Tag Archive for: Cyber

Agenda for change 2025: Preparedness and resilience in an uncertain world

For more than a decade, which has included the 2013, 2016, 2019 and 2022 federal elections, ASPI has helped to generate ideas and foster debate about Australian strategic policymaking through Agenda for change, a wide-ranging collection of analyses and recommendations to assist the next Australian Government in its deliberations and planning.  

Agenda for change 2025: Preparedness and resilience in an uncertain world continues in its tradition by providing focused and anticipatory policy advice for the 48th Parliament of Australia. The agenda strives to highlight, and present solutions to, the most pressing questions that our next government must consider in order to advance and protect Australia’s national interests in a more disordered and challenging world. 

This edition reflects five interrelated aspects of Australia’s position in 2025, focused on the need to:

  • defend Australia
  • navigate our place in a new world (dis)order
  • reform our security architecture and policies
  • secure our critical infrastructure
  • protect and use our natural resources. 

In 2025, that means equipping the next government for the reality of the contest in which our country is engaged. Since the previous edition of Agenda for change in 2022 we’ve seen:

  • Russia’s ongoing war on Ukraine and public confirmation of the China–Russia ‘no limits’ partnership
  • change in Australia’s policy towards China, with a focus on ‘stabilisation’, accompanied by reduced economic coercion against Australia but a ratcheting up of military intimidation, including an unprecedented PLA Navy circumnavigation of Australia
  • heightened aggression by China against the Philippines in the South China Sea and against Taiwan
  • a lowering of the national terrorism threat level to ‘possible’ in 2022, before it was raised back to ‘probable’ not quite two years later 
  • the 7 October 2023 Hamas terrorist attacks on Israel, the resulting war in Gaza and an increase in politically motivated violence in Australia
  • the rise of artificial intelligence, including the landmark release of ChatGPT in late 2022 and then DeepSeek in 2025
  • the return of Donald Trump to the White House, bringing tension among allies and question marks over the future of the US-led international order.

Each chapter in Agenda for change includes a limited number of prioritised policy recommendations, which are intended to be discrete, do-able and impactful. Although, when dealing with some of the more existential challenges facing Australia, the recommendations are necessarily and similarly expansive.

In addressing that extraordinary range of developments, ASPI has drawn on a wide range of expertise for the 2025 edition of Agenda for change. The views expressed are the personal views of the authors and don’t represent a formal position of ASPI on any issue, other than a shared focus on Australia’s national interests. 

State-sponsored economic cyber-espionage for commercial purposes: Governmental practices in protecting IP-intensive industries

Introduction

This report looks at measures that governments in various parts of the world have taken to defend their economic ‘crown jewels’ and other critical knowledge-intensive industries from cyber threats. It should serve as inspiration for other governments, including from those economies studied in State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to defend against cyber-enabled IP theft. Despite accounting for the bulk of GDP growth, innovation and future employment, such intellectual property (IP)-intensive industries aren’t held to the same levels of protection and security scrutiny as government agencies or providers of critical infrastructure and critical information infrastructure (Figure 1).

Figure 1: Various layers of cybersecurity protection regimes

Source: Developed by the authors.

Since 2022, an increasing number of governments have introduced new policies, legislation, regulations and standards to deal with the threat to their economies from cyber-enabled IP theft. Most prominently, in October 2023, the heads of the major security and intelligence agencies of Australia, Canada, New Zealand, the UK and the US (also known as the ‘Five Eyes’) appeared together in public for the first time, in front of a Silicon Valley audience, and called out China as an ‘unprecedented threat’ to innovation across the world.1 That was followed up in October 2024 with a public campaign called ‘Secure Innovation’.

There is, however, variation in how governments frame their responses. Countries such as the UK and Australia take a national-security approach with policy instruments that seek to monitor the flow of knowledge and innovation to and from specific countries (primarily China). Other countries, such as Malaysia and Finland, take a due-diligence risk approach with a focus on awareness building and providing incentives to organisations to do their due-diligence checks before engaging with foreign entities. Countries such as Japan and Singapore, by contrast, take an economic-security approach in which they focus on engaging and empowering at-risk industries proactively.

This report is the third in a compendium of three. The first report, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, published in 2022, looked at the scale, scope and impact of state-sponsored cyber-espionage campaigns aimed at extracting trade secrets and sensitive business information. The second report, State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft, looks at the extent to which agreed norms effectively constrain states from conducting economic cyber-espionage and also examines the varying levels of vulnerability experienced by selected major emerging economies.

This third report complements those diagnoses by offering policymakers an action perspective based on good practices observed across the world. Various practices and examples have been selected, drawing from a multi-year capacity-building effort that included engagements in Southeast Asia, South Asia and Latin America and consultations with authorities in developed economies such as the US, Australia, Japan, Singapore and the Netherlands. Many of the practices covered in this report were presented at the Track 1 Dialogue on Good Governmental Practices that ASPI hosted during Singapore International Cyber Week 2023.

International guardrails

The issue of economic cyber-espionage2 is inherently international. It’s an issue caused by malicious or negligent behaviour of other states. Accordingly, international law and norms are as critical as domestic responses in countering the threat posed. This section offers a review of the most relevant international initiatives that touch on the governance of cyberspace and the protection of IP.

Through the UN First Committee process, states have introduced a set of voluntary and non-binding norms (Figure 2). That has included the following provisions:

  • States should not knowingly allow their territory to be used for internationally wrongful acts; that is, activities that constitute (serious) breaches of international obligations, inflict serious harm on another state or jeopardise international peace and security.
  • States should not conduct or support cyber activities that damage critical infrastructure or impair the operation of critical infrastructure that provides services to the public.
  • States should offer assistance upon request and respond to requests to mitigate ongoing cyber incidents if those incidents affect the functioning of critical infrastructure.

Figure 2: UN norms of responsible state behaviour in cyberspace


The G20 norm complements the work of the UN First Committee, providing that:

  • States should not engage in cyber-espionage activities for the purpose of providing domestic industry with illegitimately obtained commercially valuable information.

The extent to which states accept that economic cyber-espionage without commercial intent is an acceptable tool of statecraft remains a live debate. In 2017, the authors of the Tallin Manual 2.0 asserted that although ‘peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so’.3 Other states, however, such as the members of MERCOSUR (the trade bloc comprising Argentina, Brazil, Paraguay, Uruguay and Venezuela [currently suspended]) and China hold the view that ‘[n]o State shall engage in ICT-enabled espionage or damages against other States’.4 Austria recently (2024) added to this debate, arguing that ‘cyber espionage activities, including industrial cyber espionage against corporations, within a state’s territory may also violate that state’s sovereignty.’5

The Budapest Convention on Cybercrime and the new UN Cybercrime Convention don’t address the theft of IP or offer mechanisms to deal with state-sponsored cyber activities.6 Both frameworks merely offer mechanisms for the harmonisation of legal regimes to enable states to collaborate on investigations and prosecutions of cyber-related crimes.

The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), administered by the World Trade Organization (WTO), sets minimum standards for IP protection. Article 39 provides perpetual trade-secret protection, provided that the secret is not ‘generally known or readily accessible’ to the general public, has ‘commercial value because it is a secret’, and the owner has taken reasonable precautions to protect the secret.77 However, TRIPS doesn’t take into account any cyber-related threats to IP protection; nor does it provide dispute-settlement mechanisms to address state-sponsored or state-supported acts of theft.

Finally, there are international agreements that regulate certain technology transfers. For instance, the Wassenaar Arrangement—a voluntary export-control regime established to promote responsible transfers of conventional arms and dual-use technologies and goods—offers a list of technologies that are considered sensitive and ought to be subject of additional layers of review before being approved for export. While it doesn’t address cyber-enabled IP theft, it does regulate the trade in technologies that could facilitate such theft, such as intrusion software and surveillance tools.

However, despite the serious impact of IP theft, there’s a clear gap in current international law and norms that would otherwise offer national governments guardrails for introducing measures that would help states to prevent, deter, detect and recover from economic cyber-espionage. Therefore, the onus for protection presently lies on national governments taking ownership and responsibility within their own borders.

References

  1. Zeba Siddiqui, ‘Five Eyes intelligence chiefs warn on China’s “theft” of intellectual property’, Reuters, 19 October 2023, online.
    ↩︎

  2. ‘Economic cyber-espionage’ is the unauthorised collection of commercially valuable assets, through compromises of digital systems and communication channels, by one state against another or by one state against a private entity. ‘Industrial or commercial cyber-espionage’ is the unauthorised collection of commercially valuable assets, through compromises of digital systems and communication channels, by one private entity against another private entity. ↩︎
  3. Michael N Schmitt, Tallinn manual 2.0 on the international law applicable to cyber operations, 2nd edition, Cambridge University Press, 2017.
    ↩︎
  4. On China, see “China’s views on the application of the principle of sovereignty in cyberspace,” United Nations, online; on Mercosur, see “Decision rejecting the acts of espionage conducted by the United States in the countries of the region,” United Nations, 22 July 2013, online.
    ↩︎
  5. Przemysław Roguski, “Austria’s Progressive Stance on Cyber Operations and International Law,” Just Security, 25 June 2024, online.
    ↩︎
  6. See, for instance, Brenda I Rowe, ‘Transnational state-sponsored cyber economic espionage: a legal quagmire’, Security Journal, 13 September 2019, 33:63–82.
    ↩︎
  7. ‘Article 39 of the Agreement on Trade-Related Aspects of Intellectual Property Rights’, World Trade Organization, online.
    ↩︎

State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to defend against cyber-enabled IP theft

Introduction

Strategic competition is deepening existing tensions and mistrust between states and prompts nations to develop capabilities that they consider central to sovereign national power. Technological capabilities sit at the centre of this. It’s therefore not surprising that governments around the world are seeking technological advantage over their competitors and potential adversaries. In this context, safeguarding intellectual property (IP) has become necessary not just because it’s an essential asset for any modern economy—developed or emerging—but because it’s also increasingly underwriting national and regional security.

Today, middle-income countries1 ‘World Bank country and lending groups’, World Bank, 2024, online. that are seeking to progress in the global value chain are home to vibrant knowledge-intensive sectors. Some of the world’s largest science and technology clusters are located in São Paulo and Bengaluru, for example.2 Other exemplars include the biochemical industry in India, information and communication technology (ICT) firms in Malaysia and petroleum processors in Brazil. In fact, countries such as Brazil, India, Indonesia, Mexico and Vietnam have emerged as increasingly major producers of knowledge and innovation.3

Perhaps reflecting that changing reality, it’s middle-income countries that are confronted by increasing attempts to deprive them of their economic crown jewels. In our report State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, ASPI estimated that the number of state-sponsored cyber incidents affecting private entities in Southeast Asia, South Asia, Latin America and the Middle East increased from 40% in 2014 to nearly 60% in 2020.4 To be clear: economic espionage isn’t new. But it’s the growing scale and intensification of economic cyber-espionage for commercial purposes—and as an integrated tool of statecraft—that is a cause for concern.

The promise of 2015

In September 2015, a bilateral summit between Chinese President Xi Jinping and then US President Barack Obama laid the foundation for an international norm against cyber-enabled theft of IP for commercial gain. The joint communique produced at the end of the summit highlighted that China and the US had reached an understanding not to ‘conduct or knowingly support cyber-enabled theft of IP, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors’. This—critically—recognised a distinction between hacking for commercial purposes and hacking for national-security purposes. Building on that apparent progress, the 2015 G20 Antalya leaders’ communique on ICT-enabled theft of IP established bounds for responsible state behaviour in cyberspace—what was described at the time as a landmark moment.

However, the promise of that seemingly historic moment has not been realised since. Rather than seeing this practice stop, cyber-enabled theft of IP quadrupled between 2015 and 2023. Higher barriers to market access across China, the US and Europe—the result of tit-for-tat behaviour seeking to bolster local technological capabilities, reduce dependence on high-risk vendors, achieve greater strategic autonomy and/or counter unfair advantage—have combined to incentivise irresponsible behaviour by malign states.

China’s and the US’s adherence was always going to be critical to the continued strength and legitimacy of any international norm against cyber-enabled economic espionage. However, bilateral relations between Beijing and Washington devolved in the period after 2015. During the first Trump administration, the US drew a clearer connection between economic and national security. That included explicitly calling out in 2020 China’s theft of American technology, IP and research as a threat to the safety, security and economy of the US. The Trump administration also established the China Initiative, which investigated and prosecuted perceived Chinese spies in American research and industry. While the Biden administration closed the China Initiative, it has continued efforts to protect American IP. That includes through the passing of the Protecting American Intellectual Property Act of 2022, which empowers the US President to sanction entities seen to benefit from or sponsor trade-secret theft.5

For its part, China may never have intended to uphold its commitment to the norm over the long term. China may have endorsed a commitment against economic cyber-espionage as a strategic move to accelerate domestic initiatives, such as rooting out corruption in the People’s Liberation Army and refining Chinese hacking methods to be more sophisticated and less conspicuous.6 Alternatively, the lack of a clearly articulated distinction between hacking for competitive advantage and hacking for national-security purposes under Obama and Xi’s agreement may have contributed to the current situation. In any case, the threat of economic cyber-espionage continues to spiral rapidly, increasingly affecting emerging economies as well.

Emerging economies in the Global South, including members of the G20, have been the most vulnerable to that backsliding. India, Vietnam and Brazil have become important and impactful IP-producers, but their means to protect that innovation have lagged—unfortunately creating an expanded attack surface without the commensurate resilience. Still coming to terms with the scope and nature of the threat, they and other similar governments have so far introduced higher-end requirements and support arrangements for their own systems, and for operators of critical infrastructure and critical information infrastructure. However, most other industries—even when they’re substantial contributors to national GDP, high-value IP holders and the enablers for economic advancement—have been left out.

Building capacity to defend against cyber-enabled theft of IP

This report is a first-ever analytical exercise that examines the vulnerability of emerging economies in the face of economic cyber-espionage. It’s a culmination of two years of research and stakeholder engagement across the Indo-Pacific and Latin America. The focus has been on investigating perspectives on the threat of economic cyber-espionage and the degree to which major emerging economies are prepared to respond. The first of the three reports in the compendium—published in late 2022—examined state practices of cyber-enabled theft of IP. It found that, since 2015, the number of reported cases of economic cyber-espionage had tripled. Further, it found that the scale and severity of incidents had grown proportionally with the use of cyber technology as a tool of statecraft for securing economic and strategic objectives.

This specific report is the second in the compendium of three. It considers Chinese and US perspectives in the first instance—recognising their criticality to the effectiveness of any international norm. It goes on to assess the level of vulnerability across Argentina, Brazil, Colombia, India, Indonesia, Malaysia, Mexico, Peru, the Philippines, Thailand and Vietnam. This is because it’s those economies in South Asia, Southeast Asia and Latin America that are experiencing some of the world’s most rapid knowledge and innovation production. Each country has been assessed and given a risk label indicating its vulnerability based on a diagnostic tool developed by ASPI.

The third of the three reports in the compendium goes beyond analysing the problem. Through a mapping of responses, it identifies and presents a capture of best practice. The purpose is to support vulnerable states in defending their economic ‘crown jewels’—that is, critical knowledge-intensive industries. It offers a capacity-building checklist intended to help policymakers make sense of the cyber-threat landscape and respond to protect private entities from economic cyber-espionage.

References

  1. ‘World Bank country and lending groups’, World Bank, 2024, online. ↩︎
  2. ‘Science and technology cluster ranking 2023’, World Intellectual Property Organization (WIPO), online.
    ↩︎
  3. ‘2023 Global Innovation Index’, WIPO, online.
    ↩︎
  4. Gatra Priyandita, Bart Hogeveen, Ben Stevens, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to
    prosperity, ASPI, Canberra, 2022, online. ↩︎

  5. ‘Protecting American Intellectual Property Act of 2022’, US Congress, online. ↩︎
  6. Jack Goldsmith, ‘US attribution of China’s cyber-theft aids Xi’s centralization and anti-corruption efforts’, Lawfare, 21 June 2016, online. ↩︎

State-Sponsored Economic Cyber-Espionage for Commercial Purposes

The Australian Strategic Policy Institute (ASPI) has launched the world’s first capacity-building initiative dedicated to raising awareness about the threat of economic cyber-espionage in key emerging economies across the Indo-Pacific and Latin America.

Through a series of research reports, case studies, and learning materials, this initiative highlights how economic cyber-espionage is not just a concern for advanced economies—it is a growing risk for emerging economies like India, Brazil, and Indonesia, which are rapidly digitizing their industries.

Download report.
Download report.
Download report.

What is Economic Cyber-Espionage?

Economic cyber-espionage refers to the state-sponsored theft of intellectual property (IP) via cyber means for commercial gain. As nations undergo digital transformation, securing knowledge-based industries is critical for economic security. However, many countries—especially those with lower cybersecurity maturity—are increasingly vulnerable to cyber-enabled IP theft.

In the modern economy, local businesses that trade internationally, critical national industries, and start-ups as well as universities, research and development organisations and public services rely on secure data, digital communications and ICT-enabled systems and applications.

But trust and confidence in the digital economy is threatened by the practice of some states that deploy offensive cyber capabilities against industries, organisations and individuals in other states. Those who operate in environments with lower levels of cybersecurity maturity are particularly vulnerable to fall victim to cyber-enabled theft of intellectual property.

Project Activities and Findings

This project has included a series of workshops and engagements in India, Southeast Asia, and Latin America, bringing together officials and experts to discuss cyber threats that endanger national economies and innovation sectors.

For this project, ASPI has also published three reports, which can be downloaded on the right.

  1. State-sponsored economic cyber-espionage for commercial purposes: Tackling an invisible but persistent risk to prosperity (2022): Highlights how state-sponsored cyber-espionage has intensified, with more targeted industries and universities now based in emerging economies
  2. State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft: Evaluates the readiness of 11 emerging economies—including Argentina, Brazil, India, Indonesia, Malaysia, Mexico, the Philippines, Thailand, and Vietnam—to counteract cyber-enabled IP theft.
  3. State-sponsored economic cyber-espionage for commercial purposes: Governmental practices in protecting IP-Intensive industries: Reviews how governments around the world are responding to the threat of economic cyber-espionage and considers how states are employing, among others, legislative, defensive, and reactive measures.

On 15 November 2022, ASPI also issued a Briefing Note recommending that the G20 members recognise that state-sponsored ICT-enabled theft of IP remains a key concern for international cooperation and encouraging them to reaffirm their commitment made in 2015 to refrain from economic cyber-espionage for commercial purposes.

Videos and Podcasts

Explore the videos and podcasts we have produced to help you make sense of economic cyber-espionage.

Project Team

This team is led by CTS Deputy Director Bart Hogeveen and CTS senior analyst Dr. Gatra Priyandita. We thank the support and contributions of other serving and former ASPI staff, including Urmika Deb, Dr. Ben Stevens, Dr. Teesta Prakash, and Shivangi Seth. This project involved input from researchers from across the world, including those in South Asia, Southeast Asia, and Latin America. We thank them for their contributions.

Australia and South Korea: Leveraging the strategic potential of cooperation in critical technologies

Executive summary

Cooperation between Australia and the Republic of Korea (hereafter South Korea or the ROK) in a range of critical technology areas has grown rapidly in recent years. Underpinned by the Australia – South Korea Memorandum of Understanding (MoU) on Cyber and Critical Technology Cooperation signed in 2021, collaboration is currently centred around emerging technologies, including next-generation telecommunications, artificial intelligence (AI) and quantum computing. Such technologies are deemed to be critical due to their potential to enhance or threaten societies, economies and national security. Most are dual- or multi-use and have applications in a wide range of sectors.1

Intensifying geostrategic competition is threatening stability and prosperity in the Indo-Pacific region. Particularly alarming is competition in the technological domain. ASPI’s Critical Technology Tracker, a large data-driven project that now covers 64 critical technologies and focuses on high-impact research, reveals a stunning shift in research ‘technology leadership’ over the past two decades. Where the United States (US) led in 60 of the 64 technologies in the five years between 2003 and 2007, the US’s lead has decreased to seven technologies in the most recent five years (2019–2023). Instead, China now leads in 57 of those technologies.

Within the Indo-Pacific region, some countries have responded to those shifts in technology leadership through the introduction of policies aimed at building ‘technological sovereignty’. The restriction of high-risk vendors from critical infrastructure, the creation of sovereign industrial bases and supply-chain diversification are examples of this approach. But a sovereign approach doesn’t mean protectionism. Rather, many countries, including Australia and South Korea, are collaborating with like-minded regional partners to further their respective national interests and support regional resilience through a series of minilateral frameworks.

The Australia – South Korea technological relationship already benefits from strong foundations, but it’s increasingly important that both partners turn promise into reality. It would be beneficial for Australia and South Korea to leverage their respective strengths and ensure that collaboration evolves in a strategic manner. Both countries are leaders in research and development (R&D) related to science and technology (S&T) and are actively involved in international partnerships for standards-setting relating to AI and other technologies. Furthermore, both countries possess complementary industry sectors, as demonstrated through Australia’s critical-minerals development and existing space-launch capabilities on one hand, and South Korea’s domestic capacity for advanced manufacturing on the other.

This report examines four stages common to technological life cycles — (1) R&D and innovation; (2) building blocks for manufacturing; (3) testing and application; and (4) standards and norms. For each, we examine a specific critical technology of interest. Those four life-cycle areas and respective technologies—spanning biotechnologies-related R&D, manufacturing electric-battery materials, satellite launches and AI standards-setting—were chosen as each is a technology of focus for both countries. Furthermore, collaboration through these specific technological stages enables Australia and South Korea to leverage their existing strengths in a complementary manner (see Figure 1). Supporting the analysis of these four stages of the technological life cycle and selected critical technologies is data from ASPI’s Critical Technology Tracker and the Composite Science and Technology Innovation Index (COSTII) jointly released by South Korea’s Ministry of Science and ICT (MSIT) and the Korea Institute of Science & Technology Evaluation and Planning (KISTEP).

Informed by that examination, this report identifies a set of recommendations for strengthening cooperation that is relevant for different stakeholders, including government and industry.

Policy recommendations

Biotechnologies

Australia and South Korea can enhance knowledge-sharing in biotechnologies-related R&D through people-to-people exchanges. Links should be formalised through an MoU between relevant institutions—such as Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Korea Research Institute of Bioscience and Biotechnology. An MoU could be used to implement initiatives such as a virtual mentoring program and long-term in-person exchanges (preferably at least 12 months in duration). Such exchanges would support immersive in-country interaction, enabling the transfer of specialised R&D expertise. Australian researchers could share knowledge about advances in early-stage clinical trials processes, while South Korean researchers could contribute insights into synthetic biology and AI tools in drug-discovery clinical-trial methodologies. Financial support from Australia’s National Health and Medical Research Council could facilitate the exchanges.2 There remains a need to address visa constraints impeding the free flow of researchers between both countries. While this report focuses on R&D, we suggest that there’s equal value in considering cooperation in the manufacturing stages of the biotechnologies value chain.

Recommendation 1: Formalise links between Australia’s and South Korea’s key biotechnologies R&D institutions by facilitating long-term people-to-people exchanges aimed at transferring specialised expertise. This includes in areas such as clinical trials, synthetic biology and AI integration in biotechnologies.

Electric batteries

Australian companies should consider the production of battery materials, including lithium hydroxide and precursor cathode active materials (pCAM), through joint ventures with South Korean battery manufacturers. Such ventures would benefit from jointly funded and owned facilities geographically close to requisite critical minerals. Since spodumene is needed for lithium hydroxide and nickel, cobalt and manganese are required for pCAM, Western Australia provides the ideal location for those facilities. Furthermore, BHP’s recent suspension of its Western Australian nickel operations provides an ideal opportunity for a South Korean battery company to purchase those operations— securing nickel sulphate supplies necessary for pCAM manufacturing.3 There’s also the potential for South Korea to invest in cathode active manufacturing (CAM) manufacturing in Australia by taking advantage of the co-location of mining and pCAM operations.

The provision of loans with relatively low interest rates from South Korean Government–owned banks,4 as well as tax credits and energy incentives provided by the Australian Government, would assist in offsetting the relatively high operational costs (including for labour and materials) associated with establishing joint battery-material plants in Australia instead of South Korea.5 Environmental regulations will need careful consideration in assessing such proposals, such as those covering the disposal of by-products. In the case of sodium sulphate, that by-product can be used in fertilisers and even recycled for future use in battery-material manufacturing.6

Recommendation 2: Consider the establishment of facilities in Australia under joint venture arrangements between Australian and South Korean companies to enable expanded production of battery materials (including lithium hydroxide and pCAM).

Space and satellite technologies

Australia and South Korea should establish a government-to-government agreement that would facilitate the launch of South Korean satellites from northern and southern locations in Australia. This would be similar to the Australia–US Technologies Safeguard Agreement. The agreement would increase the ease with which companies from both countries can pursue joint launches by streamlining launch permit application processes, export controls, taxation requirements and environmental regulations. The agreement can establish a robust framework for joint operations and continued R&D in space and satellite technologies while ensuring that both countries protect associated sensitive technologies. Any such agreement should prioritise consultations with community stakeholders to further inclusive decision-making focused on addressing the social and environmental impacts of space launches.7 Engaging with Indigenous landowners to ensure the protection of cultural heritage, sacred sites and traditional land stewardship is particularly key.8

Recommendation 3: Establish a government-to-government agreement similar to the Australia–US Technologies Safeguard Agreement to bolster the ease with which Australian and South Korean companies can conduct joint satellite launches on Australian soil.

Artificial intelligence technologies

Closer collaboration between Standards Australia and the Korea Standards Association in establishing international AI standards will be beneficial. The established positive record of Australian and South Korean stakeholders in relation to international norms and standards relating to critical technologies, and comparative regional strengths, provide a means to ensure that international AI standards continue to evolve in a way that fosters interoperability, innovation, transparency, diversity and security-by-design. One recommended body through which Australian and South Korean stakeholders could coordinate their respective approaches is the international, industry-led multistakeholder joint subcommittee (SC) created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) known as the ISO/IEC Joint Technical Committee 1 Subcommittee 42 on AI (ISO/IEC JTC 1/SC 42).

Recommendation 4: Coordinate the approach of Standards Australia and the Korea Standards Association in establishing international AI standards in international technology standards bodies, for example, through ISO/IEC JTC 1/SC 42.

Full Report

For the full report, please download here.

  1. J Wong Leung, S Robin, D Cave, ASPI’s two-decade Critical Technology Tracker, ASPI, Canberra, 28 August 2024, online. ↩︎
  2. Austrade, ‘Australia: A go-to destination for clinical trials’. ↩︎
  3. ‘Western Australian Nickel to temporarily suspend operations’, BHP, 11 July 2024, online. ↩︎
  4. Government-owned banks in South Korea are currently funding a similar joint venture in the form of the POSCO – Pilbara Minerals lithium hydroxide facility in South Korea. For more information, see A Orlando, ‘POSCO Pilbara Lithium Solution executes US$460 million loan agreement to help fund chemical facility in South Korea’, Mining.com.au, 27 February 2023, online. ↩︎
  5. In particular, the high cost of a joint lithium hydroxide plant in Australia rather than South Korea was the primary reason for the joint POSCO – Pilbara Minerals plant to be built in Gwangyang, South Korea. For more information, see P Kerr, ‘Lithium processing is 40pc cheaper in South Korea, says POSCO’, Australian Financial Review, 22 May 2023, online. ↩︎
  6. M Stevens, ‘Cathode manufacturing: solutions for sodium sulphate’, Worley, 29 May 2024, online. ↩︎
  7. ‘Koonibba Test Range launches large commercial rocket’, Asia–Pacific Defence Reporter (APDR), 6 May 2024, online; J Hamilton, A Costigan, ‘Koonibba looks to the future as a rocket launch site, but one elder is concerned about the impact on sacred sites’, ABC News, 11 May 2024, online. ↩︎
  8. M Garrick, ‘Equatorial Launch Australia lodges plans for expansion to 300 hectares for Arnhem Space Centre’, ABC News, 8 November 2023, online. ↩︎

Persuasive technologies in China: Implications for the future of national security

Key Findings

The rapid adoption of persuasive technologies—any digital system that shapes users’ attitudes and behaviours by exploiting physiological and cognitive reactions or vulnerabilities—will challenge national security in ways that are difficult to predict. Emerging persuasive technologies such as generative artificial intelligence (AI), ambient technologies and neurotechnology interact with the human mind and body in far more intimate and subconscious ways, and at far greater speed and efficiency, than previous technologies. This presents malign actors with the ability to sway opinions and actions without the conscious autonomy of users.

Regulation is struggling to keep pace. Over the past decade, the swift development and adoption of these technologies have outpaced responses by liberal democracies, highlighting the urgent need for more proactive approaches that prioritise privacy and user autonomy. That means protecting and enhancing the ability of users to make conscious and informed decisions about how they’re interacting with technology and for what purpose.

China’s commercial sector is already a global leader in developing and using persuasive technologies. The Chinese Communist Party (CCP) tightly controls China’s private sector and mandates that Chinese companies—especially technology companies—work towards China’s national-security interests. This presents a risk that the CCP could use persuasive technologies commercially developed in China to pursue illiberal and authoritarian ends, both domestically and abroad, through such means as online influence campaigns, targeted psychological operations, transnational repression, cyber operations and enhanced military capabilities.

ASPI has identified several prominent Chinese companies that already have their persuasive technologies at work for China’s propaganda, military and public-security agencies. They include:

  • Midu—a language intelligence technology company that provides generative AI tools used by Chinese Government and CCP bureaus to enhance the party-state’s control of public opinion. Those capabilities could also be used for foreign interference (see page 4).
  • Suishi—a pioneer in neurotechnology that’s developing an online emotion detection and evaluation system to interpret and respond to human emotions in real time. The company is an important partner of Tianjin University’s Haihe Lab (see page 16), which has been highly acclaimed for its research with national-security applications (see page 17).
  • Goertek—an electronics manufacturer that has achieved global prominence for smart wearables and virtual-reality (VR) devices. This company collaborates on military–civil integration projects with the CCP’s military and security organs and has developed a range of products with dual-use applications, such as drone-piloting training devices (see page 20).

ASPI has further identified case studies of Chinese technology companies, including Silicon Intelligence, OneSight and Mobvoi, that are leading in the development of persuasive technologies spanning generative AI, neurotechnologies and emerging ambient systems. We find that those companies have used such solutions in support of the CCP in diverse ways—including overt and attributable propaganda campaigns, disinformation campaigns targeting foreign audiences, and military–civil fusion projects.

Introduction

Persuasive technologies—or technologies with persuasive characteristics—are tools and systems designed to shape users’ decision-making, attitudes or behaviours by exploiting people’s physiological and cognitive reactions or vulnerabilities.1 Compared to technologies we presently use, persuasive technologies collect more data, analyse more deeply and generate more insights that are more intimately tailored to us as individuals.

With current consumer technologies, influence is achieved through content recommendations that reflect algorithms learning from the choices we consciously make (at least initially). At a certain point, a person’s capacity to choose then becomes constrained because of a restricted information environment that reflects and reinforces their opinions—the so-called echo-chamber effect. With persuasive technologies, influence is achieved through a more direct connection with intimate physiological and emotional reactions. That risks removing human choice from the process entirely and steering choices without an individual’s full awareness. Such technologies won’t just shape what we do: they have the potential to influence who we are.

Many countries and companies are working to harness the power of emerging technologies with persuasive characteristics, such as generative artificial intelligence (AI), wearable devices and brain–computer interfaces, but the People’s Republic of China (PRC) and its technology companies pose a unique challenge. The Chinese party-state combines a rapidly advancing tech industry with a political system and ideology that mandate companies to align with CCP objectives, driving the creation and use of persuasive technologies for political purposes (see ‘How the CCP is using persuasive technologies’, page 21). That synergy enables China to develop cutting-edge innovations while directing their application towards maintaining regime stability domestically, reshaping the international order, challenging democratic values and undermining global human-rights norms.

There’s already extensive research on how the CCP and its military are adopting technology in cognitive warfare to ‘win without fighting’—a strategy to acquire the means to shape adversaries’ psychological states and behaviours (see Appendix 2: Persuasive technologies in China’s ‘cognitive warfare’, page 29).2 Separately, academics have considered the manipulative methods of surveillance capitalism, especially on issues of addiction, child safety and privacy .3 However, there’s limited research on the intersection of those two topics; that is, attempts by the Chinese party-state to exploit commercially available emerging technologies to advance its political objectives. This report is one of the first to explore that intersection.

Chinese technology, advertising and public-relations companies have made substantial advances in harnessing such tools, from mobile push notifications and social-media algorithms to AI-generated content. Many of those companies have achieved global success. Access to the personal data of foreign users is at an all-time high, and Chinese companies are now a fixed staple on the world’s most downloaded mobile apps lists, unlike just five years ago.44 While many persuasive technologies have clear commercial purposes, their potential for political and national-security exploitation—both inside and outside China—is also profound.

This report seeks to break through the ‘Collingridge dilemma’, in which control and understanding of emerging technologies come too late to mitigate the consequences of those technologies.55 The report analyses generative AI, neurotechnologies and immersive technologies and focuses on key advances being made by PRC companies in particular. It examines the national-security implications of persuasive technologies designed and developed in China, and what that means for policymakers and regulators outside China as those technologies continue to roll out globally.

Persuasive-technology capabilities are evolving rapidly, and concepts of and approaches to regulation are struggling to keep pace. The national-security implications of technologies that are designed to drive users towards certain behaviours are becoming apparent. Democratic governments have acted slowly and reactively to those challenges over the past decade. There’s an urgent need for more fit-for-purpose, proactive and adaptive approaches to regulating persuasive technologies. Protecting user autonomy and privacy must sit at the core of those efforts. Looking forward, persuasive technologies are set to become even more sophisticated and pervasive, and the consequences of their use are increasingly difficult to detect. Accordingly, the policy recommendations set out here focus on preparing for and countering the potential malicious use of the next generation of those technologies.

Full Report

For the full report, please download here.

References

  1. First defined by Brian J Fogg in Persuasive technology: using computers to change what we think and do, Morgan Kaufmann, 2003. ↩︎
  2. See, for example, Nathan Beauchamp-Mustafaga, Chinese next-generation psychological warfare, RAND Corporation, Santa Monica, 1 June 2023, online; Elsa B Kania, ‘Minds at war: China’s pursuit of military advantage through cognitive science and biotechnology’, PRISM, 2019, 8(3):82–101, online; Department of Defense, Annual report to Congress; Military and security developments involving the People’s Republic of China, US Government, 19 October 2023, online. ↩︎
  3. Shoshana Zuboff, The Age of Surveillance Capitalism: the fight for a human future at the new frontier of power, Ingram Publisher Services, 2017. ↩︎
  4. Examples of Chinese-owned apps that are among the most downloaded globally include Tiktok, CapCut (a ByteDance-owned video editor) and the e-commerce platforms Temu and Shein. See David Curry, ‘Most popular apps (2024)’, Business of Apps, 30 January 2024, online. ↩︎
  5. Richard Worthington, ‘The social control of technology by David Collingridge’, American Political Science Review, 1982, 76(1):134–135; David Collingridge,
    The social control of technology, St Martin’s Press, New York, 1980. ↩︎

The future of intelligence analysis: US-Australia project on AI and human machine teaming


Dr Alex Caples is Director of The Sydney Dialogue, ASPI’s annual summit for critical, emerging and cyber technologies.

Previously, she was Director of Cyber, Technology and Security at ASPI.

Alex is a former diplomat and national security official whose career spans over 20 years’ in Defence, the Office of National Intelligence, the Department of the Prime Minister and Cabinet and the Department of Foreign Affairs, including postings to Canada and Afghanistan.

Between 2019-2023, Alex was an Associate Director, Operations Advisory and Director, Policy Evaluation and Public Impact at professional services firm KPMG, supporting Commonwealth and State Governments on policy and program design and implementation.

Prior to this, Alex held various senior policy advisor roles in the Department of the Prime Minister and Cabinet’s National Security Division, including Director of Law Enforcement and Border Security, Director Cyber Security Policy and Director Crisis Management. In this capacity Alex provided advice to Government on a wide range of security legislation, policy and operations, including critical infrastructure security, foreign interference, cyberspace, telecommunications security, digital identity management, intelligence and border security.

During 2011-2012, Alex was a Senior Analyst for Transnational Issues at the Office of National Intelligence, where she provided senior executives and Ministers with all-source analysis on people smuggling, regional law enforcement and transnational crime.

Alex is an Australian Defence Force Academy Graduate. She holds a PhD in International Relations from Monash University (2007).

ASPI’s two-decade Critical Technology Tracker: The rewards of long-term research investment

The Critical Technology Tracker is a large data-driven project that now covers 64 critical technologies spanning defence, space, energy, the environment, artificial intelligence, biotechnology, robotics, cyber, computing, advanced materials and key quantum technology areas. It provides a leading indicator of a country’s research performance, strategic intent and potential future science and technology capability.

It first launched 1 March 2023 and underwent a major expansion on 28 August 2024 which took the dataset from five years (previously, 2018–2022) to 21 years (2003–2023). Explore the website and the broader project here.

Governments and organisations interested in supporting this ongoing program of work, including further expansions and the addition of new technologies, can contact: [email protected].

Executive Summary

This report accompanies a major update of ASPI’s Critical Technology Tracker website,1 which reveals the countries and institutions—universities, national labs, companies and government agencies—leading scientific and research innovation in critical technologies. It does that by focusing on high-impact research—the top 10% of the most highly cited papers—as a leading indicator of a country’s research performance, strategic intent and potential future science and technology (S&T) capability.

Now covering 64 critical technologies and crucial fields spanning defence, space, energy, the environment, artificial intelligence (AI), biotechnology, robotics, cyber, computing, advanced materials and key quantum technology areas, the Tech Tracker’s dataset has been expanded and updated from five years of data (previously, 2018–2022)2 to 21 years of data (2003–2023).3

These new results reveal the stunning shift in research leadership over the past two decades towards large economies in the Indo-Pacific, led by China’s exceptional gains. The US led in 60 of 64 technologies in the five years from 2003 to 2007, but in the most recent five years (2019–2023) is leading in seven. China led in just three of 64 technologies in 2003–20074 but is now the lead country in 57 of 64 technologies in 2019–2023, increasing its lead from our rankings last year (2018–2022), where it was leading in 52 technologies.

India is also emerging as a key centre of global research innovation and excellence, establishing its position as an S&T power. That said, the US, the UK and a range of countries from Europe, Northeast Asia and the Middle East have maintained hard-won strengths in high-impact research in some key technology areas, despite the accelerated efforts of emerging S&T powers.

This report examines short- and long-term trends, to generate unique insights. We have updated the recent five-year results (2019–2023) to show current research performance rankings (top 5 country results are in Appendix 1). We have also analysed our new historical dataset to understand the country and institutional trends in research performance over the full 21-year period. In select technologies we have also made projections, based on current trends, for China and the US to 2030.

The results show the points in time at which countries have gained, lost or are at risk of losing their global edge in scientific research and innovation. The historical data provides a new layer of depth and context, revealing the performance trajectory different countries have taken, where the momentum lies and also where longer term dominance over the full two decades might reflect foundational expertise and capabilities that carry forward even when that leader has been edged out more recently by other countries. The results also help to shed light on the countries, and many of the institutions, from which we’re likely to see future innovations and breakthroughs emerge.

China’s new gains have occurred in quantum sensors, high-performance computing, gravitational sensors, space launch and advanced integrated circuit design and fabrication (semiconductor chip making). The US leads in quantum computing, vaccines and medical countermeasures, nuclear medicine and radiotherapy, small satellites, atomic clocks, genetic engineering and natural language processing.

India now ranks in the top 5 countries for 45 of 64 technologies (an increase from 37 last year) and has displaced the US as the second-ranked country in two new technologies (biological manufacturing and distributed ledgers) to rank second in seven of 64 technologies. Another notable change involves the UK, which has dropped out of the top 5 country rankings in eight technologies, declining from 44 last year to 36 now.

Besides India and the UK, the performance of most secondary S&T research powers (those countries ranked behind China and the US) in the top 5 rankings is largely unchanged: Germany (27), South Korea (24), Italy (15), Iran (8), Japan (8) and Australia (7).

We have continued to measure the risk of countries holding a monopoly in research for some critical technologies, based on the share of high-impact research output and the number of leading institutions the dominant country has. The number of technologies classified as ‘high risk’ has jumped from 14 technologies last year to 24 now. China is the lead country in every one of the technologies newly classified as high risk—putting a total of 24 of 64 technologies at high risk of a Chinese monopoly. Worryingly, the technologies newly classified as high risk includes many with defence applications, such as radar, advanced aircraft engines, drones, swarming and collaborative robots and satellite positioning and navigation.

In terms of institutions, US technology companies, including Google, IBM, Microsoft and Meta, have leading or strong positions in artificial intelligence (AI), quantum and computing technologies. Key government agencies and national labs also perform well, including the National Aeronautics and Space Administration (NASA), which excels in space and satellite technologies. The results also show that the Chinese Academy of Sciences (CAS)—thought to be the world’s largest S&T institution5—is by far the world’s highest performing institution in the Critical Tech Tracker, with a global lead in 31 of 64 technologies (an increase from 29 last year, see more on CAS in the breakout box on page 19).

The results in this report should serve as a reminder to governments around the world that gaining and maintaining scientific and research excellence isn’t a tap that can be turned on and off. Too often, countries have slowed or stopped investing in, for example, research and development (R&D) and manufacturing capability, in areas in which they had a long-term competitive advantage (5G technologies are an example6). In a range of essential sectors, democratic nations risk losing hard-won, long-term advantages in cutting-edge science and research—the crucial ingredient that underpins much of the development and advancement of the world’s most important technologies. There’s also a risk that retreats in some areas could mean that democratic nations aren’t well positioned to take advantage of new and emerging technologies, including those that don’t exist yet.

Meanwhile, the longitudinal results in the Critical Tech Tracker enable us to see how China’s enormous investments and decades of strategic planning are now paying off.7

Building technological capability requires a sustained investment in, and an accumulation of, scientific knowledge, talent and high-performing institutions that can’t be acquired through only short-term or ad hoc investments.8 Reactive policies by new governments and the sugar hit of immediate budget savings must be balanced against the cost of losing the advantage gained from decades of investment and strategic planning. While China continues to extend its lead, it’s important for other states to take stock of their historical, combined and complementary strengths in all key critical technology areas.

This report is made up of several sections. Below you’ll find a summary of the key country and institutional findings followed by an explanation of why tracking historical research performance matters. We then further analyse the nuances of China’s lead and briefly explain our methodology (see Appendix 2 for a detailed methodology). We also look more closely at 10 critical technology areas, including those relevant to AI, semiconductors, defence, energy, biotechnology and communications. Appendix 1 contains visual snapshots of top 5 country rankings in the 64 critical technologies.

We encourage you to visit ASPI’s Critical Technology Tracker website (https://techtracker.aspi.org.au) and explore the new data.

What is ASPI’s Critical Technology Tracker?

ASPI’s Critical Technology Tracker is a unique dataset that allows users to track 64 technologies that are foundational for our economies, societies, national security, defence, energy production, health and climate security. It focuses on the top 10% of the most highly cited research publications from the past 21 years (2003–2023).9 The new dataset is analysed to generate insights into which countries and institutions—universities, national labs, companies and government agencies—are publishing the greatest share of innovative and high-impact research. We use the top 10% because those publications have a higher impact on the full technology life cycle and are more likely to lead to patents, drive future research innovation and underpin technological breakthroughs.10

Critical technologies are current or emerging technologies that have the potential to enhance or threaten our societies, economies and national security. Most are dual- or multi-use and have applications in a wide range of sectors. By focusing early in the science and technology (S&T) life cycle, rather than examining technologies already in existence and fielded, the Critical Technology Tracker doesn’t just provide insights into a country’s research performance, but also its strategic intent and potential future S&T capability. It’s only one piece of the puzzle, of course: it must be acknowledged that actualising and commercialising research performance into major technological gains, no matter how impressive a breakthrough is, can be a difficult, expensive and complicated process. A range of other inputs are needed, such as an efficient manufacturing base and ambitious policy implementation.

The Tech Tracker’s dataset has now been expanded and updated from five years of data (previously, 2018–2022)11 to 21 years of data (2003–2023). This follows previous attempts to benchmark research output across nations by focusing on quality over quantity, key technology areas and individual institutions, as well as short-term, long-term and potential future trends. This update continues ASPI’s investment in creating the highest quality dataset of its kind.12

Both the website and two associated reports (this one included) provide decision-makers with an empirical methodology to inform policy and investment decisions, including decisions on which countries and institutions they partner with and in what technology areas. A list of the 64 technologies, including definitions, is on our website.13 Other parts of this project include:

  • the Tech Tracker website: ASPI’s Critical Technology Tracker14 contains an enormous amount of original data analysis. We encourage you to explore these datasets online as you engage with this report. Users can compare countries, regions or groupings (the EU, the Quad, China–Russia etc.) and explore the global flow of research talent for each technology.
  • the 2023 report: We encourage readers to explore the original report, ASPI’s Critical Technology Tracker: the global race for future power.15 In addition to analysing last year’s key findings, it outlined why research is vital for S&T advances and it examined China’s S&T vision. The report also made 23 policy recommendations, which remain relevant today.16
  • visual snapshots: Readers looking for a summary of the top 5 countries ranked by their past five years of performance in all 64 technologies (see example below) can jump to Appendix 1.
Example of the visual snapshots depicted further in the report.

Data source: ASPI Critical Technology Tracker.

Full Report

For the full report, please download here.

  1. Critical Technology Tracker, ASPI, Canberra. ↩︎
  2. Jamie Gaida, Jennifer Wong Leung, Stephan Robin, Danielle Cave, ASPI’s Critical Technology Tracker: the global race for future power, ASPI, Canberra, 1 March 2023. ↩︎
  3. 21-year dataset with improved search terms and institution cleaning, see Methodology for more details. ↩︎
  4. In the early years, such as 2003–2007, some of the 64 technologies have not yet emerged and the credits assigned to top countries or institutions are too low to be statistically significant. Where this is the case we have avoided pulling key insights from the rankings of countries and institutions in these technologies. ↩︎
  5. Bec Crew, ‘Nature Index 2024 Research Leaders: Chinese institutions dominate the top spots’, Nature, 18 June 2024. ↩︎
  6. Elsa B Kania, ‘Opinion: Why doesn’t the US have its own Huawei?’, Politico, 25 February 2020. ↩︎
  7. See, for example, Zachary Arnold, ‘China has become a scientific superpower’, The Economist, 12 June 2024.
    ‘China’, Nature, 9 August 2023, https://www.nature.com/collections/efchdhgeci ;
    ‘China’s science and technology vision’ and ‘China’s breakout research capabilities in defence, security and intelligence technologies’ in Gaida et al.
    ASPI’s Critical Technology Tracker: The global race for future power, 14–20; Tarun Chhabra et al., ‘Global China: Technology’, Brookings Institution, April 2020, https://www.brookings.edu/articles/global-china-technology/ ;
    Jason Douglas and Clarence Leong. “The U.S. Has Been Spending Billions to Revive Manufacturing. But China Is in Another League”, The Wall Street Journal, August 3, 2024, https://www.wsj.com/world/china/the-u-s-has-been-spending-billions-to-revive-manufacturing-but-china-is-in-another-league-75ed6309 . ↩︎
  8. Eva Harris, ‘Building scientific capacity in developing countries’, EMBO Reports, 1 January 2004, 5, 7–11. ↩︎
  9. These technologies were selected through a review process in 2022–23 that combined our own research with elements from the Australian Government’s 2022 list of critical technologies, and lists compiled by other governments. An archived version of the Australian Government’s list is available: Department of Industry, Science and Resources, ‘List of critical technologies in the national interest’, Australian Government, 28 November 2022.
    In May 2023, the Australian Government revised their list: Department of Industry, Science and Resources, ‘List of critical technologies in the national interest’, Australian Government, 19 May 2023, https://www.industry.gov.au/publications/list-critical-technologies-national-interest .
    A US list is available from National Science and Technology Council, ‘Critical and emerging technologies list update’, US Government, February 2022, https://www.whitehouse.gov/wp-content/uploads/2022/02/02-2022-Critical-and-Emerging-Technologies-List-Update.pdf .
    On our selection of AUKUS Pillar 2 technologies, see Alexandra Caples et al., ‘AUKUS: three partners, two pillars, one problem’, TheStrategist, 6 June 2023, https://www.aspistrategist.org.au/aukus-three-partners-two-pillars-one-problem/ . ↩︎
  10. Felix Poege et al., ‘Science quality and the value of inventions’, Science Advances, 11 December 2019, 5(12):eaay7323;
    Cherng Ding, et al., ‘Exploring paper characteristics that facilitate the knowledge flow from science to technology’, Journal of Informetrics, February 2017, 11(1):244–256, https://doi.org/10.1016/j.joi.2016.12.004 ;
    Gaida et al., ASPI’s Critical Technology Tracker: The global race for future power, 9. ↩︎
  11. Jamie Gaida, Jennifer Wong Leung, Stephan Robin, Danielle Cave, ASPI’s Critical Technology Tracker: The global race for future power. ↩︎
  12. See more details in the full methodology in Appendix 2. ↩︎
  13. ‘List of technologies’, Critical Technology Tracker. ↩︎
  14. Critical Technology Tracker ↩︎
  15. See Jamie Gaida, Jennifer Wong-Leung, Stephan Robin, Danielle Cave, ASPI’s Critical Technology Tracker: the global race for future power. ↩︎
  16. Jamie Gaida, Jennifer Wong-Leung, Stephan Robin, Danielle Cave, ASPI’s Critical Technology Tracker: the global race for future power, 44. ↩︎

Negotiating technical standards for artificial intelligence

The Australian Strategic Policy Institute (ASPI) is delighted to share its latest report – the result of a multi-year project on Artificial Intelligence (AI), technical standards and diplomacy – that conducts a deep-dive into the important, yet often opaque and complicated world of technical standards.

At the heart of how AI technologies are developed, deployed and used in a responsible manner sit a suite of technical standards: rules, guidelines and characteristics that ensure the safety, security and interoperability of a product.

The report authors highlight that the Indo-Pacific, including Australia and India, are largely playing catch-up in AI standards initiatives. The United States and China are leading the pack, followed by European nations thanks to their size, scope and resources of their national standardisation communities as well as their domestic AI sectors.

Not being strongly represented in the world of AI governance and technical standards is a strategic risk for Indo-Pacific nations. For a region that’s banking on the opportunities of a digital and technology-enabled economy and has large swathes of its population in at-risk jobs, it’s a matter of national and economic security that Indo-Pacific stakeholders are active and have a big say in how AI technologies will operate and be used.

Being part of the conversations and negotiations is everything, and as such, governments in the Indo-Pacific – including Australia and India – should invest more in whole-of-nation techdiplomacy capabilities.

Authored by analysts at ASPI and India’s Centre for Internet and Society, this new report ‘Negotiating technical standards for artificial intelligence: A techdiplomacy playbook for policymakers and technologists in the Indo-Pacific’ – and accompanying website (https://www.techdiplomacy.aspi.org.au/) – explains the current state of play in global AI governance, looks at the role of technical standards, outlines how agreements on technical standards are negotiated and created, and describes who are the biggest ‘movers and shakers’.

The authors note that there are currently no representatives from Southeast Asia (except Singapore), Australia, NZ or the Pacific Islands on the UN Secretary-General Advisory Body on AI – a body that’s tasked to come up with suggestions on how to govern AI in a representative and inclusive manner with an eye to achieving the UN Sustainable Development Goals.

The capacity of the Indo-Pacific to engage in critical technology standards has historically been lower in comparison to other regions. However, given the rapid and global impact of AI and the crucial role of technical standards, the report authors argue that dialogue and greater collaboration between policymakers, technologists and civil society has never been more important.

It is hoped this playbook will help key stakeholders – governments, industry, civil society and academia – step through the different aspects of negotiating technical standards for AI, while also encouraging the Indo-Pacific region to step up and get more involved.

Truth and reality with Chinese characteristics

ChineseFrench and Spanish translations are now available.

Executive Summary

The Chinese Communist Party (CCP) is leveraging its propaganda system to build a toolkit to enable information campaigns. Its objective is to control communication and shape narratives and perceptions about China in order to present a specific version of truth and reality, both domestically and internationally. Ultimately, the CCP aims to strengthen its grip on power, legitimise its activities and bolster China’s cultural, technological, economic and military influence.

The CCP seeks to maintain total control over the information environment within China, while simultaneously working to extend its influence abroad to reshape the global information ecosystem. That includes not only controlling media and communications platforms outside China, but also ensuring that Chinese technologies and companies become the foundational layer for the future of information and data exchange worldwide.

This research report finds that the CCP seeks to harvest data from various sources, including commercial entities, to gain insights into target audiences for its information campaigns. We define an information campaign as a targeted, organised plan of related and integrated information operations, employing information-related capabilities (tools, techniques or activities) with other lines of operation to influence, disrupt, corrupt or manipulate information — including the individual or collective decision making based on that information — and deliberately disseminated on a large scale. The party also invests in emerging technologies such as artificial intelligence (AI) and immersive technologies that shape how people perceive reality and engage with information. The aim is to gain greater control, if not dominance, over the global information ecosystem.

To understand the drivers, tools and outcomes of that process, this report and its accompanying website (ChinaInfoBlocks.aspi.org.au) examine the activities of the People’s Republic of China (PRC) in the information domain, particularly its investments in technology and research and development (R&D) companies that might serve as ‘building blocks’ for the party’s information campaigns.

Specifically, this research comprehensively maps the CCP’s propaganda system, highlighting the linkages between the Central Propaganda Department, state-owned or -controlled propaganda entities and data-collection activities, and technology investments in Chinese companies, many of which now operate globally.

This research illustrates the various ways in which the party-state is leveraging the propaganda system and commercial entities to gain access to data that it deems strategically valuable for the propaganda system and its ongoing information operations. It also shows how the propaganda system uses new and emerging technologies, including generative AI, mobile gaming and immersive technologies, to establish and maintain control of the narrative and continuously refine its toolbox and techniques.

It’s imperative that policymakers develop robust defences and countermeasures against future disruptive information campaigns from Beijing and to ensure an open and secure global information environment. In mapping those companies linked to China’s propaganda system that are seeking market dominance in key technologies, and how their activities may support CCP efforts to shape the global information environment, this project aims to inform government and industry decisions on digital supply-chain security, supporting policies for safer and more secure digital technologies.

The first section of this report lays out the fundamentals of CCP theory that have, over decades, defined the party-state’s strategy in the information domain. A theoretical understanding of how the CCP conceptualises its goals is important in unpacking the different tools used to achieve them. The second section outlines the CCP’s complex and vast propaganda system and how it works. Later sections expand on the ways in which CCP theory underpins the propaganda system and its activities, including through practical examples and case studies.

This report is accompanied by a website that offers detailed network diagrams of the relationships between China’s propaganda system and the companies associated with it: directly, through a state-ownership structure linking back to the propaganda system, or indirectly, through significant state support. The website also hosts case studies relevant to the report findings. The map can be explored on the website, Identifying The Building Blocks of China’s Information Campaigns (ChinaInfoBlocks.aspi.org.au).

figure 1
Source: Screenshot of ChinaInfoBlocks.aspi.org.au dataset, ASPI.

Research methodology

The CCP’s propaganda efforts on social media have been widely studied, enabling a baseline understanding of common narratives and tactics. Previous ASPI research, for example, has tracked a persistent, large-scale influence campaign linked to Chinese state actors on Twitter and Facebook.1 Several other research institutes have published important research on how the Chinese party-state attempts to control the information environment globally.2

China’s propaganda system is a vast structure. Under its direct control or with its direct support are a web of additional entities whose portfolio contributes to the party’s ability to meet its strategic aims in the information environment. Countries that understand the ‘invisible architecture’ of the CCP’s propaganda system and technologies will be better able to address and respond to its global efforts to skew the information environment.

Important research questions remain understudied. In particular, research on the building blocks that need to be in place to support and inform successful efforts to shape the information environment is limited. What’s the Chinese party-state doing to build its capacity to control ‘truth’ and influence how external audiences perceive, engage with and question reality?

To bridge that knowledge gap, this project examines how the party-state is leveraging the propaganda system:

  1. through commercial entities, by collecting data or gaining access to datasets that it deems strategically valuable that could be used for propaganda purposes, including potentially for current or future information operations (for example, undertaking data-collection activities that build the party-state’s capacity to generate insights on current or potential targets of information operations)
  2. through state support, by investing in R&D and access to new and emerging technology to shape or distort the information environment both domestically and globally.

Our project is based on ASPI’s 2019 report, Engineering global consent. That report first identified Global Tone Communications Technology (GTCOM), a machine-translation company that’s controlled by the CCP Central Propaganda Department. GTCOM claims that it accesses data from social media and has downstream access to datasets of the internet of things (IoT) and software products that it supplies, mainly to other PRC technology companies, to generate insights to support China’s state security and propaganda work.3

Building on Engineering global consent, we’ve sought to identify and explain how the Chinese party-state’s expansive propaganda system exploits new and emerging technologies and seeks to shape or distort the information environment both domestically and globally. To answer these questions, we generated network graphs describing the relationships between companies in our dataset, which are mostly Chinese state-owned or backed by state funds, with direct links to the propaganda system and other entities. We used that research to better understand areas of business activity associated with the PRC’s propaganda system, especially when such activity is related to data collection, aggregation and processing.

Our research effort involved identifying entities linked to the Propaganda Department of the Chinese Communist Party’s Central Committee (‘the Central Propaganda Department’), provincial-level propaganda departments, or other party-state bodies linked to the propaganda system, such as the Ministry of Culture and Tourism. This project began with a months-long effort to build a network graph of companies that were directly and indirectly linked to the Central Propaganda Department. Our research included looking for subsidiaries, shareholders and strategic cooperation and MoU partners of the companies we identified. Our information sources focused on PRC-based company databases and shareholders, and included company websites, company press releases and corporate disclosure documents. We then narrowed the scope of our research to focus on the specific case studies covered in this report.

Party-state news and publishing outlets were included in our research because the Central Propaganda Department is responsible for the supervision of news and publishing work, and those outlets are key platforms for disseminating information. However, rather than simply mapping out the names of media and publishing outlets, and their publication outputs domestically in China and overseas, our research emphasis was on identifying where those outlets are establishing branches or partnerships that expand their business activity into areas of business related to new and emerging technology.

While this research has revealed large amounts of previously inaccessible information on Chinese companies with links to the CCP’s propaganda institutions, it relies on publicly available information sources that are accessible outside mainland China. Continued research on these connections, as well as on connections between these types of companies and other parts of the party-state bureaucracy, is required.

Key findings

The report places the PRC’s propaganda system in the context of the CCP’s overall strategic frameworks, which are filtered down to specific policy outputs. Key findings are as follows:

  • The Chinese party-state sees data as central to its ability to modernise its propaganda efforts in the global information environment. Unlike the legislation of other state actors, China’s 2021 Data Security Law clearly articulates a vision for how data and data exchanges contribute to an overall national strategy (see ‘The propaganda system and its feedback loop’ at page 13). It prioritises data access and the regulation of data flows as part of its efforts to ensure control.
     That data is global. For example, China’s People’s Public Opinion Cloud combines about half a million information sources across 182 countries and 42 languages to support the Chinese Government’s and PRC enterprises’ international communication needs.4 The platform has both government and corporate applications and provides tools for public-security agencies to monitor the information environment and public sentiment on sensitive events and topics.5
  • The CCP sees emerging technology, such as e-commerce, virtual reality and gaming, as a means to promote a CCP-favoured perspective on truth and reality that supports the official narrative that the CCP seeks to project (even if those technologies may also be potentially hazardous to the party’s interests). This is especially true in relation to the CCP’s ability to conduct information campaigns and shape global information standards and foundational technologies.
     The CCP’s national key cultural export enterprises and projects lists (both the 2021–22 and 2022–2023 versions), name dozens of mobile gaming companies and mobile games that receive state support (see ‘The perception of reality’ at page 19), including subsidies, so that they can continue to enjoy global success and help advance the mission to boost China’s cultural soft power.
     In e-commerce, for example, companies such as Temu (which became the most-downloaded free iPhone app in the US in 20236) also collect large amounts of data that’s likely to be shared with the PRC’s propaganda system.7 In gaming, popular video games such as Genshin Impact, the developers of which receive Chinese state support linked to the propaganda system, create similar security risks due to the strategic value of the user data that they generate and collect.
  • Under Xi Jinping’s leadership, the CCP has renewed its emphasis on a national strategy of media convergence that brings together traditional and ‘emerging’ media across various dimensions—content, channels, platforms, operations and management—to enhance the agility of propaganda initiatives in responding to real-time shifts in public sentiment.8 Media convergence is directly linked to the perception that an absence of guidance on public opinion risks China’s security and stability. The party uses digital media, particularly the data resources that digital media help to generate, to improve its ability to use media effectively in its communications strategy and to create feedback loops in China and internationally.9

Policy recommendations

Policymakers face two key challenges: first, to apply the CCP’s way of thinking to efforts to counter information campaigns, before they’re conducted; and, second, to resist China’s efforts to shape global information standards and core foundational technologies for Web 2.0 and beyond.10

Informed by the findings contained in this report, we make the following recommendations for governments, civil society, social-media platforms and hardware and software developers and vendors:

  1. Governments should exert pressure on technology companies to conduct more thorough reviews of their digital supply chains to ensure that their Web 2.0 and future Web 3.0 foundations, and the companies and technologies that they rely on, are transparent and secure. Improving due diligence, transparency, trust and security by design in the digital supply chain, at both the technology and systems/applications layers, must be considered, especially for companies engaged in government procurements. That can be achieved by imposing more stringent reporting requirements, developing high-risk vendor frameworks, imposing and enforcing privacy and data requirements, and developing consistent data-minimisation approaches. Already the US and partner nations have sought to enhance software security by requiring companies working with governments to provide software ‘bills of materials’. The Quad Cybersecurity Partnership’s ‘joint principles for secure software’11 is an excellent template for considering enhanced transparency regulation.
     Technology companies, including vendors, platforms and developers should commit and adhere to the Cybersecurity Tech Accord, develop security by design standards, and impose greater moderation and fact-checking standards across online platforms, social media, etc. to reduce the potential for attacks on the availability, confidentiality, and integrity of data, products, services, and networks and highlight mis- and dis-information and propaganda. As China’s information campaigns seek to weaponise truth and reality, increasing vigilance, verification and veracity must be asserted to ensure information consumers are offered the best chance of identifying mis- and dis-information influences.
  2. Governments must exert significantly more policy attention to the regulation of technologies used for surveillance and related immersive technologies. Few governments have developed broad definitions of those technologies or studied their privacy and data-security impacts. As a consequence, their regulation hasn’t been effective or focused on their future societal and national-security implications. More specifically:
     Governments should define machine learning and cloud data as surveillance or dual-use goods. For example, the European Union has identified dual-use applications of AI systems as an area of concern in their assessment process as part of the Ethics Guidelines for Trustworthy AI.12 The Council of Europe has also raised concerns with the Pegasus surveillance software.13 The US has identified cloud data as an export under the Export Administration Regulations that may attract dual-use controls. While these efforts are significant, regulation still lags the use of machine learning and cloud data by companies and governments, resulting in inconsistent application, a situation rife for exploitation by authoritarian regimes. Governments should standardise and tighten regulation on the technologies and services not traditionally understood as surveillance or dual-use (data) products, including data-generating products and services in e-commerce gaming industries. Doing so would enable them to apply traditional tool sets for preventing access to goods of that nature, such as export controls, technologies and services not traditionally understood as surveillance or dual-use (data) products, including data-generating products and services in e-commerce gaming industries.
     Additionally, increased transparency in regard to which technology actors and entities, whether they’re involved in R&D activities or product sales, are acting on behalf of state interests could clarify what data is used for surveillance purposes and what data can be used to undermine another state’s sovereignty.
  3. To further increase transparency, governments should also more clearly define which individual actors and entities are required to register under foreign-agent registration schemes. That includes Australia’s Foreign Influence Transparency Scheme, the US Foreign Agents Registration Act (FARA) and emerging equivalents elsewhere, such as the UK’s upcoming foreign influence registration scheme. The US, for example, used FARA to force PRC state-owned media companies such as Xinhua and CGTN to register as state agents.14Based on the same logic, any technology company linked directly to China’s propaganda system or receiving state support to facilitate the party-state’s propaganda efforts could be required to register.
  4. Internationally, governments should work to standardise the ways in which data is shared, and proactively regulate how it can be produced and stored. Efforts thus far have failed to reach accord, and many have been siloed within specific functional domains (such as meteorological data, social services, food and agriculture, finance and so on). Such efforts can reduce opportunities for authoritarian regimes to collect, use and misuse data in ways that harm ethnic communities, disparage and denigrate alternative perspectives and silence dissent in the global information environment. The International Organization for Standardization, together with the UN Centre for Trade Facilitation and Electronic Business, among others, should establish joint government–industry standardisation mechanisms.
  5. Multilaterally, democratic governments should work together to develop a stronger institutional understanding of the future vulnerabilities and risks of new technologies, particularly in the digital technology ecosystem. That understanding should guide the development of new standards for emergent technologies and assist industry to commercialise those technologies with the goal of safety and security by design. The Quad Principles on Critical and Emerging Technology Standards are a good example of work that needs to occur on the future vulnerabilities and risks of new technologies.
  6. Locally, governments and civil society should establish guardrails against the negative impacts of CCP efforts to shape the information environment, including through information campaigns such as media literacy and critical thinking campaigns targeting individuals and communities. Efforts should not only help users understand what’s ‘real’ and what’s ‘fake’, but also ensure that they have broader awareness of how entities supporting foreign information campaigns may be present in their supply chains, so that risks associated with them are identified and more reliably controlled.

Full Report

For the full report, please download here.

QR Code to download this report in English

Chinese translation is available here.

QR Code to download this report in Chinese

French translation is available here.

QR Code to download this report in French

Spanish translation is available here.

QR Code to download this report in Spanish
  1. Tom Uren, Elise Thomas, Jacob Wallis, Tweeting through the Great Firewall, ASPI, Canberra, 3 September 2019, online; Jacob Wallis, Tom Uren, Elise Thomas, Albert Zhang, Samantha Hoffman, Lin Li, Alexandra Pascoe, Danielle Cave, Retweeting through the Great Firewall, ASPI, Canberra, 12 June 2020, online; Albert Zhang, Tilla Hoja, Jasmine Latimore, Gaming public opinion, ASPI, Canberra, 26 April 2023, online. ↩︎
  2. Freedom House, for example, found in its survey of CCP media influence in 30 countries that ‘the Chinese government and its proxies are using more sophisticated, covert, and coercive tactics—including intensified censorship and intimidation, deployment of fake social media accounts, and increased mass distribution of Beijing-backed content via mainstream media—to spread pro-CCP narratives, promote falsehoods, and suppress unfavourable news coverage.’ See ‘Beijing’s global media influence 2022: Authoritarian expansion and the power of democratic resilience’, Freedom House, 8 September 2022, online; ‘New report: Beijing is intensifying its global push for media influence, turning to more covert and aggressive tactics’, Freedom House, 8 September 2022, online. The National Endowment for Democracy’s work on sharp power has similarly examined how the PRC and authoritarian states engage in activities that undermine media integrity; see Christopher Walker, Jessica Ludwig, A full-spectrum response to sharp power the vulnerabilities and strengths of open societies, Sharp Power and Democratic Resilience series, National Endowment for Democracy, June 2021, online; Sharp power: rising authoritarian influence, National Endowment for Democracy, December 2017, online. ↩︎
  3. Samantha Hoffman, Engineering global consent: the Chinese Communist Party’s data-driven power expansion, ASPI, 14 October 2019, online. ↩︎
  4. ‘People’s Public Opinion Cloud’ [人民舆情云], People’s Cloud, no date, online. ↩︎
  5. ‘People’s Public Opinion Cloud’ [人民舆情云], People’s Cloud, no date, online. ↩︎
  6. Sarah Perez, ‘Temu was the most-downloaded iPhone app in the US in 2023’, TechCrunch, 13 December 2023, online. ↩︎
  7. Temu has also reportedly engaged in controversial business practices, such as forced and exploitative labour practices, and copyright infringement. See Nicholas Kaufman, Shein, Temu, and Chinese e-commerce: data risks, sourcing violations, and trade loopholes, US–China Economic and Security Review Commission, 14 April 2023, online. ↩︎
  8. Patrick Boehler, ‘Two million “internet opinion analysts” employed to monitor China’s vast online population’, South China Morning Post, 3 October 2013, online. ↩︎
  9. ‘CMP dictionary: media convergence’, China Media Project, 16 April 2021, online. ↩︎
  10. Web 2.0 refers to a shift in the way websites and web applications are designed and used, characterised by user-generated content, interactivity and collaboration, marking a departure from static web pages to dynamic platforms facilitating social interaction and user participation. See Ashraf Darwish, Kamaljit Lakhtaria, ‘The impact of the new Web 2.0 technologies in communication, development, and revolutions of societies’, Journal of Advances in Information Technology, November 2011, online. ↩︎
  11. Quad Senior Cyber Group, ‘Quad Cybersecurity Partnership: joint principles for secure software’, Department of the Prime Minister and Cabinet, Australian Government, 20 May 2023, online. ↩︎
  12. High Level Expert Group on Artificial Intelligence, ‘Ethics guidelines for trustworthy AI’, European Union, 8 April 2019, online. ↩︎
  13. ‘Pegasus spyware and its impacts on human rights’, Council of Europe, 20 June 2022, online. ↩︎
  14. National Security Division, ‘Obligation of CGTN America to register under the Foreign Agents Registration Act’, Department of Justice, US Government, 20 December 2018, online; National Security Division, ‘Obligation of Xinhua News Agency North America to register under the Foreign Agents Registration Act’, Department of Justice, US Government, 18 May 2020, online. ↩︎

Tag Archive for: Cyber

The five-domains update

Sea state

An Australian contingent participated in Exercise Bersama Shield on 17-22 April, joining with forces from Britain, New Zealand, Malaysia and Singapore in a simulated defence operation around the Malay Peninsula. The exercise focused on integrated maritime and air power among the partner states. It’s one of two annual exercises held under the Five Power Defence Arrangements—one of Australia’s oldest regional security frameworks, through which the Australian Defence Force has maintained a forward posture at Penang in Malaysia for decades.

Joint exercises between the United States and the Philippines began on 21 April. About 9,000 US and 5,000 Philippine personnel—along with an Australian contingent of 200—took part in the Balikatan exercises. The exercises centred around testing anti-ship missile systems and countering amphibious attacks on islands. The collaboration was both a show of US commitment and a pointed message from Manila, considering the Philippines’ history of tense standoffs with China over outlying shoals.

Flight path

The local government of Playford in Adelaide’s northern suburbs has proposed rezoning 400 hectares of land adjoining RAAF Base Edinburgh, with the intention to support aerospace and defence industries. The proposal is still in the early stages, and a lot of preparatory study is still to be done. However, the state government has demonstrated serious buy-in: it expects the Deep Maintenance and Modification Facility for P-8 Poseidon reconnaissance aircraft, currently being built next to the base, to catalyse a local boom in the defence sector after it opens in 2026.

The US has approved a potential $1.8 billion sale of up to 400 advanced air-to-air missiles to Australia. The proposed sale includes the latest missile variant, the AIM-120D-3, currently only employed by the US Air Force and select allied nations. The acquisition would strengthen Australia’s military presence and broader regional defence strategy.

Rapid fire

Lockheed Martin’s precision strike missile has been successfully integrated with a US Army M270A2 tracked launcher vehicle for the first time. This is a promising step toward field deployment, not only for the US’s army, but also for Australia’s. Australia has been co-funding the missile program for several years while moving to acquire HIMARS rocket artillery vehicles to fire the new missile. The missile’s projected 400-kilometre range will dramatically increase the army’s ability to strike targets from land—a capability previously limited to short-range anti-tank missiles and towed artillery.

Tasmanian firm Elphinstone is set to build hulls for the army’s Redback infantry fighting vehicles following its signing of a $90 million contract with Korean defence manufacturer Hanwha. Previously known primarily for manufacturing equipment and vehicles for the mining sector, Elphinstone seems poised to become a key player in the Australian defence industrial base. This is the company’s second major contract with Hanwha’s local subsidiary to co-manufacture a next-generation army capability, the first covering hulls and turret structures for the Huntsman self-propelled artillery system.

Final frontier

Australian space capability development program iLAuNCH Trailblazer has signed a memorandum of understanding with US-based Space Information Sharing and Analysis Center. Announced at the 40th Space Symposium, the agreement aims to enhance cooperation in space technology and cybersecurity by establishing a framework to share cyber threat data, co-host events and support joint research. The partnership is expected to strengthen Australia’s role in the global space industry and safeguard critical infrastructure from emerging threats in the space domain.

The Australian army will fund research led by the Defence Science and Technology Group to develop quantum technology capable of linking satellites with optical ground stations, according to a 14 April statement from Defence. This is a key component of a quantum-secured timing network, one of the priorities for next-generation capabilities identified in the 2024 National Defence Strategy. The technology will allow the ADF to navigate in contemporary combat environments where GPS signals are often jammed.

Wired watchtower

On 26 March, the ADF’s Cyber Command celebrated its first anniversary. The command has been a pivotal force in Australia’s defence, unifying key cyber units to meet the growing and borderless threats in the fifth warfighting domain. Major General Robert ‘Doc’ Watson emphasised the urgency of its mission: ‘The threat is real, persistent and current. In the cyber domain, we are in conflict now.’ The command supports multi-domain operations, enabling the ADF to defend networks critical to national security and future military readiness.

A recent report from cybersecurity firm Armis revealed that Australia is increasingly targeted by nation-state cyber actors, with 56 percent of Australian respondents having already fallen victim to state-backed cyber activity—more than 10 percent higher than the global average. The report highlights artificial intelligence as a key driver of these threats, enabling smaller nations and non-state actors to launch higher-level cyberattacks.

Decrypting tomorrow’s threats: critical infrastructure needs post-quantum protection today

Some argue we still have time, since quantum computing capable of breaking today’s encryption is a decade or more away. But breakthrough capabilities, especially in domains tied to strategic advantage, rarely follow predictable timelines. Just as nuclear research leapt from theory to practical application with little warning, quantum computing could deliver similar surprises. That uncertainty makes waiting a dangerous gamble.

For years, adversaries have quietly intercepted and stored encrypted data from critical infrastructure networks, betting that when quantum decryption arrived, they’d already have the material. This strategy, known as ‘harvest now, decrypt later’ (HNDL), is no longer hypothetical. It’s an operational reality. And what’s at stake is not just state secrets or financial data, but the control systems that power modern life.

Operational technology (OT) systems—responsible for electricity, water, transport, manufacturing and defence—are particularly exposed. These environments depend on long-lived data, including configuration files, schematics and control logic, that rarely change. In the wrong hands, this information becomes a blueprint for infiltration, disruption or sabotage. Many OT systems still rely on encryption standards that are widely expected to fall to quantum decryption well within the life of the data they protect. In this context, encryption that’s ‘good enough for now’ becomes a strategic liability.

Cyber authorities across Five Eyes, NATO, and the Gulf Cooperation Council are increasingly treating quantum risk as a present-tense issue. In Australia, the 2018 Security of Critical Infrastructure Act and its ongoing reforms have elevated cyber risk from a technical issue to a board-level responsibility. The next logical step is embedding cryptographic resilience into that framework. Long-term confidentiality is no longer a luxury—it’s a foundation of national security, and one that extends to both public and private sectors.

Traditional OT cybersecurity rightly focuses on segmentation, uptime and predictable control behaviour. But these principles must now expand to include cryptographic survivability. It’s not enough for systems to withstand tampering today. They must remain secure five or 10 years from now, when today’s encrypted traffic could be cracked wide open.

Consider a hostile actor targeting the supervisory systems of regional utilities or firmware update paths for industrial controllers. Even if encrypted, the data need not be decrypted today. HNDL means it needs only to be stored. Once quantum decryption is feasible, attackers could reconstruct topologies, emulate trusted behaviour, or craft malware that mimics legitimate operations. The breach may have already occurred; we just haven’t seen the consequences yet.

Nor are only the crown jewels at risk. Protocol maps, telemetry logs and vendor documentation can all yield strategic insights. Anything that reveals how a system behaves, recovers or updates could be exploited to undermine it.

Some governments are moving early. In the US, the National Cybersecurity Strategy and the National Institute of Standards and Technology’s post-quantum standardisation program provide a roadmap for transition. Australia’s Critical Infrastructure Risk Management Program similarly positions quantum readiness within a broader push for cyber maturity. But real-world implementation, especially across OT, is still patchy.

Meeting the quantum threat requires governments, regulators and industry to work in concert. This starts with mandating post-quantum cryptography for critical communications, especially in domains where data must remain confidential for the long term. This isn’t a premium feature. It’s a baseline for strategic continuity.

Next, we need investment in quantum-resistant data tunnels, built to operate in contested or degraded environments. These secure channels must be independent of lower-trust networks and resilient even in black-start or disconnected conditions.

Supply chains must also be reassessed. Firmware signing, vendor update mechanisms and remote access protocols must be evaluated for quantum-resilience. A system is only as strong as its weakest trusted component.

Front-line staff, particularly field technicians and engineers, must be trained to spot subtle anomalies. HNDL-style breaches won’t trip conventional alarms. But informed human operators are often the first to notice when something feels wrong, before systems do.

Finally, contingency planning must evolve. If data loss today could be weaponised years from now, response plans must treat that loss as a latent threat, not a closed incident. Recovery isn’t enough; organisations must anticipate re-exploitation on longer timelines.

The most dangerous cyberattack may not be the one we can’t detect; it’s the one we’ve already forgotten.

HNDL forces a change in mindset. It shifts the conversation from recovery to irreversibility. Once sensitive data is lost, it can’t be made safe again. It can be only mitigated, redesigned, or prepared for impact. Quantum threats are not abstract. They are real, cumulative and already embedded in the systems we depend on.

The fuse is lit. We don’t know how long it is. But we do know this: the time to act was yesterday. The next best time is now.

Australia can learn from Britain on cyber governance

Australia needs to reevaluate its security priorities and establish a more dynamic regulatory framework for cybersecurity. To advance in this area, it can learn from Britain’s Cyber Security and Resilience Bill, which presents a compelling model for reforming our own cyber governance and standards.

Amid the increasing frequency and sophistication of cyber threats and geopolitical tensions, complacency is no longer an option. The risks of inaction are significant, potentially including economic turmoil, disruption of essential services and threats to national sovereignty.

Australia must transition away from a system of voluntary compliance and instead introduce enforceable regulations. Britain’s cyber bill imposes clear obligations on providers across critical sectors such as transport, energy, health, communications and even extends to digital service providers. In contrast, Australia still relies on sector-led initiatives and non-binding guidelines. As cyber attackers become increasingly adept, our legislative frameworks must evolve. Voluntary standards can no longer serve as a sufficient baseline for national security.

Furthermore, regulatory bodies in Australia lack the authority needed to enforce compliance. Britain’s framework empowers regulators to designate ‘critical suppliers’, demand incident reports and impose penalties for non-compliance. While Australia has established agencies such as the Australian Cyber Security Centre (ACSC) and the Cyber and Infrastructure Security Centre within Home Affairs, they lack the legal authority to conduct audits and enforce regulations across various sectors. Without robust oversight, regulations risk becoming mere formalities.

Australia also must abandon a one-size-fits-all regulatory approach. Different sectors face unique cyber threats; the needs of a hospital differ significantly from those of a logistics company or a power provider. Britain’s sector-specific regulations serve as a useful framework that Australia can adopt, tailoring obligations to reflect sector-specific operational realities and threat profiles.

Cyber regulation is an ongoing process, not a static checklist. A resilient cyber regime is built through continuous refinement guided by experience and international best practices. Australia must remain receptive to insights from global partners, including Britain, and incorporate effective international measures into its domestic model. A siloed approach will only hinder our progress. The Aspen Institute emphasises the importance of interoperable cybersecurity regulations in addressing the interconnected nature of cyber threats and fostering effective cross-border cooperation.

Recent statistics underscore the urgency of reform. In 2023–24, the ACSC reported more than 87,400 cybercrime incidents, averaging one report every six minutes. The financial impact is escalating, with individual self-reported losses averaging around $30,700—17 percent more than a year earlier. High-profile breaches, including the April incident affecting major superannuation funds and prior breaches at Optus and Medibank, highlight the scale of the threat and the ongoing vulnerability of our critical infrastructure.

The economic cost of cybercrime in Australia was estimated at up to $29 billion in 2020, encompassing business disruption, recovery, reputational damage and loss of consumer trust. Beyond the monetary implications, each breach erodes public confidence in government and national resilience.

Fortunately, Australia isn’t starting from scratch. The government has already made strides in enhancing its cyber defences. The 2024 Cyber Security Act introduced significant reforms, including mandatory ransomware reporting and minimum standards for smart devices. Amendments to the Security of Critical Infrastructure Act have expanded coverage and improved information-sharing mandates. Upcoming reforms to the Privacy Act aim to harmonise protections across sectors.

While these initiatives are necessary, they aren’t sufficient.

To strengthen our cyber resilience, Australia must connect these reforms into a cohesive, enforceable framework. Inspired by Britain’s approach, Australia should make six key moves. It should:

—Ensure legislative clarity and mandates by transitioning from recommendations to binding standards for essential service operators, with penalties for non-compliance;

—Introduce proactive regulatory power by equipping agencies such as the ACSC with the legal authority to investigate, audit and enforce compliance;

—Implement mandatory incident reporting including the swift reporting of significant cyber incidents through centralised platforms to enhance cross-sector threat sharing and response;

—Tailor rules to be sector-specific through customised guidelines for critical sectors including healthcare, energy, finance, transport and communications;

—View cyber resilience as a geopolitical priority by coordinating response and recovery plans, public preparedness campaigns and joint exercises with industry; and

—Develop a world-class cyber workforce, by treating the talent gap in cyber security as a strategic priority, funding education and creating attractive career paths.

Australia has taken important first steps. But the gap between policy ambition and practical implementation remains wide. The choices made now regarding our cybersecurity posture will have profound and lasting consequences for our national security, economic prosperity and social stability. Britain’s bill offers a roadmap and lessons that Australia should adopt and adapt with urgency and decisiveness.

Strengthening South Korea’s national security by adopting the cloud

To improve its national security, South Korea must improve its ICT infrastructure. Knowing this, the government has begun to move towards cloud computing.

The public and private sectors are now taking a holistic national-security approach that includes the country’s military capability and cybersecurity. Success in this approach will require an improved competitive edge across emerging technologies to project and defend national power.

Cloud-based ICT infrastructure provides scalable computing capacity by managing vast quantities of data and adapting to varying workloads. From a defence perspective, flexible computing capacity enables rapid scaling during different mission phases.

Beyond modernising internal ICT infrastructure and military readiness, increasing South Korea’s cloud uptake could improve the country’s military interoperability with regional partners by facilitating real-time sharing of data at lower levels of classification and sensitivity.

Such information sharing is particularly important considering the international growth of South Korea’s defence industrial base, which includes Hanwha’s facility in Australia and Korea Aerospace Industries’ ongoing support to the Philippine Air Force to enhance its air combat capabilities. Furthermore, if South Korea participates in specific AUKUS Pillar 2 projects, a common federated cloud-based platform could foster secure information-sharing, advancing collaborative development of advanced technological capabilities.

The South Korean government has introduced initiatives and policies to catch up on cloud adoption, including the 2015 Act on the Development of Cloud Computing and Protection of its Users, the 2022 Digital Strategy and a series of plans in 2024. But to improve cloud uptake in line with these policies and strengthen national security, the South Korean government must overcome several barriers.

The first of these barriers relates to the Cloud Security Assurance Program, a certification that cloud service providers (CSPs) must receive before working with South Korean government agencies. Despite a reformation in 2022, the certification process remains complex and lengthy. Australia’s Certified Cloud Services List program faced similar criticism for its complexity, and was terminated in June 2020 following an independent review by the Australian Signals Directorate.

ASD’s review into Australia’s cloud services list outlined a need for greater industry engagement, for example through co-designed cloud security guidelines and the establishment of industry consultative mechanisms. In South Korea, regulatory reform processes—sparked by uptake challenges in the public sector—must engage CSPs to better meet provider needs.

This will require a careful balancing act. Although international CSPs can now serve government agencies, their ability to support public systems managing sensitive or private data—labelled as mid-risk and high-risk tier segments—is limited. Conversely, domestic CSPs have argued that the entry of international CSPs into the government market threatens their survival.

While market competition is healthy, the concerns of domestic CSPs mustn’t be understated—the government plays an important role in the success of domestic tech companies, such as Samsung and Naver, which are now points of national pride.

To meet the commercial interests of both international and domestic CSPs, international-domestic collaborations must continue to be brokered in South Korea. One recent example is between KT Corporation and Microsoft Corporation, which involves the development of a sovereign cloud solution to drive cloud and AI innovation in the public sector and regulated industries.

The second barrier to cloud uptake is the country’s relatively low level of necessary expertise. Cloud-specific skills are required for organisations to assess the benefits of implementing cloud services. Despite the country’s technologically advanced status, a 2021 OECD report stated that less than 15 percent of South Korean small and medium enterprises provided general ICT education to employees.

The third barrier, also linked to inadequate cloud expertise, is perceived security concerns. South Korean enterprises are conscious of the risks that cyberattacks pose, such as those that North Korea’s Lazarus group has been conducting since 2009.

Many leading CSPs offer cyber protections through mitigation as well as response and recovery at scale, which would become particularly important in major combat operations near the Korean Peninsula, such in the South China Sea. However, organisations with limited cloud expertise often stick to existing systems due to misconceptions around cloud security and the perceived burden of data protection under the shared responsibility model.

To overcome these final two barriers, ICT professionals must upskill. Beyond government-led initiatives, such as a 2021 plan to nurture a talent pool of 10,000 cloud-trained professionals, CSPs are taking the lead. For example, Amazon Web Services Korea offers free cloud-computing education to South Korean jobseekers.

South Korea’s slow adoption of cloud computing presents a gap in its national security and technological competitiveness. The government has recognised cloud infrastructure as essential to strengthening national power and interoperability with allies and partners—ultimately supporting defence, economic growth and emerging technologies. This has pushed South Korea to develop uptake strategies, but regulatory hurdles, low digital literacy and security concerns are persistent challenges. Encouraging collaboration between CSPs and improving digital literacy will only become more important as cloud technology becomes central to South Korean security.

Australia needs a civilian cyber reserve. State emergency services are the model

Australia should follow international examples and develop a civilian cyber reserve as part of a whole-of-society approach to national defence.

By setting up such a reserve, the federal government can overcome a shortage of expertise in cybersecurity and increase national resilience to cyber threats. It could be modelled along the lines of state emergency services.

In doing so, the government should consider the way state emergency services are formed and mobilised when needed. Legal safeguards will also be needed to protect the recruits and also organisations that would receive assistance from the reserve when subject to cyberattack.

Malicious cyber activities are a persistent threat faced by nation states globally—from cyber operations against critical infrastructure, to cyber-enabled disinformation operations seeking to undermine social cohesion.

As noted by the director-general of the Australian Security Intelligence Organisation, Mike Burgess, the cyber threats faced by Australia include those from nation states seeking to pre-position themselves in Australia’s critical infrastructure, allowing them to carry out more disruptive and destructive attacks in the future. At the same time, a global skills shortage in the cybersecurity workforce undermines the capacity to defend against these threats.

In response to these issues, several countries are seeking to harness volunteers in cybersecurity and defence. Funded by the Department of Defence’s Strategic Policy Grants Program, we are currently carrying out research mapping out some of the key initiatives around the world.

The United States, for example, is carrying out a pilot project establishing a Civilian Cybersecurity Reserve. This was in response to recommendations made by the US National Commission on Military, National, and Public Service which in 2020 argued that a federal civilian cybersecurity reserve would allow US agencies to obtain additional cybersecurity capacity from cyber experts when needed. These recommendations were echoed in the 2020 final report of the US Cyberspace Solarium Commission which argued that a cyber reserve would play a key role in mobilising surge capacity using existing links between the private sector and the government.

The developments in the US follow similar developments elsewhere. Ukraine’s IT Army made headlines in 2022 when it called on hackers from around the world to join Ukraine’s defence against Russian aggression.

Estonia’s Cyber Defence Unit, within its Defence League, was established already in 2011 following large scale distributed denial of service attacks against Estonia a few years prior. Another example is the Cyber Peace Builders NGO which helps connect corporate volunteers with not-for-profit organisations to improve their cybersecurity.

The proposed US federal-level cyber reserve also follows from developments in several US states that already have similar structures in place. These began with the Michigan Civilian Cyber Corps, established in 2013; a growing number of states including Ohio, California and Texas have followed suit. These civilian cyber reserves engage in a variety of activities, ranging from education in schools and public organisations, cybersecurity audits, and incident response. They can provide high-level training and certifications for their members for free and organise cyber war games exercises for participants.

Often compared to volunteer firefighters or other volunteer-based emergency services, cyber reserve organisations provide an opportunity for cyber experts to give back to society and help increase cybersecurity awareness, resilience and preparedness. For example, in March 2025 the Ohio Cyber Reserve responded to a cyber incident affecting the municipal court of the city of Cleveland, and it also deployed in 2024 when the city of Cleveland was subject to a ransomware attack by Russia-affiliated actors.

Australia should follow and create a civilian cyber reserve. However, several considerations must be addressed for it to be effective. These include the appropriate structure, membership, criteria for organisations to be eligible for support, and relevant legal safeguards.

In terms of structure, it could be modelled on existing organisations such as state emergency services which operate at the state level and are designed to help communities both prepare and respond to natural disasters. Initial members could be recruited from those with a high level of cybersecurity expertise, but gradually the membership base can be built through training and upskilling of volunteers with general cybersecurity skills or other relevant subject matter knowledge.

The identification of eligible organisations should start with public organisations at the state and local levels, including schools and hospitals. Finally, appropriate legal structures will need to be explored to protect volunteers, as well as to protect the confidentiality of organisations seeking support.

Creating a civilian cyber reserve can promote a culture of cybersecurity and be an avenue through which volunteers can use their expertise to help others and give back to the community. Having a structure like this in place in peacetime also provides a potential capability that can be harnessed in times of crisis or conflict.

Australia’s cyber strategy needs a vulnerability disclosure upgrade

Australia is in a race against time. Cyber adversaries are exploiting vulnerabilities faster than we can identify and patch them. Both national security and economic considerations demand policy action.

According to IBM’s Data Breach Report, the average cost of a data breach in Australia reached a record $4.26 million in 2024. By contrast, identifying vulnerabilities through ethical hackers costs on average $1670, according to HackerOne’s annual security report.

The equation is simple: preventing breaches through the disclosure of vulnerabilities is far cheaper than dealing with the fallout of a successful attack.

While vulnerability disclosure programs are mandatory for Australian government entities under the Protective Security Policy Framework, they are not required for other organisations. Any organisation can start such a program without significant outlay, though some use rewards to incentivise testing.

Certainly, the Australian government has made progress. Amendments to the Security of Critical Infrastructure Act imposed stronger cybersecurity obligations. The Cybersecurity Act, passed in November 2024, also lays a foundation for addressing cyber risks. One promising element of the act is the development of a security standard for connected devices, which will require manufacturers to provide structured channels for ethical hackers to report vulnerabilities.

This measure should be an early step toward a national coordinated vulnerability disclosure policy. Such disclosure, often including a public-facing vulnerability disclosure program, is a cybersecurity best practice that provides clear guidelines for ethical hackers to report vulnerabilities to organisations before malicious actors can exploit them. Coordinated vulnerability disclosure may also encompass vulnerability rewards programs, also known as bug bounty programs, that, through reward, incentivise ethical hackers to responsibly disclose vulnerabilities.

In addition to the rising costs of breaches, our cyber adversaries are pushing ahead with the exploitation of existing bugs and hoovering up new ones.

The widely reported Volt Typhoon operation offers an insight into the national security threat. Since at least mid-2021, state-backed Chinese hackers strategically pre-positioned themselves within critical systems in the United States.

The 2024 Annual Threat Assessment from the US Office of the Director of National Intelligence underscores the intent behind such operations:

If Beijing believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure and military assets. Such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces.

Cooperation with Five Eyes partners has led to joint advisories and critical network threat-hunting efforts, but the Volt Typhoon operation underscores that unmitigated vulnerabilities pose a strategic risk for Australia.

China has taken deliberate steps to make operations using unmitigated vulnerabilities not only viable but the new normal. To get to this operational footing, China integrated vulnerability reporting into its national cybersecurity framework. Under China’s 2021 National Security Law, all cybersecurity vulnerabilities, particularly those in critical infrastructure, must be reported to authorities regardless of mitigation status. By all accounts, China has done a remarkable job of setting up a framework to industrialise vulnerability disclosure to further its strategic objectives.

Australia is making progress, but not quickly enough to keep pace. Other states’ vulnerability collection and exploitation efforts are advancing much more quickly. China’s strategic use of zero-day exploits demonstrates how adversaries can rapidly identify, collect and weaponise vulnerabilities, gaining a significant tactical advantage.

As the Australian government moves into Horizon Two of the National Cyber Security Strategy 2023–2030, it must prioritise addressing long-term vulnerabilities and increasing resilience. The next phase of the strategy should include the formalisation of a national coordinated vulnerability disclosure policy, including the strong endorsement of vulnerability disclosure programs to encourage an economy-wide ‘see something, say something’ approach to cybersecurity.

One important element of it could also include federal funding of bug bounty programs across the federal government. This would also bring Australia in line with the US and Britain, who have embraced these programs to identify and report vulnerabilities in their defence portfolios. At a time when the security of the AUKUS program is paramount, any gap that leaves Australia’s defence systems vulnerable to undetected exploits could jeopardise national security and undermine our allies’ confidence in Australian information security.

In an era of evolving cyber threats, Australia’s national security and economic future depend on the resilience of its digital infrastructure. A national coordinated vulnerability disclosure policy is essential for addressing vulnerabilities before they are exploited. With cyber adversaries such as China shifting their cyber doctrine to exploit vulnerabilities, the time to act is now.

Red tape that tears us apart: regulation fragments Indo-Pacific cyber resilience

The fragmentation of cyber regulation in the Indo-Pacific is not just inconvenient; it is a strategic vulnerability.

In recent years, governments across the Indo-Pacific, including Australia, have moved to reform their regulatory frameworks for cyber resilience. Though well-intentioned, inadequate coordination with regional partners and stakeholder consultations have created a situation of regulatory fragmentation—the existence of multiple regulatory frameworks covering the same subject matter—within and among Indo-Pacific jurisdictions.

This inconsistency hinders our ability to collaboratively tackle and deter cyber threats, essentially fragmenting the cyber resilience of the Indo-Pacific.

Regulatory fragmentation threatens regional security for three key reasons.

Firstly, it impedes technical efficiency. While we tend to think of cyberspace as borderless, its composite parts are designed, deployed and maintained on the territory of states that enact their own laws and regulations. Factors such as threat perception, the organisation of the given state and its agencies, and regulatory culture shape these frameworks. The degree to which the state provides essential services and owns physical and digital infrastructure also influences framework development.

As governments introduce complex regulatory obligations for cyber resilience, most digital services providers and ICT manufacturers will have to divert resources from efforts that would otherwise enable them to prepare for and respond to threats more effectively and across jurisdictions. Ironically, this undermines the effectiveness of regulatory regimes for cyber resilience in the first place.

In addition, complex and confusing nation-specific requirements push regulatees to follow a checkbox approach to cyber resilience, rather than a holistic, risk-informed and agile one. Boards may prioritise meeting the bare minimum of regulatory requirements instead of maintaining a risk management posture commensurate with the rapidly evolving threat environment.

Secondly, regulatory fragmentation undermines innovation. Complex regulatory regimes—especially for government procurement and for critical infrastructure operators—can seriously undermine competition and innovation. Startups and smaller vendors (looking to sell to such entities) have to divert scarce resources away from research, development and innovation to fund compliance with a maze of obligations. This is especially problematic for small and medium enterprises in sectors reliant on innovation—such as cyber resilience and advanced manufacturing—as regulatory risk mitigation can deny these firms the ability to scale and expand into new markets.

Thirdly, regulatory fragmentation impedes trust in partnerships. A jurisdiction’s regulatory robustness in relation to cyber resilience is a key factor in determining the suitability of partners in sensitive policy domains.

For example, while Japan has taken steps to invest in its national cyber resilience, particularly after Chinese hackers compromised government networks, the United States has remained cautious about Japan’s ability to protect sensitive information. Through sections 1333 and 1334 of the National Defense Authorization Act for Fiscal Year 2025, the US Congress tasked the Departments of State and Defense with reporting on issues such as: the effectiveness of Japanese cyber policy reforms since 2014; Japanese procedures for protecting classified and sensitive information; and how Japan ‘might need to strengthen’ its own cyber resilience ‘in order to be a successful potential [AUKUS Pillar 2] partner’.

Collaboration requires trust. That trust hinges not just on the quality and harmonisation of regulatory frameworks; it also depends on whether they’re enforced and underpinned by a shared appreciation of the cyber threat environment, including in relation to state-sponsored actors looking to preposition themselves in critical infrastructure assets and steal intellectual property.

That trust also relies on a shared appreciation of the importance of removing unnecessary impediments to innovation, including the growth of allied and partner capability, and threat mitigation by stakeholders, which is itself contingent on shared political will.

After all, regulatory fragmentation is politically driven. Leaders, ministers, officials and regulators each seek to satisfy constituents at home and exert influence abroad over cyber policy. They may prefer to clean the cobwebs through visible operational reactions rather than kill the spider through holistic, long-term preparation.

Such political considerations may disregard commercial and technical realities when regulatory parameters are determined in the interests of digital sovereignty, including when it comes to (not) banning technology vendors.

Fixing this is a tall order but not impossible. Australia and its partners could consider establishing a baseline degree of regulatory harmonisation and reciprocity. This could include factors such as:

—Definitions of the subjects and objects of cyber regulation;

—Thresholds and deadlines for reporting breaches of cyber resilience to the state;

—Standards and controls that regulatees must implement, and outcomes they must achieve;

—Technology supply chain risk management requirements, including methods to assess whether procuring technology from certain vendors is too risky;

—Types of penalties for non-compliance; and

—Powers of the state to gather information or intervene in the operations of regulatees.

Allies and partners must better align their regulatory frameworks. Be it via multi-stakeholder collaboration or multilateral regulatory diplomacy, tackling regulatory fragmentation will make the Indo-Pacific more cyber-resilient.

Let us tear away the red tape that tears us apart.

The five-domains update

Sea state

Australian assembly of the first Multi Ammunition Softkill System (MASS) shipsets for the Royal Australian Navy began this month at Rheinmetall’s Military Vehicle Centre of Excellence in Redbank, Queensland. The ship protection system, which uses launched decoy projectiles to defeat incoming sensor-guided missiles, will be integrated into Australia’s ANZAC-class frigates and Hobart-class destroyers. The system has already been operated by New Zealand’s two ANZAC-class frigates for about 10 years.

Last week, Defence announced upgrades to the main transmitter at the Harold E Holt Communication Station near Exmouth, Western Australia—the first major overhaul since the facility was commissioned by the US navy in 1967. The Australian-operated very-low-frequency antenna array contributes to US nuclear deterrent through long-range communication with US ballistic-missile submarines. Maintenance will be carried out on a rolling schedule, to ensure the station remains in operation.

Flight path

China’s J-36 stealth fighter was back in the sky for its second test flight, this time flying solo. The test flights seemingly reveal two unique features: a diverterless supersonic inlet design that assists in regulating air flow and a three-engine layout. Both features suggest supersonic speed capabilities. The timing of its debut signals China’s readiness to challenge the United States’ aerial dominance in the Asia-Pacific region. Last weekend the US made a surprise announcement awarding the Next Generation Air Dominance contract to Boeing for the F-47 fighter jet.

Canada will become the first buyer of Australia’s Jindalee Operational Radar Network (JORN). The world-leading radar technology system can detect and track targets thousands of kilometres away by refracting high frequency radio signals. Its sale could be Australia’s biggest defence export to date. The surprise announcement from new Canadian Prime Minister Mark Carney comes despite the US’s long-held interest in acquiring the technology.

Rapid fire

The first two of 42 planned High Mobility Artillery Rocket Systems (HIMARS) vehicles were delivered to Australia this week. The Albanese government accelerated the acquisition of the US-made precision-strike platform. The systems will be fielded by the 10th Fires Brigade and improve army capabilities. The delivery follows the signing of a memorandum of understanding between Australia and the US in March for co-assembly of Guided Multiple Rocket Launch System (GMLRS) munitions for use with HIMARS platforms. Assembly will begin at Orchard Hills in Western Sydney later this year.

At the end of February, Defence Minister Richard Marles inspected the first batch of the Australian army’s new AS9 self-propelled artillery and AS10 armoured ammunition resupply vehicles. The South Korean designs will be manufactured by Hanwha at its Armoured Vehicle Centre of Excellence at Avalon. Australian supply chain partners are already producing components to support delivery. The AS9 is the army’s first self-propelled artillery piece. The army currently operates M777 towed artillery.

Final frontier

An Australian-made nanosatellite was successfully launched into low-Earth orbit as part of Defence’s Buccaneer project. Weighing less than ten kilograms, Buccaneer Main Mission was a collaboration between Adelaide-based Inovor Technologies and the Defence Science and Technology Group. Over its 12-month operational lifespan, the nanosatellite will gather data on how radio waves propagate through the upper atmosphere, potentially improving Australia’s over-the-horizon radar capabilities.

At the end of last month, US-based Varda Space Industries retrieved its Winnebago-2 space capsule after re-entry over remote South Australia. The landing site, Koonibba Test Range, is about 500km north-west of Adelaide. It is operated by Australian firm Southern Launch in partnership with the Koonibba Community Aboriginal Corporation. As the first commercial return to a commercial spaceport anywhere in the world, this is a landmark moment for Australia’s space industry.

Wired watchtower

Microsoft has released research showing that Russian state-sponsored hacking groups are expanding cyber operations to target critical infrastructure and governmental organisations in Western countries, including Australia. The BadPilot campaign is associated with Russian state actor Seashell Blizzard, and intrusions have targeted sectors such as energy, telecommunications and defence manufacturing. Hackers exploit known but unpatched vulnerabilities in widely used IT management and remote access software platforms. Once they gain access, they maintain their presence in compromised networks using legitimate remote-access tools such as Atera Agent and Splashtop remote services.

The Australian Securities and Investments Commission is taking fixed-income broker FIIG Securities to court after a 2023 cyberattack. The attack affected FIIG’s entire IT network and resulted in the theft of approximately 385 gigabytes of confidential data, potentially exposing the personal information of around 18,000 clients. ASIC alleged that FIIG failed to update and patch its software and lacked sufficient cybersecurity measures, leaving its systems exposed to intrusion and data theft. This breach contributed to growing concerns over Australia’s cybersecurity resilience and was part of a broader pattern of intrusions, including those attributed to state-backed groups.

The threat spectrum

 

Information operations

Australia has banned cybersecurity software Kaspersky from government use because of risks of espionage, foreign interference and sabotage. The Department of Home Affairs said use of Kaspersky products posed an unacceptable security risk to the Australian government, networks and data. Government agencies have until 1 April 2025 to remove the software from all systems and devices. The ban follows a February decision to ban Chinese-owned AI platform DeepSeek from all government systems and devices.

Among members of the Five Eyes intelligence partnership, Canada, Britain and the United States had already announced restrictions on use of Kapersky products. The US banned sales and licensing of Kaspersky products within the US or by US citizens last year over fears of Russian control and influence over the company. Kaspersky said the US decision arose from the current geopolitical climate rather than technical assessments of its products.

Follow the money

Talks in Canberra last week over the future of Darwin Port and its lease to Chinese infrastructure operator Landbridge Group ended in a fizzle. Northern Territory officials met with federal counterparts after federal Labor member of parliament Luke Gosling said the government was examining options for buying back the 99-year lease. The federal opposition supported that proposal, citing the strategic significance of the port for Australian and US defence posture in the country’s north.

But last week’s meeting ended with no clear pathway forward. Northern Territory Infrastructure Minister Bill Yan expressed dismay that the federal government, citing election timing, declined to make concrete commitments about the port.

The meeting followed recent uncertainty over Darwin Port’s finances. Last November the Port disclosed a $34 million net loss for the financial year 2023–24. The port company also said Landbridge had defaulted on corporate bonds worth $107 million and might sell some of its Chinese assets in coming months.

Terror byte

A new report from Australia’s eSafety Commissioner reveals that between April 2023 and February 2024 Google received 258 user reports of suspected deepfake terrorist content made using its own AI software, Gemini. Commissioner Julie Inman Grant characterised these and other gaps in Google’s content moderation as ‘deeply concerning’.

The commissioner issued transparency reporting notices to Google, Meta, WhatsApp, X, Telegram and Reddit in March 2024 requiring each company to report on its progress in tackling harmful content and conduct online. X challenged the notice in the Administrative Review Tribunal, and Telegram has been fined over $950,000 for its delayed response. The commissioner’s report, released last week, finds Big Tech’s progress on content moderation unsatisfactory, highlighting slow response times, flawed implementations of automated moderation, and the limited language coverage of human moderators.

The eSafety commissioner has repeated calls for platforms to implement stronger regulatory oversight and increase transparency on harm minimisation efforts. This follows the latest annual threat assessment from the Australian Security Intelligence Organisation, which stressed the importance of stricter content regulation in prevention against radicalization and highlighted the role that tech companies can play in this domain.

Democracy watch

The New South Wales state government introduced new hate-crime laws into parliament in response to rising antisemitic and Islamophobic violence, including a 580 percent increase in Islamophobic incidents and threats against places of worship. These laws, which the parliament passed, expanded offences of advocating or threatening violence, imposed mandatory minimum sentences and strengthened measures to prevent ideologically motivated attacks. While intended to safeguard public safety and national stability, they have sparked concerns regarding possible infringement of democratic principles, particularly freedom of expression.

While these laws aim to curb hate-fueled violence, critics argue that they may limit free expression. Others say they create loopholes. The legislation permits individuals to cite religious text in discussions, shielding certain forms of extremist rhetoric from prosecution. Additionally, the introduction of mandatory minimum sentences has been criticized for potentially undermining judicial discretion and disproportionately affecting marginalised groups.

Planet A

Tropical Cyclone Sean forced Rio Tinto to shut down Dampier port in Western Australia for five weeks in early 2025, costing 13 million metric tons in lost exports. In 2019, Cyclone Veronica closed Port Hedland, reducing Rio Tinto’s iron ore production for the year by an estimated 14 million metric tons. More recently, in February 2025, Cyclone Zelia closed Port Hedland and Dampier, disrupting iron ore shipments and halting operations at BHP, Rio Tinto, and Fortescue Metals.

An ASPI report released on the 50th anniversary of Cyclone Tracy recommended that disaster resilience must go beyond infrastructure reinforcement. To mitigate climate risks, the country also needs advanced predictive technologies, such as satellite monitoring, and early warning systems.

Reaction isn’t enough. Australia should aim at preventing cybercrime

Australia’s cyber capabilities have evolved rapidly, but they are still largely reactive, not preventative. Rather than responding to cyber incidents, Australian law enforcement agencies should focus on dismantling underlying criminal networks.

On 11 December, Europol announced the takedown of 27 distributed platforms that offered denial of service (DDoS) for hire and the arrest of multiple administrators. Such a criminal operation allows individuals or groups to rent DDoS attack capabilities, which enable users to overwhelm targeted websites, networks or online services with excessive traffic, often without needing technical expertise.

The takedown was a result of Operation PowerOFF, a coordinated and ongoing global effort targeting the cybercrime black market. While the operation has demonstrated the evolving sophistication of international law enforcement operations in tackling cyber threats, it has also exposed persistent gaps in Australia’s cyber enforcement and resilience. To stay ahead of the next wave of cyber threats, Australia must adopt a more preventative approach combining enforcement with deterrence, international cooperation, and education.

Operation PowerOFF represents a shift in global cybercrime enforcement, moving beyond traditional reactive measures toward targeted disruption of cybercriminal infrastructure. Unlike previous efforts, the operation not only dismantled illicit services; it also aimed to discourage future offenders, deploying Google and YouTube ad campaigns to deter potential cybercriminals searching for DDoS-for-hire tools. This layered strategy—seizing platforms, prosecuting offenders and disrupting recruitment pipelines—serves as a best-practice blueprint for Australia’s approach to cybercrime.

The lesson from Operation PowerOFF is clear: Australia must shift its cyber strategy from defence to disruption, ensuring that cybercriminals cannot operate with impunity.

One of the most effective elements of Operation PowerOFF is its focus on dismantling the infrastructure of cybercrime, rather than just arresting individuals. By taking down major DDoS-for-hire services and identifying more than 300 customers, Europol and its partners effectively collapsed an entire segment of the cybercrime market.

This strategy is particularly relevant for Australia. Cybercriminal operations frequently exploit weak legal frameworks and enforcement gaps in the Indo-Pacific region. Many DDoS-for-hire services, ransomware networks and illicit marketplaces are hosted in jurisdictions with limited enforcement capacity, allowing criminals to operate across borders with little fear of prosecution.

Australia must expand its collaboration with Southeast Asian law enforcement agencies on cybercrime, ensuring that cybercriminal havens are actively targeted rather than passively monitored. Without regional cooperation, Australia risks becoming an isolated target rather than a leader in cybercrime enforcement.

Beyond enforcement, Australia must integrate preventative strategies into its cybercrime response. The low barriers to entry for cybercrime mean that many offenders—particularly young Australians—are lured in through gaming communities, hacking forums and social media.

Targeted digital deterrence, including algorithm-driven advertising campaigns, could disrupt this pipeline, steering potential offenders toward legal cybersecurity careers instead of cybercrime. An education-first approach combined with stronger penalties for repeat offenders, will help prevent low-level offenders from escalating into hardened cybercriminals, while helping to ensure that those cybercriminals face consequences.

Australia’s cybercrime laws must also evolve to address the entire cybercriminal supply chain, not just the most visible offenders. Operation PowerOFF showed that cybercrime is not just about the hackers who launch attacks, but also the administrators, facilitators, and financial backers who enable them.

Australian law enforcement should target financial transactions supporting cybercrime, using crypto-tracing and forensic financial analysis to dismantle cybercriminal funding networks. Harsher penalties for those who fund or facilitate DDoS-for-hire services could create a more hostile legal environment for cybercriminal enterprises, ensuring that they cannot simply relocate to more permissive jurisdictions. At the same time, youth diversion programs should be expanded, offering first-time cyber offenders rehabilitation options rather than immediate prosecution, preventing them from becoming repeat offenders.

Operation PowerOFF’s success is a win for international cybercrime enforcement, demonstrating that proactive, intelligence-driven disruption can dismantle even the most entrenched criminal networks.

But it is also a warning: without continuous vigilance, cybercriminals will regroup, rebrand, and relaunch. Australia must act now to strengthen its cyber enforcement, combining international cooperation, legal reform and preventative education to ensure that cybercriminals see Australia as a hostile environment for their activities, not a soft target.

Tag Archive for: Cyber

The road to artificial general intelligence, with Helen Toner

Australian AI expert Helen Toner is the Director of Strategy and Foundational Research Grants at Georgetown University’s Center for Security and Emerging Technology (CSET). She also spent two years on the board of OpenAI, which put her at the centre of the dramatic events in late 2023 when OpenAI CEO Sam Altman was briefly sacked before being reinstated.

David Wroe speaks with Helen about the curve humanity is on towards artificial general intelligence—which will be equal to or better than humans at everything—progress with the new “reasoning” models; the arrival of China’s DeepSeek; the need for regulation; democracy and AI; and the risks of AI.

They finish by discussing what will life be like if we get AI right and it solves all our problems for us? Will it be great, or boring?

Status update: Responsible state behaviour in cyberspace

2025 is a pivotal year for international cyber governance. Not only is it the tenth anniversary of the international community’s agreement to a global framework for responsible state behaviour in cyberspace, but it is also the year that the UN Open-Ended Working Group on security of and in the use of information and communications technologies will conclude its mandate. This sets the stage for the establishment of a more permanent mechanism for global cyber discussions.

To discuss these developments and reflect on how states around the world have interpreted and operationalised responsible state behaviour in cyberspace, ASPI’s Gatra Priyandita speaks with two leading cyber experts, Farlina Said from the Institute of Strategic and International Studies in Malaysia, and Louise Marie Hurel, from the Royal United Services Institute in London. 

Building cyber resilience with Lieutenant General Michelle McGuinness

In this episode of Stop the World, ASPI’s Executive Director Justin Bassi speaks with Australia’s National Cyber Security Coordinator Lieutenant General Michelle McGuinness CSC to discuss her role and how it helps protect Australians online.  

LTGEN McGuinness explores the dual role that the National Office of Cyber Security plays in preparing for and responding to increasing cyber incidents, the importance of building resilience to respond efficiently and effectively to them, and how preventative measures such as using multi-factor authentication can mitigate over 80 percent of cyber risks.  

Justin and LTGEN McGuinness also discuss the role that attribution plays in deterring malicious cyber activity and how attribution can improve mitigation strategies, drive norms and establish that Australia does not tolerate unacceptable behaviour in cyberspace. 

Guests: 

Lieutenant General Michelle McGuinness

Justin Bassi

Stop the World: TSD Summit Sessions: How to navigate the deep fake and disinformation minefield with Nina Jankowicz

The Sydney Dialogue is over, but never fear, we have more TSD content coming your way! This week, ASPI’s David Wroe speaks to Nina Jankowicz, global disinformation expert and author of the books How to Lose the Information War and How to Be a Woman Online.

Nina takes us through the trends she is seeing in disinformation across the globe, and offers an assessment of who does it best, and whether countries like China and Iran are learning from Russia. She also discusses the links between disinformation and political polarisation, and what governments can do to protect the information domain from foreign interference and disinformation.

Finally, Dave asks Nina about her experience being the target of disinformation and online harassment, and the tactics being used against many women in influential roles, including US Vice President Kamala Harris and Australia’s eSafety Commissioner Julie Inman Grant, in attempts to censor and discredit them.

Guests:
⁠David Wroe
⁠Nina Jankowicz

Stop the World: TSD Summit Sessions: Defence, intelligence and technology with Shashank Joshi

In the final lead-in episode to the Sydney Dialogue (but not the last in the series!), ASPI’s Executive Director, Justin Bassi, interviews Shashank Joshi, Defence Editor at the Economist.  

They discuss technology, security and strategic competition, including the impact of artificial intelligence on defence and intelligence operations, the implications of the no-limits partnership between Russia and China and increasing alignment between authoritarian states. They also cover the challenge of protecting free speech online within a framework of rules which also protects public safety.

They talk about Shashank’s latest Economist report ‘Spycraft: Watching the Watchers’, which explores the intersection of technology and intelligence, and looks at the history of intel and tech development, including advancements from radio to the internet and encryption.

The Sydney Dialogue (TSD) is ASPI’s flagship initiative on cyber and critical technologies. The summit brings together world leaders, global technology industry innovators and leading thinkers on cyber and critical technology for frank and productive discussions. TSD 2024 will address the advances made across these technologies and their impact on our societies, economies and national security.

Find out more about TSD 2024 here: ⁠https://tsd.aspi.org.au/⁠    

Mentioned in this episode: ⁠https://www.economist.com/technology-quarterly/2024-07-06⁠  

Guests:
⁠Justin Bassi⁠
Shashank Joshi

Stop the World: TSD Summit Sessions: Technology innovation and investment with Gilman Louie

The Sydney Dialogue (TSD) is just weeks away.

To help our listeners prepare for the forthcoming discussions at TSD, we are bringing you an interview with Gilman Louie, who was the first CEO of In-Q-Tel— set up in 1999 by the CIA as an independent, not-for-profit strategic investment firm —and Commissioner on the National Security Commission on Artificial Intelligence from 2018-2021. Gilman is co-founder and partner at Alsop Louie Partners, and he is also a co-founder and CEO of the America’s Frontier Fund, so there is no one better placed to talk about strategic competition, innovation and investment.

Director of the Sydney Dialogue, Alex Caples, asks Gilman about the role of technology as a component of state power, how the innovation landscape has changed in the United States and how the government and private sector are working together on innovation and investment in the design and manufacturing of technologies.

TSD is ASPI’s flagship event for cyber and critical technologies. The summit brings together world leaders, global technology industry innovators and leading thinkers on cyber and critical technology for frank and productive discussions. TSD 2024 will address the advances made across these technologies and their impact on our societies, economies and national security.

Find out more about TSD 2024 here: ⁠https://tsd.aspi.org.au/⁠

Guests:

⁠Dr Alexandra Caples⁠

⁠Gilman Louie

Stop the World: TSD Summit Sessions: Countering hybrid threats with NATO Deputy Assistant Secretary General James Appathurai

The countdown to the Sydney Dialogue (TSD) is on!  
 
In the second episode of ASPI’s TSD Summit Sessions, Justin Bassi, Executive Director of ASPI, speaks to James Appathurai, NATO’s Deputy Assistant Secretary General for Innovation, Hybrid and Cyber on all things tech, innovation, security and democracy.  
 
Justin and James discuss hybrid threats in the context of challenges in Europe and the Indo-Pacific, and how democracies in both regions need to work together to prevent and respond to these increasing activities. They explore the impact of technological innovation on security, the rise of artificial intelligence and deep fakes and the risks to democracies, including in elections.  
 
They discuss the challenges posed by Russia and China and how they are harnessing technology to achieve their goals. The conversation canvasses the need for a strategy of deterrence, not just in relation to conflict, but to counter threats below the threshold of war. Such a strategy will require some offence, not just defence, to protect both domestic democratic processes and the international rules-based order.  
 
Note: This episode was recorded prior to the NATO Summit, which took place in Washington DC on 9-11 July.  
 
Guests:  
Justin Bassi 
James Appathurai

Mapping China’s data harvesting and global propaganda efforts

ASPI has released a groundbreaking report that finds the Chinese Communist Party seeks to harvest user data from globally popular Chinese apps, games and online platforms in a likely effort to improve its global propaganda.

The research maps the CCP’s propaganda system, highlighting the links between the Central Propaganda Department, state-owned or controlled propaganda entities and data-collection activities, and technology investments in Chinese companies.

In this special short episode of Stop the World, David Wroe speaks with ASPI analyst Daria Impiombato about the key takeaways from this major piece of research.

Mentioned in this episode:
Truth and reality with Chinese characteristics

Guests:
David Wroe
Daria Impiombato