兰德公司在澳大利亚探索网络安全策略选项20178715页

SUMMARY■InDecember2016,RANDandtheNationalSecurityCollegeatTheAustralianNationalUniversitypartneredtofacilitateacybersecurity–focused360ºDiscoveryExerciseinCanberra.Theexerciseusedplausiblescenariostoexplorethechal-lengesAustraliafacesinsecuringcyberspacebyplacingpres-sureongovernmentauthorities,industrycapabilities,users’toleranceformaliciouscyberactivity,andtheabilitytodevelopinterdisciplinarysolutionstopressingcybersecuritychallenges.ThescenariosconsideredthesecurityoftheInternetofThingsandintellectualpropertytheftagainstabackdropofevolvinginternationalnormsofbehaviourincyberspace.ThiswasthethirdinaseriesofcybersecurityexercisesdevelopedbyRAND.ThetwopriorexerciseswereconductedintheUnitedStates—inWashington,D.C.,andattheUniversityofCalifornia,Berkeley,nearSiliconValley.1Likethesepriorevents,theAustralianexerciseprovidedarichsetofobservationsandoptionstostrengthencybersecurityandenforcementwhileprotectingthebenefitsaffordedbyafreeandopenInternet.However,thesolutionsproposedbyexerciseparticipantsanddiscussedinthisreportneedfurtherdevelop-ment.Forexample,thesolutionsdonotyetassignclearrolesandresponsibilities,mayrequirenewauthoritiesforgovern-mentagencies,andhavenotbeensubjecttoadetailedanalysisoftheireffectsandchallengestoimplementation.Participantsrepresentedthepublicandprivatesectors,aca-demiaandthinktanks,industryassociations,andthemedia.TheexercisewasconductedundertheChathamHouseRule,allowingustoquoteparticipantswithoutattributingquotestoindividualsortheirorganisations.TheexerciseprovidedspecificinsightsforAustraliancybersecuritypolicy—specifically,howtobuildonAustralia’sCORPORATIONExploringCyberSecurityPolicyOptionsinAustraliaIgorMikolic-Torreira,DonSnyder,MichellePrice,DavidShlapak,SinaBeaghley,MeganBishop,SarahHarting,JennyOberholtzer,StaciePettyjohn,CortneyWeinbaum,andEmmaWesterman•Aninterdisciplinaryexercisegeneratedthreeover-archingpolicyrecommendationstoimprovecybersecurityinAustralia:Createandenforcetechnologysecuritystandards,craftinternationalagreementstoaddresscybersecuritychallenges,andimproveriskawarenesstokeepuserssafeonline.•Therewasbroadconsensusthatthepolicydomainwillcontinuetostruggletokeeppacewithtechnologicalchange.Therefore,ideasandsolutionsdeemedmostdesirableallowedinnovationtoflourishwhilesettingstandardsforsecurityandcreatingmechanismsforrespondingtoattacks.•Debateamongexerciseparticipantsindicatedanunderlyingtensionbetweenrisk-basedapproachesandcompliance-basedinterventionstoimprovecybersecurity.•Thesolutionsidentifiedarenotimmediatelyexecutable.Futureexercisescouldconsidertheirsecondaryandter-tiaryeffects,andthistypeofanalysisisessentialbeforesolutionscanbeimplemented.•Futureexercisescouldconsiderhowpolicydevelop-ment,includingtheAustralianGovernment’snextCyberSecurityStrategy,shouldchallengeassumptionsaboutgovernmentroles,responsibilities,andauthoritiesandincentiviseabroaderrangeofgovernmentandnon-governmentalstakeholderstoparticipateinbuild-ingandimplementingcybersecuritysolutions.KeyfindingscurrentCyberSecurityStrategyreleasedbyPrimeMinisterMalcolmTurnbullinApril2016.Thestrategywasdesignedtoaddresscyberthreatsaffectingnationalsecurity,includingcriminalactivity,espionage,sabotage,andunfaireconomiccompetition.ItcallsforAustraliatoworkwithalliestopro-moteinternationalnormsofbehaviourconsistentwithafree,open,andsecureInternetandtofosterpublic-privatepartner-ships.Figure1showshowtheCyberSecurityStrategypresentsthecurrentstateofcyberconnectednessandrelianceinAus-tralia.Thestrategyalsoissuedacalltoactionfordevelopingandstrengtheningpartnershipsandcyberdefences,assertingSOURCE:CommonwealthofAustralia,DepartmentofthePrimeMinisterandCabinet,Australia’sCyberSecurityStrategy,Canberra,2016,p.14,(CCBY4.0).RANDRR2008-184%ofAustraliansmallandmediumbusinessesareonlineMostAustraliansspendalmost1dayonlineperweek2in3Australianshavesocialmediaaccounts90%ofAustralianswillbeonlineby20171in2AustraliansmallandmediumbusinessesreceivepaymentsonlineThemarketforconnectedhomedevicesisexpectedtogrow11-foldby2019By2019,theaverageAustralianhouseholdwillhave24devicesconnectedonlineFigure1.AustraliansarebecomingincreasinglyconnectedonlineAustralia’spositionasachampionforresponsibleactivityincyberspace,promotinggrowthandinnovation,andbuildingthecountry’scyberexpertise.Inhisopeningremarksattheexercise,theHon.DanTehan,MP,MinisterAssistingthePrimeMinisterforCyberSecurity,statedthatmaliciouscyberactivitycostsAustralia’seconomyAU$1billionperyear,withadditionalnon-financialcostsassociatedwithactivecyberespionageagainsttheAustra-lianGovernmentandeconomy.Hechallengedexercisepartici-pantstothinknotintermsofawhole-of-governmentapproachbutamuchwiderwhole-of-communityapproach.Australia’sCyberSecurityStrategywasdesignedtoaddresscyberthreatsaffectingnationalsecurity,includingcriminalactivity,espionage,sabotage,andunfaireconomiccompetition.2INSIGHTSFROMTHEEXERCISEParticipantsfromoutsidetheAustralianGovernmentexpressedageneraldesireforthegovernmenttotakeresponsibilityforthechallengesofc