you have had an attack, you will not know that it is necessarily a problem. I think there is a greater application where—in the earlier example that my colleague gave—you see the wheat leave the front door, you know it has gone and then you are waiting to be paid for it. Ultimately, there is a known quantity there. With cybersecurity, often people do not know when they are being attacked. Often there is the concern that they may have been attacked, but now they have a firewall that is sufficiently secure—but it may not be. I think in that regard there is always a certain level of measures that you can put in place, but there are no certainties or guarantees that you can necessarily have. Just generally trying to prop up small and medium enterprises in particular to have a base level of security or to aim towards a base level of security is a fundamental thing that we should all be working towards.

Dr Horner : I think that is the comment we make often. It is on Hansard before this. Standards are the floor, not the ceiling. We want them to be enablers and we do not want them to inhibit anything. I suppose there are two comments I would make to your point about, internationally, how do we align all of the challenges. One is around standardisation itself. We obviously have a relationship with ISO and IEC. We work with our colleagues from other countries, and Varant outlined a few of them. We would like those relationships to continue just to strongly—it helps us when we have one or two sets of key standards to follow and not a plethora, because it obviously creates uncertainty for everyday people and, frankly, for large businesses too. That is something we keep a watchful eye on. We are participating in those fora and having liaisons with other standard-setting bodies like the ITU, which delve into telecommunications, which we see as important, and we have done that in the blockchain arena.

The other point I would make—and it goes to some of my earlier comments—is that there are also differences in our jurisdiction. I talk about the great federation we live in—between that and our Five Eyes partners. If you are talking about cybersecurity, a lot of those countries have baseline capabilities which reach beyond critical infrastructure and government protection to the private sector, providing them with a level of certainty and security that, to be frank with members of this committee, in Australia we have not yet reached—an example being New Zealand, where there is the broad protection provided by the CORTEX project under the auspices of the government communications security bureau, which is the equivalent of the DSD, to protect large businesses and businesses which are critical to the nation's economic growth. So that is another consideration.

It is the standards that play a key role in information security in those areas and everyday practices of people. Beyond that is that infrastructure we all rely on and the people working hard to keep us safe day in and day out. We need to have regard to that as well so that we are not just asking the private sector to carry the can on their own—we have a mandatory data notification scheme, which is all about breaches once they have happened. They could reasonably ask questions—and I know they have of this committee—around what capabilities are being provided and what support is being provided to industry from that side as well.

Mr HART: For example, there was a recent bipartisan legislation dealing with telecom security with respect to telecom infrastructure, which, as you say, is essential national infrastructure.

Dr Horner : Absolutely.

Mr HART: With the work within the region and the opportunities for us to generate trade within our immediate region and closer to Asia and the APEC area, is there potential for Australia to leverage off its standards-based work in this area and generate more—

Mr Meguerditchian : Absolutely. It is actually quite timely that you put that question to us. We are working very closely with the Department of Foreign Affairs and Trade to work with some of our neighbours in more developing countries to build their cybersecurity networks and frameworks, to create an opportunity for them to actually participate and engage in the standards development processes globally and to adopt and implement those standards in their countries. It will do two things, we think. First, it will create a harmonised set of standards allowing us to do trade in those countries. Secondly, it will actually afford them an opportunity to do some trade back with Australia under a level of certainty and market confidence for their own economies. It will also position Australia, I guess, as a global leader in the region. I think that is also useful for us and for Australian businesses and their positioning economically. That is a piece of work that I think we will be doing over the next 18 months or so. We are looking to work with some economies in the Indo-Pacific region and some of the Pacific islands as well.

CHAIR: Did you attend the Vietnam APEC meeting last year?

Mr Meguerditchian : I was at the APEC SOM 3—the senior officials meeting 3—in August. There was some conversation there particularly around smart cities—the role that cybersecurity plays in the development of smart cities and the need to have a secure framework to be able to actually utilise technologies in different parts of the economy. I think the other area of interest was around the work we were doing on blockchain. We actually reported on that to the APEC SOM 3 officials.

CHAIR: Is Standards Australia working with the department of industry in our growth centres?

Dr Horner : We are certainly working with the department of industry. We have a very close working relationship across a few things. For the Prime Minister's Industry 4.0 Taskforce and advanced manufacturing, and where that will go, we are looking at the standards framework there, which certainly encompasses some of the focus on cybersecurity. We are also working more broadly and engaging from time to time with those growth centres. We see a strong role for the cybersecurity growth centre in particular, not just in encouraging business growth here but also providing incubation for a layer of cybersecurity protection in the future—so home-grown solutions where they are applicable. We are certainly, as I said before, very open to working with all of those actors and we have done so. As Varant just mentioned, we are working in concert with DFAT to further the aims of their International Cyber Engagement Strategy, which was launched by the foreign minister late last year.

Mr Meguerditchian : The general nature of standards development is one that requires us to work with government just as it requires us to work with industry. One of the other key projects that we will be undertaking very shortly is the development of a roadmap for standards on grid cybersecurity—looking at how we can protect our utilities in this country. I think there is a critical role that standards can play in providing a base framework for the protection of the energy grid moving forward, and certainly we will be working with the department of industry in that regard as well as Energy Networks Australia and some of the smaller suppliers of energy as well.

CHAIR: Thank you very much for coming in.

Dr Horner : Thank you for your time.

CHAIR: And thank you for your submission—it is very good. Congratulations on leading the world in blockchain. It is a moving target every day. Well done for keeping up with it. Thank you for coming in. You will be sent a transcript of the evidence that you have given today.

Mr Meguerditchian : Thank you.