In-Depth: Damien Manuel
Exploring cybersecurity's key concepts that we hear in the media yet don't know much about. As people around the world settle into the new normal of working from home and Zoom meetings, how vulnerable are we? The government is being proactive towards possible threats that may arise, yet what are the main focuses of these threats? Hear about the evolving changes occurring in the cybersecurity industry.
How can you protect yourself from state-based actors?
How much is the government to blame for cyber interference?
What does the future look like for Australia's security defences?
How important is investment into cybersecurity?
Why should you care about cybersecurity?
Genevieve 0:02
Welcome to Global Questions by YDS, the podcast breaking down global politics for young people who want to know more. I'm your host Genevieve Marcocci. For today's episode, I am joined with Damien Manuel, the chairman for the Executive Advisory Board for Cyber at Deakin University, as well as the chairman of the Australian Information Security Association.
Damien 0:24
It's about I guess, using a platform in the right way to get outreach and communicate with a large number of people without kind of going beyond those boundaries.
Genevieve 0:34
Today, we are discussing cyber security through exploring the current stance of the Australian Government on individual privacy data, what the future holds and how you can protect yourself. To start us off, I'm just going to ask you a few questions to clarify, for our listeners some terms that I think are commonly used, or we hear in the media. So first one is: what is cybersecurity?
Damien 0:59
So cybersecurity is really a field that deals with not just technology, but it's also dealing with human behavior, business processes, law, regulations, policies and standards. And it's got to do with protection of people from unauthorized access into networks or data leakage, for any kind of digital sort of technology. So, you know, cybersecurity could be as simple as ensuring somebody doesn't break into your home PC or Mac to as complex as protecting the Australian public from what they call state actors or, or foreign governments.
Genevieve 1:40
That leads me into the next question, what exactly is a state based actor?
Damien 1:45
Yep, so state based actors tend to be one of four typically, it's either a reference to China, North Korea, Iran, or Russia, at the end of the day, you'll often hear the language about, you know, nation states or state based actor, they'll often be referring to one of those four countries. That doesn't mean that they're the only countries that are involved in cyber attacks or cyber espionage. You've got Israel that's involved, U.S. is involved, Australia's involved. So just about every single country will have a team of people, which will be what they call an offensive force, who have the ability to attack other countries and disrupt criminal networks as well.
Genevieve 2:29
Why exactly is this term used?
Damien 2:33
So attribution is a really difficult thing. And what attribution means is calling out who the specific attacker actually is. And so a lot of governments shy away from calling out specific governments or specific attacks by certain governments. Because there is a chance that while we might think for example, an attack was from China, it could have actually been perpetrated by another group that was based in so for example, Russia. So they might have connected to some systems in China taking over those systems, and then continued from those devices that they now control to then attack Australia. And so when you've got that kind of scenario, it easily looks like you know, at a high level that it could be China attacking Australia. Whereas in fact, it could be a lot more complex than that. You've also got the challenge where criminal syndicates are now outsourcing their services to governments around the globe. So what could often happen is an attack could be, for example, purchased by a particular government, but a criminal syndicate at arm's reach is actually perpetrating the actual physical attack.
Genevieve 3:39
Is there a difference between cyber risk and cyber threat?
Damien 3:43
So cyber risk and a cyber threat... So think of a threat as the things that could happen to you, and think of cyber risk around what are the kinds of the consequences of something that could occur. So one's the threat in terms of the action that could occur, think of it along the lines of disruption of services, disruption of data streams, maybe contamination of information and data, so you no longer trust it. That could be theft of intellectual property or data. So they're kind of your threats, and then you've got your threat actors, and there's different types of threat actors. And then cyber risks are the things that can happen to you, you as an individual or your organization, which might be you know, you lose money, you lose customers, because suddenly you've exposed all of their client information and things like that as well. So it's a bit of a fine line. But think of sort of risks as the things that could occur to your organization. And there are controls that you could put in place to either mitigate it or reduce the risk. Whereas the threats are really the things that could happen, or attack you or the threat actors that could put, you know, really sort of attack you in some shape or fashion to disrupt your organization or steal your identity, etc.
What happens during a cyber attack?
Yep. So depends on who the perpetrator is and what their motivation is, as well. So you've got different types of what you could call threat personas or threat actors. They range from people that are just curious about a system. And so they'll attack a system to see how it functions, how it responds, is it something that they can take offline temporarily, it's really kind of understanding how they could break something. Then you've got your script kiddies who tend to be people that just find a tool that they've got on the internet, and they'll use that tool to attack another organization or an individual, then you've got hacktivism. Hacktivism is just like you've got advocates for preventing climate change disasters and sort of protecting natural environments, you've also got the equivalent from a hacking perspective. So rather than sort of barricading yourself in front of a building, a hacktivist group might target for example, a bank that lends money to a coal mine, and try and disrupt their systems and take them offline, then you've got criminal syndicates, which are obviously trying to attack individuals and countries and things like that, for monetary gain. You've got insiders, often called trusted insiders. There's different motivations for them as a threat, they could either be dealing information from organizations, because they're under duress from, for example, another entity with a government activist group, etc., or a criminal syndicate. Got people who release information because they have seen something that doesn't gel with their ethics. Bradley in the US Army, just trying to remember Bradley's name, Bradley Manning. So Bradley Manning, who's now become Chelsea Manning saw some atrocities being committed and released that information to the general public, because they didn't agree with what the US government was doing to civilians in another country.
So that's kind of an example of an ethical insider, if you like, then you've got, you know, those that are doing it for greed, maybe they got passed over for a promotion, and believe that they should have been rewarded in some way. So they're, you know, inclined to kind of steal, then you've got those that have got challenges with alcoholism, gambling debts, and so they're looking for a way to kind of recharge cash. So you know, that they're another sort of aspect or motivation. And then you've got governments, and governments have got two aspects. One is governments that want to control their citizens, and governments that want to attack other countries for political gain, or they're attacking other organizations to steal intellectual property. Like a really good example of that would be if I was China, and I was in a trade negotiation over the cost of iron ore, it would be in my interest to attack a mining company to steal internal information that highlights how much it costs them to pull the iron ore out of the ground. And then that gives me now a negotiation advantage where I can say, I'm not willing to pay price A, I'm only willing to pay price B. So there's kind of different motivations in terms of why these attacks occur. Sometimes attacks occur for political reasons. It's just a way to kind of slap another country back to say, hey, we've got this capacity, you know, toe the line with us, or we're going to inflict some damage or pain. And then other aspects, it's really to steal intellectual property. If you look at North Korea, North Korea is involved in a lot of scams of Australians. And the main reason for that is because they're a country that's being sanctioned by the rest of the world. The only way that they can really generate an income is by attacking individuals in different countries to scam them out of money, and then sort of find mechanisms to launder that money so that it eventually gets to North Korea.
So there's kind of different motivations for why you get cyber attacks, particularly from sort of nation states or criminal organizations as well.
Genevieve 9:23
Yeah, there seems to be a really large spectrum of reasons. Are there any other terms you think are worth clarifying?
Damien 9:31
Probably understanding that cybersecurity is really not just about technology. A lot of people seem to think, you know, cybersecurity has got to do with the IT department. It has really nothing to do with the IT department, it's really got to do with the whole of an organization or you as an individual. For example, you know, if you're using some sort of device, you need to know the consequences of your actions using that device in terms of you know, who has access to that information, by clicking on something am I going to get phished? Phishing is probably another term that maybe some of your listeners have heard. Phishing is when somebody will send you an email and they pretend to be a particular individual with the view of trying to get you to click on a particular link. And when you click on that link, it'll either download malicious software to your device, or it'll trick you into what's called a social engineering attack, to convince you to provide, you know, credentials, whether that be your credit card information, date of birth, your address, passport numbers, many key numbers, anything that they could use to potentially steal your identity. Another form of phishing is called vishing. That's where you're doing a similar sort of thing where you're tricking people over the telephone. And then there's also smishing, which is using SMS. So rather than using email, you send an SMS to somebody because it's very easy to fake who the sender is from. And so I could send an SMS that looks like it's from one of your, you know, your parents or a relative, saying, you know, something urgent has come up, I need you to click on this link to help me. And then you click on it. And then before you know it, you know, either your phone or your device is infected, or I've tricked you into giving me some additional information that I need to steal your identity.
Genevieve 11:15
Interesting. Yeah, I love that phishing, vishing and
Damien 11:17
Smishing. Yep.
Genevieve 11:19
Easy to remember! What is your view of the current threat environment at the moment in Australia?
Damien 11:26
So I think threats from outside of Australia are always increasing. And I think with COVID-19, and the kind of issues that that's caused for society in general, both in Australia and sort of globally, you'll tend to find that in times of uncertainties, organizations will make mistakes, which will lead to huge monetary losses because they're being scammed or tricked into doing something. Criminal syndicates and other governments are always looking for ways to try and increase the amount of money that they bring in. People are trapped at home sort of in lockdown most of the time. So they're online more. So they're more susceptible, you could say spending more time online as well. It's a heightened time where criminals are starting to become more and more active, where they're using COVID-19 as a lure to try and trick people into clicking on things. And I think just in general, because you've got more and more kids that are being online as well around the globe, that that's sort of an environment where I guess they're kind of ripe for exploitation, if that makes sense, particularly if they don't have the right sort of education sort of underpinnings.
Genevieve 12:35
So what do you think is Australia's biggest threat right now?
Damien 12:39
So I think our biggest threat is mainly from criminal syndicates, I put it into two, two sort of sections. One would be you've got your political, you know, national interest, sort of threat, where as different countries jostle for different sort of levels of dominance, both from a trade and a negotiation perspective, you've got a threat to Australia, where, you know, we're a fairly small nation, you know a bit over 25 million people, when you consider the amount of impact we might have on the rest of the world, it's fairly small. However, we are a country that's very rich in terms of resources. And we have a lot of people in this country that have got a high standard of living. So you know, if you compare Australians to say, for example, some of the poorer countries in Africa, you're more likely to try and scam people in Australia than you are people from Africa. I think the other thing from a societal perspective is we're using a lot more technology these days, and people really don't understand the risk of the technology that they're using. So it's estimated that there's about 1.2 million households in Australia that have a router on their internet service, which is actually vulnerable, which means that that router could be potentially hacked or compromised by a foreign government or a criminal syndicate, either based overseas or one based in Australia.
Genevieve 14:03
How often does politics actually come into this cybersecurity sphere?
Damien 14:08
Oh, huge. So if you look at Russia, Russia is a classic example. And they're really, really good at doing this. It's called information warfare, or information manipulation. So you think about the consequence for democratic societies to be manipulated by countries that don't necessarily have a democratic process. They can manipulate democratic societies quite easily by using social media. So you know, there is some interesting research out there where if you put an image with a statement on social media, people are more likely to believe that because it's got an image 60% of the time. So if you know if you're a country like Russia, you'd set up thousands of fake social media accounts. You'd get those social media accounts, you know, posting fake reviews, fake information. And then you get those other accounts promoting it. And then suddenly it becomes a conversation that other people start to pick up on. And then also start to echo as well. You know, we've gone from, you know, the World War One, World War Two of dropping sort of pamphlets of propaganda, to now moving to a digital version of propaganda and using social media networks as that mechanism to propagate it. What's really disturbing is that a lot of people no longer listen to trusted news sources. So say, for example, you know, listening to ABC News Radio in Australia, or watching ABC on, on TV. Instead, a lot of people are getting their news sources from social media networks. In the US, 68% of Americans get their social, or get their news from social media sources. So you can see how easy it is for, you know, a country like Russia to try and pollute the social media in terms of what's true, what's not true. And then for citizens to start believing that and then buying into that narrative, which then changes the whole political dynamics of who people will vote for.
Genevieve 16:05
Right. So that's purely just on the basis of changing people's votes and to gain, I don't know, like hinder their global reputation of another country, maybe?
Damien 16:14
Yeah, one hundred percent. Like, if you look at what's happened with the US, since Trump's gotten into power in the US, the reputation of the US by the rest of the world is quite low. You've got somebody in the White House, who is very damaging to things like the WHO, which, you know, we need more than ever, in sort of this pandemic time, very damaging to NATO, you know, the damage to NATO is in favor, for example, for Russia, because Russia wants to push NATO back from what used to be its territory, and make sure that there's no encroachment. So we have to always be very careful about things that we read on social media, particularly when we've got social media that doesn't flag things, you know, like Facebook, in terms of whether it's fake news, or actually something legitimate. And then you've got a President who's able to, due to the huge Twitter following, push more additional fake news into sort of social media to kind of help build their political base as well.
Genevieve 17:13
How has the Australian Government kind of addressed the threats you've described?
Damien 17:17
It hasn't really. Information warfare is quite insidious. And you know, it could start with something being posted on social media that then gets picked up by mainstream media. And the next thing, you know, it's presented as fact, and there's no actual legislation in place to stop these social media sort of giants from the perpetuation of that information. I think the biggest sort of change that's happened with social media sort of recently was the stuff that was introduced by New Zealand, after the Christchurch stuff where they were saying, portrayal of violent material from, you know, mass killings, and everything should be banned from social media. We need a similar sort of thing happening with misinformation on social media. It's one thing to have somebody, you know, posting something, which might be misinformation on an individual level. It's another thing when you've got thousands and thousands of accounts that are controlled by a government that are doing that on social media to change an election outcome or to sway popular opinion in one direction or another to sway policy. I'm really surprised that China in its issues with Australia over Huawei haven't really gone down that path of trying to dominate social media, and use that kind of as a way to force the Australian Government to allow Huawei into the 5G network. You know, we've seen Huawei change their marketing material, talking about how they've been in Australia for 25 years, and that they're part of the Australian ecosystem, and that they've been helping Australians, but we haven't really seen sort of the level of influence that Russia has from China. And I think that's probably something that China's going to start learning more of from Russia.
Genevieve 19:09
Do you see the responsibility of kind of mitigating these threats as solely borne through the government legislative power?
Damien 19:19
I think there's, there's going to be some aspects for social media giants, where you need to have, you know, some sort of legislation to kind of rein them in and actually put controls in place that can flag or highlight to people that you know, the content that they're reading is not from necessarily a trusted source, or the content that they're reading has been flagged as false and untrue. So I think that needs to be done. Because when you think about it, for a social media giant to implement that and to try and keep up with the volume of information that's flowing through their networks, if they're going to employ people to fact check things, that's a huge undertaking, a huge amount of cost to those organizations. If they implement an artificial intelligence system, then they need to have some process in place to correct it when you know, the artificial intelligence system goes astray. Because again, artificial intelligence systems can easily be manipulated by, you know, individuals or foreign governments as well. And I think those things really need to have some sort of legislation in order to encourage and force those media giants into putting those controls in place, a bit like car seatbelts weren't mandatory. So then therefore, car manufacturers didn't include seatbelts, even though seatbelts would save lives. And they knew that. And it wasn't until it becomes mandatory under legislation that suddenly now, you know, seatbelts are not even thought of, from a manufacturing perspective, because it's just a requirement that they have to adhere to.
Genevieve 20:48
The government has recently kind of realized because of the recent cyber attack from a state based actor, that there's a need to increase our cyber security. How come, it's just, our cybersecurity is just taking a turning point now, do you think?
Damien 21:09
So I think what's unfortunately happening is cyber security is becoming politicized. So if you look at the cybersecurity strategy that Malcolm Turnbull introduced in 2016, that was a really bold move forward. Because you know, prior to that time, cybersecurity was always important, but it was kind of always in the back room that was always considered, you know, the IT sort of geeks that had to do the cybersecurity bit. Really that kind of government policy level setting in terms of, we're going to appoint a Cybersecurity Ambassador to talk about cyber norms and sort of normalizing behavior in cyberspace with other countries. The implementation of the Joint Cybersecurity Centers around the major states and territories to formulate an environment where you could get academia, industry, government, and researchers coalescing and sharing and working on problems together were all sort of bold steps and helping to sort of push us in the right direction. Unfortunately, with a lot of it, the execution fell down and kind of became corrupted, particularly when Malcolm was toppled as the PM and Scott Morrison sort of took over. And so now, late last year, there was the Cybersecurity 2020 Strategy sort of revival component, the government really hasn't done anything with it, it's been delayed due to COVID-19, there are going to be budgetary challenges, because now there's suddenly not enough money to fund activities. So what you're probably going to see is the government pushing a lot of the things that they think need to be done back to industry and back to consumers. The funding announcement that was made was really just a reallocation of funding from one part of defense to another part.
So you know, the cynic in me is kind of saying that this is a way for them to enter the conversation, again, around legislation that they want to introduce in December, which may impact you know, privacy and civil liberty under the guise of, "Hey, we need to do this to try and protect the whole of the country". So you know, there's a fine line between privacy and protecting the nation, and so your civil liberties as well. And we have to be really careful not to erode our privacy and civil liberties at the expense of saying we need to do this either for cybersecurity or for terrorism.
Genevieve 23:35
So with a recent cyber attack, do you think it's safe to assume that China was behind it? Because there was all this rhetoric that you can't assume, but because of what's going through the mainstream media recently, it would be hard for society not to link the two together.
Damien 23:53
Agreed. It's just one of those things where it's safer to really probably realize that cyber attacks are happening all the time, across a number of countries. So you know, what we are even being, you know, you could say being attacked by allies as well, because, you know, even though countries are allies, they are actually also spying on each other in terms of: is this one doing something? Is the other country doing something that we're not happy about? So I guess it's just safer to assume that every government is looking at a way to attack Australia for their own national gain and sort of sovereignty. And if you take that perspective, then it really doesn't matter whether it's China that's attacking us, Indonesia, or Iran, the US, Brazil, etc, or, or even India. At the end of the day it's about improving our resilience as a country and improving our resilience as a citizen to make sure that it's harder for cyber criminals or foreign state actors to actually get the information that they need. Probably another classic example was, do you remember the low point that we had with Indonesia? Where, you know, some things were being said by the government of the time that really upset the Indonesian government. And, you know, it went to a sort of a political low point. There were hacktivist groups in Indonesia that were attacking any organization in Australia that had the word national or Australia or Commonwealth, because they figured that that was a way of getting back at the Australian Government. And so victims of those sort of attacks would be banks, for example. They're not necessarily a government entity, they both have the word national; another bank has the word Commonwealth in it. If you're an organization that had the word Australia in it, even though you might not be linked to the government, you just have the word Australia in your company title, you were a potential victim as well. So cyberattacks can also be a political tool that gets used as well.
Genevieve 25:49
So is this the biggest cyber attack we've seen in a while or ever even?
Damien 26:13
No, I wouldn't say it's the biggest cyber attack. Because when you think about cyber attacks, you've got to think about them in a couple of different contexts, because you've got what's called a Distributed Denial of Service attack. And that's where you're getting thousands of what are called bots, or zombies. And these are machines that have been taken over by either a country or criminal syndicates on the internet. And then once you've got control of, you know, these millions and millions of devices, you point them all at one particular service or one particular organization. And so those thousands and thousands and millions of requests, overload that system, or flood the pipe, if you like the internet pipe, that's kind of large volumes of data. And then you've got the other scale, which is talking about the value of information that's stolen in terms of stealing the Joint Strike Fighter Aircraft plans, or stealing the plans for new ASIO buildings and things like that. So you've got volume versus the importance of data. And it's really difficult to kind of measure which one's more important.
Genevieve 27:16
Have we had many attacks like this before?
Damien 27:19
So we've had many attacks on different organizations, you know, you could say ongoing attacks, but they're not necessarily structured, you might have criminal syndicate A and criminal syndicate B and criminal syndicate C attacking different organizations or different people within Australia, who are not necessarily all being coordinated, if you like by somebody behind the scenes. So it's probably more important, I guess, first to be worried about coordinated attacks that we are potentially seeing that being directed by a particular country.
Genevieve 27:52
So this was a coordinated attack though, was it?
Damien 27:54
So there's not enough information that's come out, there's been a lot of speculation, and the government hasn't released sort of enough details, which is a shame to kind of highlight where the actual threats are, and what the motivation for the threats are. And it's kind of left a lot of people in industry kind of thinking, well, is this just the normal background stuff that we see all the time? And hence, this is a political beat up? Or is there something more sinister going on? Or is this just part of the trade tensions that are occurring at the moment between Australia and China?
Genevieve 28:26
Yeah, is there much advantage to the government to conceal information like this?
Damien 28:31
I suppose the advantage to the government is if you're in sensitive negotiations with a trading partner, and you've got two different cultures, so you know, there's the westernized culture, and then there's the Asian sort of culture aspect, or even if you're talking about, you know, somebody like Russia, or European culture, again, you've got sort of different cultural things. It may be in the interest to not attribute the attack to any specific country, and to not disclose what type of attacks were occurring, because that might, through analysis lead people to actually point the finger at a particular country, but it may be a way for them to just highlight to that country that, hey, we're publicly aware of this, we're going to start increasing our defense capability and our offensive capabilities. Let's get back to the trade negotiation table rather than sort of slapping each other in the playground behind the scenes type of scenario.
Genevieve 29:26
What role does trust have between the government and information sharing with industries?
Damien 29:33
So I think there's a challenge. So if you look at the challenge from industry's perspective, industry and citizens are quite skeptical of government, and I think that's because of all the technology failures that government's had. And even when you look at the latest around the COVID-Safe app, the government pushing very hard for everybody to install the COVID-Safe app when all along it knew that it was quite ineffective for people that are on iPhones. Whereas if the government had have come out and said you know, we'd like everybody on Android devices to install the COVID-Safe app, the Apple one will be released while we, you know, after we resolve a particular issue that we've raised with Apple, you know, that could have been a more transparent, open approach, no surprises, and then that kind of helps to build trust between government and industry. The challenge that government has, from an industry perspective is if you have intelligence that is critical to a particular sector, there's two aspects that you've got to think about: Do you disclose that information and help the sector and at the same time, show your hand to whoever it is that you've got the intelligence from, or declare your hand to those criminal syndicates or foreign governments that, hey, actually, we know what you were already doing? And we've kind of discovered it. And then by some accounts, by giving that information to industry, can you trust that everybody in industry is working for the benefit of the country as well? Who's to say there's not a few rotten apples that are also working in industry that moonlight and work for criminal syndicates behind the scene as well? So it's that trust of information flow. I don't know if you've ever seen the movie, The Imitation Game, similar sort of thing during, you know, the World War, you know, when they cracked the Enigma?
Do you give the information to save the troops, and then kind of show your hand that, you know, to the Germans that actually you've cracked the code? And so now they can just switch to something new and change the behavior? Or do you try to minimize the fact that you actually have the ability to intercept information and you know, how they normally behave and the patterns that they respond to, and still let certain attacks occur, but then try and bolster defenses behind the scenes? So it's that fine balance.
Genevieve 31:52
And obviously, a lot of citizens will also be very skeptical of COVID-Safe app. So I would assume that there's also a bit of a challenge there between trusting government and citizens to do the right thing.
Damien 32:05
Yep. Yeah, there is. And, you know, I think that the current government's had a fairly poor track record. And I think mainly because of some of the legislation that's been passed, while well intended and, you know, you could say, for the right reasons. The unintended consequence of the outcome of that legislation hadn't been fully thought through. You know, one of the examples is, I don't know if you remember the metadata legislation that went through a number of years ago that legislation, and it was quite surprising. The mainstream media and the public didn't blink or bat an eyelid when that legislation went through. Everybody was just too engrossed in Barnaby Joyce's inability to explain what metadata was to really think about the consequences of what the legislation meant and, and what kind of impact it would have to people's privacy. So as a consequence of that legislation, every internet search you make in terms of every address that you go to, or visit, every telephone call you make, you know, the duration of the call, who you're calling, the location you're calling from. All that information is all recorded now by the telecommunication companies. And that's now accessible by certain agencies for two years. So they've got two years of information of what's called metadata. And metadata, really, for people who are not familiar with it. Think of metadata as your digital trail, it's kind of your digital footprint of where you've been and where you're going on the internet. It's not the actual content of the webpage that you were surfing, but they know the web address that you went to, they know how long you spent there, and all that kind of stuff. So think of that as the metadata.
Unfortunately, when you collect a lot, a lot of metadata, technology systems are so advanced now that you can actually perform some fantastic analysis on that metadata, where you can start to uncover people's behavioral patterns, you understand what kinds of things they like, you could even start to discern things like sexual preferences, political parties, and all that kind of stuff, in terms of the frequency or the types of things that people are actually going to. And all that information can be used, if you had a government that was corrupt, against the citizens. With the metadata that's been collected today, we've started to see local councils even access that metadata. There was an instance where somebody had illegally dumped rubbish down at a particular location. And so a council went to the telecommunications company and said, "Okay, here's the date. And here's the time period, we want all the location information of who came into that area during that time period." And so yes, while it's good to be able to track down who's illegally dumping rubbish, the negative aspect of that is a whole lot of innocent people got swept up in that search, if you like, for, you know, who was actually the perpetrator of that crime and so that impinges on people's privacy and it changes the way people behave and the way that people act in society as well, which is not necessarily a good thing.
Genevieve 35:10
Was that the intention of the legislation like to be able to track people more?
Damien 35:15
The intention was really for sort of government agencies to track and look for terrorist behavior in the time when everybody was kind of thinking of ISIS and Al Qaeda and stuff like that. But unfortunately, we didn't limit it to just that. And so as a consequence, it can be used for so many other conditions as well, there's no reason why the government couldn't have used the metadata that's already collected, there would have been a political hot potato, but they couldn't use the metadata to look for virus cases, and use that as a silent behind the scenes mechanism to do contact tracing. So I guess, you know, on the one hand, you have to say congratulations to the government for coming up with the COVID-Safe app, because they were trying to keep the two things separate. But you know, there's no reason that they couldn't have done that.
Genevieve 36:03
Now, that's so interesting. You're saying it's kind of a bad thing because it's impinging on people's privacy? How does that information actually benefit, say, an enemy or a threat?
Damien 36:14
Yeah, definitely. So you've got two aspects. One would be, if a foreign government was able to get access to that information, you've now got a honeypot, which is really just a collection of information that could be very, very interesting, that government could then sort of access and extract. If you looked at it from a domestic perspective, today, we've got a government that's fairly stable, doesn't matter whether you're, you know, Labor, Liberal, Greens, or some other sort of party, but who knows what our government will be like, in 10, 15, 20 years time? And so as all this kind of legislation starts to encroach on civil liberty and privacy, you could have a scenario, imagine if we, for example, had a government a change of government, and the change of government, you know, regardless of party, was a bit like what's happened with Trump in the US. And you've suddenly got this blurring between the lines of legislation, and the government using law and legislation against their political rivals to, you know, stifle debate, maintain power, and all that kind of stuff, you can see how quite easily, you know, information can be used to kind of corrupt the system.
Genevieve 37:26
Are there ways that people can protect themselves?
Damien 37:29
Unfortunately, with the metadata laws, it's very difficult. And what you could do is you could have a VPN service. So there's a lot of companies that offer a VPN service, they tend to be companies based in Panama, or countries or jurisdictions where Australia and other countries don't have legal recourse to request additional information. So what ends up happening if you install these applications on your, you know, your Mac, your PC, or your mobile is all your data connections actually run through a private channel, which is encrypted, and then it pops out the other end when it has to get to its destination. So it makes it harder for the government and the agencies to actually track where people are going. However, that's nothing to say that the service that you're using today couldn't be made illegal tomorrow, or that that government that that service is based in couldn't be persuaded in some shape, or form to hand over records or information. So it's kind of a transient thing where you could say using a VPN service is quite safe and secure now to kind of hide your tracks in terms of where you're going and provide a bit more privacy or, you know, switching to things like Signal. And there's a couple other sort of SMS tools that you can switch to where it's encrypted point to point. And that makes it harder for the government to actually eavesdrop and see what you're doing. But then you've got to weigh that up with convenience. And then you've got to think about, well, why am I so worried about stopping the government from seeing what I'm doing? When if I've got social media like Facebook, and I'm telling everybody what I've had for dinner, or where I've gone and all that kind of stuff. So it's that double-edged sword, you get some people which are very concerned about privacy and civil liberties, but then are quite happy to disclose absolutely everything that they're doing on social media.
And really, if you're going to be a privacy advocate, you'd probably not want to use things like Facebook and certain social media services.
Genevieve 39:25
Yeah, it'd be hard to be an advocate without those platforms as well.
Damien 39:28
Yeah. And you got to think about: Can I use a platform in a way where I can advocate privacy, but then by the same token, I'm not publishing my kid's photos and things like that, or showing people inside my house, what I've just eaten for dinner or lunch type of things. So it's, it's about I guess, using a platform in the right way to get outreach and communicate with a large number of people without kind of going beyond those boundaries.
Genevieve 39:55
So my final question is: Do you have hope for the future of our cybersecurity laws and it protecting what it needs to?
Damien 40:04
There's always hope that things can improve. The trend at the moment is we seem to be moving as a society to become more and more like America, which is not a great thing. So, if you look at American society, American society really lives in fear. They live in fear of: the terrorists are gonna get us, the terrorists are gonna do this, the terrorists are gonna do that. When you're a country that is driven by fear it is very easy for the government to pass certain legislation that takes away certain privacies and civil liberties because people will say: Oh, I've gotten nothing to hide I'm innocent so I'm quite happy for the government to look at everything I do. But at the end of the day, people only function properly and well when there is a certain level of privacy and civil liberties. Encroaching into privacy and civil liberty stymies innovation, it reduces creativity. And really for those people who say I've got nothing to hide from the government, you can always ask them questions like, "Well tell me what your favourite sexual position is" or "How many people have you had sex with in the last 5 days?" And just keep asking those questions until you get to the point where someone will say, "Well that's none of your business why do you want to know?" And that's the exact point you want to get them to. Because then it's suddenly the realisation that everybody doesn't need to know everything about what I do. As long as I'm a citizen that abides by the law and regulation of the land, and I respect other people, I should also be respected and have some privacy as well.
Genevieve 41:33
Yeah, that reminds me of a few of those futuristic Black Mirror episodes. Do you have anything else to say, maybe?
Damien 41:40
Yeah, you've raised Black Mirror, and there's a really interesting, I haven't seen the episode myself, but I've been told about it and I saw a similar thing on those comedy sci-fi things which was around social rankings and ratings. Well, what's really interesting is that China implemented a social ranking and rating system. So, depending on what school you go to, what things you post online, who you're connected with, you get a particular rank or rating. That rank or rating if it goes too low, can inhibit you from access to services or travelling to certain regions and all that kind of thing. So if you think about how scary that's getting, that's a great way for China to control the population, imagine if we had something like that here. Where you said unless you enter certain schools or had these political thoughts or affiliations, you are not allowed to get a job in a certain area. You start to create this kind of class systems and a caste system if you like, and unfortunately, I can see that's how technology is kind of driving our future. That is quite a scary future when you think about it, particularly when China is currently doing that and implementing it in their society.
Genevieve 42:49
So, there's not really that much hope in terms of going back to that giving people more privacy, do you see us going back to that at all?
Damien 42:58
I see, you'd probably need a large event to have occurred. So, if say, for example, there's a change in government, and over time there was a government that crossed the line. And there was still enough press freedoms for that to be openly declared, and the press wasn't being hounded by Australian Federal Police and warrants and things like that as a mechanism of silencing information in the interest of public good getting out. There could be a scenario where you get another Watergate moment, where everyone stands back and says, "Wow that was so bad, we're going to now vote that government out". And the next government that is put in place has been entrusted to unwind some of the things that have been implemented over time. It's a fine balancing act, and it really requires people to look at legislation, people to have healthy robust debates, and to have those debates in a respectful way. It's also really important that we don't lose things like critical thinking, and I think the government's stance on humanities subjects for example, and making them more expensive because they view them as being less important, because they viewed them as not having the jobs there, is a huge mistake. Cybersecurity really needs people who have got critical thinking skills, cyber security's not just people who attack, geeks that know how to code. It's about understanding philosophy, it's about understanding human behaviour, psychology, politics, negotiation skills, there's a whole range of things that are needed. So I think it's kind of short-sighted what they've done with uni fees around humanities subjects in favour of other subject areas.
Genevieve 44:38
I did a Bachelor of Arts, so I know. A lot of industries come back to human behaviour and yeah, understanding politics and fundamentals through those kind of degrees, but thank you so much for your time though Damien. That was really interesting, 'cause it's really shed a light on where the government's been and where they're at now, so thank you so much for that.
Damien 44:57
No worries, I'll end with one quote for you that's a really cool one for the time. Albert Einstein said in an interview in 1926, "Imagination is more important than knowledge, knowledge is limited and imagination circles the world." So that's the plug for imagination is more important.
Genevieve 45:13
Thank you so much for that.
Damien 45:16
No worries, take care.