AUSTRALIA’S E-ENVOY
One of the world’s few cyber affairs ambassadors, Tobias Feakin is on a mission to get countries talking more about how to keep the online world safe for everyone. By Erich Parpart
Step into the office of Tobias Feakin during lunchtime and you might hear the pulsing bass of Jack Bruce from 1960s legends Cream or the latest album by Circa Waves, a Liverpool-based indie rock band of more recent vintage. Listening to music, he says, helps him unwind, and a taste for British bands reflects his time spent studying in the UK.
Running half-marathons and participating in triathlons are among the other offline pursuits of the former high-school bass player who now serves as Australia’s first Cyber Affairs Ambassador. Still, he finds it hard to kick the work habit completely.
“One of the dangers of being a researcher by background for so long is that I treat music like a research process too,” he told Asia Focus during a visit to Bangkok last month.
Mr Feakin is carving out a new slice of decidedly 21st century diplomatic territory, leading his country’s international engagement in national security, foreign policy, economics, trade and development interests on the internet and in cyberspace.
Prior to his appointment in November last year, Mr Feakin was a member of the independent panel of experts that produced Australia’s 2016 Cyber Security Strategy. He was also director of national security programmes at the Australian Strategic Policy Institute from 201216, helping to establish its International Cyber Policy Centre (ICPC) with a mandate to promote greater understanding and debate in the cybersecurity field in Australia and Asia Pacific.
Ambassador for Cyber Affairs is a relatively new position on the Asia Pacific diplomatic scene — apart from Australia, similar positions exist only in Japan — but it is more necessary now than ever. The recent global spread of WannaCry ransomware is a perfect reminder of why we need new types of international relationships to combat the growing threats to essential communication systems.
“One of the reasons my job exists is the fact that one of the strongest factors in fighting cybercrime, cyber threats in general, are actually international relationships and cooperation,” explains Mr Feakin, who holds an honours degree in Security Studies and a PhD in International Politics and Security Studies, both from the University of Bradford in England.
“It would be incredibly rare to find a cyber incident of some sort that didn’t have an international linkage, so that is where my job comes in and where the regional partnerships that we have formed come in.”
Unless countries have mature relationships that allow them to plug in, share information, discuss threats and find ways to respond to then “we are not going to be able well-equipped” to counter cyber terrorism and other dangers now and in the future, in his view.
“The WannaCry ransomware incident is a great example of the kind of threat picture that we are seeing now, where threats are global and they are shared,” he continues.
“There is an incredible flurry of information sharing, not only from governments but also from independent sources, where it was remarkable that Marcus Hutchins was, just by himself, able to discover the way of actually stopping the attack.”
Mr Hutchins, a 22-year-old computer security expert from the south coast of England who works for Los Angeles-based Kryptos Logic, managed to more or less stumble on the “kill switch” that stopped the spread of the ransomware. He told The Associated Press in May that he didn’t consider himself a hero because hundreds of computer experts also worked to fight the attack that paralysed computers in 150 countries before it was accidentally stopped.
Says Mr Feakin: “That was amazing and you can see how it is that sort of partnership approach that we have to take [to combat cybercrime]. One of the jobs that I have is not only to coordinate with governments but also engage with private-sector organisations.”
THREATS IN ASIA
To cooperate against cybercrime, he says, we have to ensure our police agencies are talking to one another, our computer emergency response teams are talking to one another and sharing information.
“It is about trying to share best practices. One of the reasons I am here in Thailand is to support some work that our Australian Federal Police are assisting the Royal Thai Police with in terms of understanding digital forensics, how to investigate cybercrime, and make sure that the evidence chain is clear and prosecutable.”
This just one of the exchanges that Australia is pursuing in many places around the region to try and raise the bar for everyone in terms of understanding threats and how to formulate responses, given that the threat picture in Asia Pacific is quite severe.
“It is a fact that there is one-third more impact on businesses in Asia Pacific from cybercrime than there is in the European Union and North America, which shows you that we are being hit hard. So there is a lot of work to be done to ensure that this is not going to be a trend that continues or gets worse,” he says.
Criminals are essentially business enterprises that will look to where new money exists and where there is less chance of being arrested for the work that they do, and Asia seems to fit their requirements at the moment.
“Unfortunately, yes, the Asia Pacific does get targeted quite extensively but, that said, it is weighing up against the fact that we are incredibly connected now in this region and there is still a huge scope for growth,” says Mr Feakin.
The rapid growth in the number of people going online, and in particular in the number of people buying and selling online, present fundamental opportunities but “unless we get our basic cybersecurity right, promote ‘cyber hygiene’, and have citizens who understand some of the basics of cyber security for themselves, then unfortunately, we might miss that window of opportunity that exists currently.”
In Asia Pacific excluding Japan, the technology consultancy International Data Corporation (IDC) forecasts the value of the security services market will surge by at least 30% in 2017 because of the scarcity and high cost of available data scientists. The region is currently the third largest market for cybersecurity products after the US and Western Europe, with expected compound annual growth rate (CAGR) of 13.8% from 2016-20.
However, Mr Feakin cautions that hardware and software are only as smart as the people using it.
“Spending [against cyber threats] can only go so far, and I think before you spend it is imperative to have a good strategy in place. First, on how to deliver a cybersecurity as a government and second, if you are business, how to deliver cybersecurity for your business based on a good strategy and a good plan which ensures excellent communication between the different elements,” he says.
“This also includes how you respond in a time of crisis. If you have created that structure and those policies, then when you make major investments that money will go a lot further, so I do not think it is all about money.”
The right structure includes leaders who are more aware of cyber security and prioritise it throughout their organisations, which is a topdown approach.
“Politicians have to think about these things because it is a strategic risk concern that they carry as leaders, and they need to prioritise in the same way,” says Mr Feakin. “We are beginning to see that increasingly, wherever you look around the globe. Former US president Obama did it a long time ago and president Xi Jinping of China has made a very clear statement about how he views this topic.”
An Australian ICPC research paper, “Cyber Maturity in the Asia-Pacific Region 2016”, assessed the approaches taken by 23 regional economies to challenges and opportunities that cyberspace presents. It reveals that the US has continued to further refine its national policy approach to cyber issues while South Korea, Japan, Australia and Singapore round out the top five.
This shows that developed economies are taking the issue very seriously. Governments are increasingly engaging with cyber policy issues as the threats and opportunities in cyberspace are better understood by regional policymakers.
Several states released new policies or strategies in 2016. Significant new legislation is being seen, including moves in Southeast Asia to update frameworks to adapt to emerging challenges and address issues in more effective ways.
Australia launched its long-awaited Cyber Security Strategy last year which promises additional funding and deeper private-sector engagement on cyber policy. In the same year, Cambodia, Laos, Thailand, China, Papua New Guinea and Pakistan also passed new legislation relating to cyber issues, particularly cybercrime.
However, the ICPC report stated that the quality of policy development and implementation remains uneven, and many states have achieved only minimal or poor-quality outcomes.
BOTTOM-UP APPROACH
The bottom-up approach in respond to cybercrime is to have more users who have more understanding about the very basic things they can do to protect themselves. This includes patching all your operating systems, making sure your software is up to date, enabling automatic updates and backing up data.
“Have a think about whether you really want to click on that link, do you really want to open that attachment, does the email look right, and just be a considered user of the information that flows through your handset or your laptop or wherever it might be,” says Mr Feakin.
“Those, for an individual, are very basic things that can actually raise the bar and then when you are applying that to an organisation, it costs money to do these things and it is not cheap to suddenly start patching all your software all the time, but it is a basic thing that is absolutely vital in order to be more resilient to attacks.”
Asia, he notes, is a study in contrasts, partly because of the wide disparity in levels of economic development, which is reflected in the cyber sophistication of each country. At the top end there are cyber-savvy countries such as South Korea where advances are rolling out constantly, but at the other end there are many countries and people at the beginning of their digital journeys so it is a wide range, he explains.
For most places that have adequately prepared against cyber threats, their governments have prioritised security from the top level, providing a function to coordinate across various units of government. This conveys a clear message of ownership throughout the departments where people know who needs to do what and when.
Various government departments then take decisive steps to engage with the private-sector, not by telling them what to do but by saying instead, “We understand that you know a lot about this issue and we don’t and we need your help.” This is the partnership approach that Australia has been undertaking.
It is hard to get people to share information across governments and across borders, and there is no magic recipe because “it is all about trust building”, acknowledges Mr Feakin. It is about taking a chance and a bit of a risk at times, but “if we open the door a little bit and show what we know, often we get a whole lot in return”, he says.
“WannaCry is not the most sophisticated level of threat we will find but it is something where that information sharing between companies and between governments and the private sector means that you can respond far more quickly and effectively because we are all going to be affected by it.”
Creating an effective international network, in a way, is not unlike the process of creating a great piece of music. The players on their various instruments have to agree on the tune, trust each other and collaborate, so that the result can be greater than the sum of its parts.
The analogy appeals to Mr Feakin, who still dabbles on the bass, an instrument he was inspired to pick up after hearing Jack Bruce and Cream bandmates Eric Clapton and Ginger Baker many years ago.
Music forms an important backdrop to his work, he says. “There is certain music I listen to when I’m writing or reading and it depends on my mood at the time. For example, intense dance music can sometimes help when I’m trying to write,” he says.
“Music plays a big role in my office and it’s important to the soul.”
It is a fact that there is one-third more impact on businesses in Asia Pacific from cybercrime than there is in the European Union and North America, which shows you that we are being hit hard. So there is a lot of work to be done to ensure that this is not going to be a trend that continues or gets worse”