
How the Cyber Kangaroo can help defend the Internet of Things

What are Australia’s policy options for responding to the internet threats of 2022? This question was explored in the 360° Cyber Game conducted jointly by RAND Corporation and the National Security College (NSC) at the Australian National University (ANU) in Canberra on Thursday.

RAND has conducted two of these games before, in Washington DC and in Silicon Valley, and has written up the methodology and results in the paper A Framework for Exploring Cybersecurity Policy Options.

The Canberra game worked the same way.

Around 60 participants from government, academia, and the private sector — your writer was one of them — explored two scenarios. First, we were divided into teams to consider each scenario from a certain angle. How might our proposed policy responses increase the cost for attackers, for example, or how might they affect our cultural norms by infringing on civil rights and the like? Then we reconvened as one group to compare and integrate our proposals.

The game was held under the Chatham House Rule, so I can’t reveal who the participants were, or who said what, but it was an impressive lineup.

While RAND plans to release a formal report in February, these are my initial observations. Note that the entire game was about policy responses, not technical responses.

The first scenario was about the Internet of Things (IoT).

“This scenario places you in a world in which malicious exploitation of the IoT is becoming too common and beginning to be socially and economically disruptive,” the scenario notes read.

A vulnerability was found in a smart door lock used by a big real estate developer, giving burglars access to thousands of homes.

A woman’s self-driving car diverted from its planned route, and she was unable to resume manual control. It ploughed into pedestrians, injuring 12 and killing one. It turned out the car had been hacked by her boyfriend, who thought that bringing her to him would make a novel marriage proposal.

“The public outcry over these malicious activities [and others that were detailed in the scenario] leads to an impending crisis that demands action. But what action?”, asked RAND.

The consensus was that chasing the hackers was unlikely to be successful, at least in the short term, citing the usual problems with attribution and jurisdiction. That said, there should still be diplomatic efforts to remove hacker-friendly havens.

It would be more effective to work with the players we could identify: the manufacturers, distributors, and retailers of IoT devices, and with consumers. Given the low cost and low profit margins of many IoT devices, any solution had to be easy and cheap.

As an initial response, we should leverage existing consumer law. We already have strong product recall processes for unsafe products, especially for electrical items and children’s toys. This could quickly remove the most problematic devices from the market, giving time for the development of coherent cyber safety standards.

Crowdsourced security testing, along the lines of bug bounty programs, could also help identify problems quickly.

Participants noted that telcos can already identify most of the malicious traffic on their networks, but have no incentive to do anything about it. Monitoring networks and blocking certain traffic presents obvious civil liberties and privacy objections, so exploring that policy option would have to be handled carefully.

By 2022, IoT devices were likely to be smarter, with more processing power. Perhaps each device would be able to learn what constituted normal activity, and flag anomalies. Communicating with each other, they could develop something akin to an immune system. That, however, is a technical rather than a policy response, so it wasn’t explored further.

However, the consensus was that we should hit the manufacturers and sellers, because they’re the ones putting the insecure devices on the market.

The solution that emerged was a cyber safety rating system, the same kind of security star rating system proposed by Andrew Jamieson, the “Security Oompa Loompa” at safety science company UL.

The same problems were identified too, such as the difficulty of comparing the safety of different kinds of devices. Hacking a smart toaster doesn’t have the same potential impact as hacking an insulin pump.

The Canberra game participants decided that devices rated under this system would be branded with the Cyber Kangaroo of approval. The Cyber Kangaroo regime would be phased in, first as a voluntary standard accompanied by a public education campaign, then as a compulsory rating for any device sold in Australia.

Insurance companies could also encourage consumers to buy Cyber Kangaroo-approved devices.

Participants decided that developing an international standard would be too slow. Australia should just do it.

Australia could also benefit from becoming an innovation centre for IoT security, including the rapid development and testing of secure IoT code.

RAND’s previous cyber games had also identified standards and market forces as policy options likely to succeed.

“Participants saw a need for market forces to reward security and penalize insecurity. They identified a role for government in classifying products by degree of cybersecurity (assessed through certifications or performance standards). They also agreed that cybersecurity should be prioritized according to the impact of failure, with health and safety devices being the most critical targets for regulation,” RAND wrote.

The second scenario was about intellectual property (IP) theft and corporate espionage, some of it state-sponsored.

The sale of an Australian mining company soured when their network was discovered to have been compromised for years.

An Australian solar technology company was concerned that it might lose a tender for a massive solar project in South America because they believed their IP had found its way to China.

This scenario was tougher.

RAND’s formal report may well identify clear themes, but from this participant’s perspective there were no obvious answers.

It was clear that retaliatory action in the form of “hacking back” would be counter-productive. Not only would it be illegal, it could well trigger a tit-for-tat spiral of escalation.

Instead, Australia should continue to help develop peacetime norms for cyberspace, encouraging nations to sign on to these standards of behaviour.

Australia should then develop its processes for responding to breaches, which might range from sanctions against individual companies, through to sanctions against nations as a whole, to boycotts, or even to something more physical.

On the home front, organisations should be encouraged to report incidents of corporate espionage through a confidential no-fault process.

The idea that Australia would have passed mandatory data breach notification laws by 2022 was met with laughter, and in any event the current drafts of such legislation only cover the theft of personal data, not corporate secrets.

Directors of public companies should also be reminded of their responsibility to disclose any events that might affect the share value.

While the cyber game didn’t come up with any magic solutions, it made two things clear. One, this is complicated. And two, we need to start developing solutions now.

(via PCMag)


