Tuesday, January 24, 2017

You've Been Hacked - how far should governments go to protect against the influence of foreign states?

Like most people with a broad digital footprint I've been hacked multiple times, usually in fairly minor ways.

Around ten years ago I had my PayPal account hacked through malware in the Amazon site, costing me $300.

PayPal staff insisted this was a legitimate payment for goods (which I hadn't ordered) being delivered to my legitimate address in Norway (despite having provably never visited the country). I've been very cautious & limited in my PayPal use since, and never recommend them.

Over Christmas last year my Social Media Planner site was hacked and seeded with malware. Fortunately my IT team was able to identify, isolate and address the matter, without affecting visitors, but costing me financially (two weeks downtime). It's fine now BTW, with extra protections in place.

I've had a Skype account taken over by someone in Eastern Europe, who used it for phishing before I could reclaim it, and had basic account details stolen in Yahoo, LinkedIn, DropBox and a range of other large-scale hacks of commercial services over the last five years - excluding the Ashley Madison hack (I've never been a member).

I'm not the only one affected by any means - well over 10 billion accounts were hacked in 2016 alone, with Australian politicians, police and judges outed as affected in at least one of these hacks (and a few in this one too).

Much of this widespread hacking results in the theft of limited personal information. On the surface it may appear to pose little risk to individuals or organisations. 

However the individual reuse of passwords and usernames can turn these hacks into a jackpot. This allows hackers, and clients they sell hacked data to, to access a wider range of accounts for individuals, potentially uncovering richer information that is useful for identity theft, economic theft, intelligence gathering or for influencing decisions and behaviour.

Despite all the reports of hacking, it seems many people still treat this lightly - the world's most popular password remains '123456'.

Most governments, however, do not. Securing their networks is a major challenge and a significant expense item. The data agencies hold has enormous political and economic value that could be easily misused to the detriment of the state if it falls into the wrong hands, or into the right hands at the wrong time.

It's not simply about troop movements or secret deals - early access to economic or employment data, access to the 'negotiables' and 'non-negotiables' for a trade deal, or even to the locations and movements of senior political figures (to know who they meet and for how long) can be used for the financial and political advantage of foreign interests at the expense of a state's own interests.

For the most part, Australia's government is decent at managing its own network security. This isn't perfect by any means, but there's a good awareness of the importance of security across senior bureaucrats and largely effective ongoing efforts by agencies to protect the secure data they hold.

However in today's connected world national interest goes far beyond the networks directly controlled and managed by governments. As we've seen from the US (and now Germany), political parties and individual politicians have also become hacking targets for foreign interests.

This isn't surprising. Politicians, potential politicians and even academics have long been targets for funding assistance and free or subsidised study trips to nations hoping to cultivate influence in various ways. In fact these approaches provide some positive benefits as well - by creating personal relationships between powerful people that can lead to improved national relationships, trade deals and even avert wars.

Hacking, however, has few of these positives, as we saw in the release of Democratic National Congress emails by Wikileaks, which were most likely obtained through Russian state-sponsored hacking and likely was designed to influence the US's election outcome.

Whether you believe the cumulative findings of the US intelligence community or not, it is certain that foreign states, and potentially large multinational corporations, will continue to target political parties, and individual politicians, seeking insights into how they think and levers of overt and covert influence for economic and political gain.

Hacking will continue to grow as one of the major tools in this work.

The Australian Government is taking this seriously - and kudos to them for this.

However even this focus on political parties neglects a wide range of channels for influencing current and potential future politicians. What about their other memberships and personal accounts?

Politicians and potential politicians are well-advised to position themselves in various community and business groups to improve their networks, build relationships and future support. They are also just as likely as other Australians to use the internet - for work and personal reasons.

This means they're likely to have numerous online accounts with both domestic and foreign-owned services, with varying levels of security and access control. 

On top of this, it's not simply politicians who may be the targets of influence. Political advisors and activists often shape and write party policy positions, despite never being publicly elected. Influence an advisor and you can influence policy, as the many registered lobbyists know only too well.

Equally bureaucrats across government often are exposed to material that could, if shared with foreign interests, cause some form of harm to a state. We've seen this in insider trading by an ABS staff member, where the economic gain to the individual public servant outweighed his good judgement and public duty.

While bureaucrats are security assessed to a significant degree (unlike our politicians) and selection processes are in place, backed by rules and penalties, to screen out the 'bad eggs', the potential for public servants to be influenced through hacking their personal accounts has risen along with their internet use.

Right now we're in an environment where the number of attack vectors on a politician, an advisor and on individual public servants, is much higher than at any past time in history - while our tools for protecting against foreign influences have not kept up.

Of course this goes both ways - our government also has the capacity, and often the desire, to influence decisions or negotiations by other states. We've seen ample evidence of this, although it isn't really a topic our government wants to discuss.

The question for me, and I don't have a solid answer yet, is how far technically should a government go to limit the influence of foreign states.

Should governments merely advise political parties on how to secure themselves better?

Or should governments materially support parties with trained personnel, funding or even take over the operation of their networks (with appropriate Chinese walls in place)?

What type of advice, training or support should agencies provide to their staff and Ministerial advisors to help them keep their entire footprint secure, not just their use of work networks, but all their digital endeavours?

And what can be done to protect future politicians, advisors and bureaucrats, from wide sweeps of commercial services collecting data that could be useful for decades to come?

We need to have a more robust debate in this country about how foreign states and commercial interests may be seeking to influence our policies, and decide as citizens the level of risk we're prepared to accept.

Until this occurs, in a mature and informed fashion, Australia is hurtling forward into an unknown future. A future where our political system may be under constant siege from those who seek to influence it, in ways that are invisible to citizens but more wide-reaching and dangerous to our national interest than any expense scandal.

If this isn't the future that we want, then it is up to us to define what we want, and work across government and the community to achieve it.


Thursday, January 19, 2017

90% of digital disruption is still to come (podcast)

A few months ago I interviewed with Andrew Ramsden of AlphaTransform, who has spent the last year capturing the thoughts of digital leaders around Australia (he also has a book in the works).

He's now published the interview as Episode 16 in his Alpha Geek Podcast - which is definitely worth checking out.

You can listen to the interview below, in which I suggest that we're still at the start of the digital transformation journey for society, for business and for government...


Thursday, January 05, 2017

Defining and celebrating effective Australian leadership

Victor Perton, former Victorian Parliamentarian, Government Advisor, Advocate, Board Member and one of my mentors, founded AustralianLeadership.com in 2016 with the mission to "celebrate, understand and improve Australian leadership."

He interviewed me on the topic of Australian Leadership in late 2016 and recently posted the interview, which I've replicated below.

For other great interviews, visit his AustralianLeadership.com site where he's collected a variety of interesting perspectives on leadership in Australia.

Victor Perton: Craig, what do you see as the unique qualities of Australian leadership?

Craig Thomler: One of the most appealing and positive qualities about Australian leaders is their approachability. Australia has much less of a sense of hierarchy than Europe or Asia, and this egalitarian attitude displays itself through a readiness for leaders here to engage with, and listen to, people at all levels of their organisation and to be open to engaging with a wide range of people from outside their organisations.

This leads to an increased willingness to entertain new ideas, as well as an improved understanding of the needs of different groups and results in decisions that are more inclusive and attuned to customer and staff needs.

Another unique quality is how laid-back Australian Leaders commonly are. This allows them to more effectively manage difficult situations without significant apparent strain, simply taking challenges in their stride. This quality isn't universally positive; on occasions, it can lead to a lack of attention to detail, or giving up a level of control over events, which can lead to additional downside risk in certain situations.

Finally, in my experience, Australian Leaders are commonly more collaborative than many other leaders around the world. This exhibits itself more commonly between organisations and in the decision-making processes of leadership teams. Often the ultimate leader in a leadership team is seen as 'first among equals' rather than as a level above others in the group, reflective of Australia's egalitarian outlook.

Victor Perton: Craig, what are the qualities that Australians seek from their leaders?

Craig Thomler: I believe that Australians value approachability and 'down-to-earth' practicalities in their leaders. We don't commonly place leaders on pedestals or exalt them. We accept that they are humans, with flaws, and, to a degree, accept those flaws as part of the characteristics that make them good leaders.

Leaders who see themselves as 'above' others, due to expertise, experience or position, or who portray themselves as flawless, tend to be less credible to Australians and less believable as leaders.

Australians also value honesty and a sense of fairness in their leaders. Leaders who do not exhibit these traits consistently rapidly lose their shine and then their effectiveness.

Victor Perton: Craig, what is the finest story of Australian leadership you have experienced or observed?

Craig Thomler: Probably the finest act of leadership I have observed in Australia in the last five years was by Lieutenant General David Morrison AO, whose position on sexism and violence against women, per his video statement in June 2013 (see below) demonstrated clear and effective values-based leadership on a topic that other Australians in leadership positions - both public and private sector - had been unable to grapple with.

His statement, which reverberated around the globe, drew a clear line in the sand on appropriate behaviour not only in the Australian Army but across the Australian community.


Thursday, December 15, 2016

Australian Public Servants want the right to comment respectfully on political and policy matters online

I've been monitoring the Australian Public Service Commission (APSC) public consultation on the current social media guidelines for Australian public servants (APS).

While they clearly aren't interested in comments from former or potential future public servants, having neglected to publish, or even link to, my comments - which I submitted to the APSC four weeks ago - there's been 109 public comments published from current public servants.

While there may be private responses to the consultation, or other public comments as yet unpublished, I've analysed the comments available and the viewpoint points consistently to one conclusion.

Australian Public Servants overwhelmingly want the right to comment respectfully on policy and political matters via the social media channels of their choice.

It's clear from the responses that social media is increasingly seen as a normal way to communicate - like chatting at a barbeque or on the phone - and public servants increasingly feel the medium should be treated in the same way, with an emphasis on the 'social' rather than the 'media'.

Only nine of the publicly published responses supported the current guidelines for public servants, which state (in part) that:

6.2.7 When employees make public comment in an unofficial capacity, it is not appropriate for them to make comment that is, or could be reasonably perceived to be:
  1. being made on behalf of their agency or the Government, rather than an expression of a personal view
  2. compromising the employee's capacity to fulfil their duties in an unbiased manner—this applies particularly where comment is made about policies and programs of the employee's agency
  3. so harsh or extreme in its criticism of the Government, a Member of Parliament from another political party, or their respective policies, that it raises questions about the employee's capacity to work professionally, efficiently or impartially
  4. so strong in its criticism of an agency's administration that it could seriously disrupt the workplace—APS employees are encouraged instead to resolve concerns by informal discussion with a manager or by using internal dispute resolution mechanisms
  5. a gratuitous personal attack that might reasonably be perceived to be connected with their employment
  6. compromising public confidence in the agency or the APS.

Whereas 90 of the published responses stated that, to quote from one respondent,

It is important to recognise that, as citizens, public servants should have the right to express an opinion on key political issues providing they do this respectfully and that the issues they are commenting on do not relate directly to their area of employment.

This view was represented many times, using different words and phrasing...

I can see that there is an argument that there should be more caution about what is said about the area in which you work, but why should I be prohibited from making comment publicly about immigration policy or environment policy if I don't even work in that area?

...if I want to make a comment about the work of my department in my position as a customer of that department, or as a taxpayer who has an interest in the direction of government programs generally, I ought to be able to do so.

Remaining a-political should not preclude someone from criticising an individual's performance in government… Questioning obviously wrong policy is not straying from the APS code of conduct.

People should not be persecuted or railroaded for making public comment in their own personal time on any social media platform regardless of what the posting is about or responding to that is not work/employment related.

If the APS are censored from making any criticism of the government of the day and their policies, it's going to be even harder to encourage good people to want to work with us. 

As an employee of the APS I am 100% committed to upholding the Values and Code of Conduct whilst at work, and in situations that are in connection with my employment. As a citizen I have my own set of values and beliefs and shouldn't be forced to remove myself from public debate on social media platforms just because I am a public servant. 

Having the right to vote, by default, forces you to have a political opinion. While public servants retain the right to vote, they should also be able to voice that opinion.

We should have freedom of speech, so long as we speak respectfully about issues

Public servants should be allowed to say anything on social media during their unpaid time.

If it does not relate directly to the programs administrated by their agency, preventing APS employees from engaging in public discourse as private citizens is excessive and oppressive.

No matter how distasteful, racist, sexist, or whatever an opinion is, a person should have the right to express that opinion, provided it is not obviously linked to an organisation.

Public servants should have the same rights as any other Australian to comment on the government of the day and political matters.

Some were even more blunt,

Every vote counts. So EVERY voice should have the ability to be heard… Why is the government so afraid of the people?

It's unfair and oppressive to expect that because someone works in the public service that they can't be affected by political and social issues and therefore have opinions about the issues which may affect them and the people who are important in their lives. 

Why pretend we agree with everything we're told to do? It's like an atheist praying in Church to make their religious parents happy. As long as expression is respectful, it should be permitted.

When a politician says something stupid (which many of them do) I should be allowed to comment that they said something stupid.

While others questioned whether the government's current policy suggested that public servants were not trustworthy or that Australian democracy was broken,

In 10 years of working in Government I have only ever seen fantastic, impartial and evidence based decision making, and this is despite the fact that as humans, Public Servants naturally hold opinions. To imply that they cannot be trusted to comment responsibly on social media is to imply they cannot be trusted anywhere. Why does the medium change things? I.e. if we're questioning the integrity and trustworthiness of the Public Service; why should it be limited to social media? Either we are trustworthy everywhere, or we are not.

In Australia we have a liberal democracy. Public servants are part of that democracy. As such the boundaries on political and social commentary should be set quite generously for all, public servants included. In our history we have fought totalitarian regimes that have sought to inhibit free speech, my father and grandfather both fought for freedom and democracy. I see the curtailing of free speech that all citizens currently have as a huge infringement on hard-fought and won rights.

People who work for the public service have just as much right to question the Government in a democratic society as the next person. If they don't, then how democratic a society is it?

Any democracy that cannot deal with criticism, regardless of the source, is no longer a democracy.

Only a few believed the current limitations were fair,

To protect public servants from any erosion of trust now or in the future, I believe they should not be posting anything critical.

I have worked for three federal government agencies in my working life and am proud to have done so; I believe in what these agencies stand for and deliver to the Australian community. I am not about to bite the hand that feeds me. If I find a significant shift in agency policy and practice which would be at odds with my own belief system and make being a-political in a professional role impossible I wouldn't hang on for any length of time I would simply leave.

No matter who your employer is, whilst you are in their employ, I believe you should respect that bond and not do or say anything that would damage that company's reputation.

A minority (14) suggested that public servants should conceal their connection to the public service while posting, to prevent an obvious link to their employer, while a few others pointed out that this wasn't really a protection at all.

My suggestion would be that APS employees should not list their Department or Agency as their employer on social media sites. They should not divulge any information that is not already available on public record and should not publicly denigrate their employer. Outside these restrictions, I should be able to have the same rights as Australians who work in the private sector.

A more effective result could be achieved by instructing PS employees to remove any identification as a PS employee on their personal social media accounts and to not permit comments which identify their opinion as being related to their employment. Without any identification to the person's employment, it's difficult to see how someone can perceive an employee as making comment on behalf of their employer.

On the topic of whether public servants should be able to comment on their department and work, opinions were split. 36 respondents clearly indicated they believed that public servants should not comment on their own work and agency, whereas 14 directly stated that they should and a number of others were ambivalent.

The arguments were fairly clear on both sides.

Those opposed to talking about their work and agency said it could compromise their ability to do their job impartially, and potentially release information that shouldn't be public.

Those that supported talking about their work and agency pointed out that they were the best informed about their areas and could provide critical facts and information into the public domain in ways that could enrich and improve the public conversation. They also noted that at times they were also customers of their own departments, and as such should have the same rights as other customers.

...if I want to make a comment about the work of my department in my position as a customer of that department, or as a taxpayer who has an interest in the direction of government programs generally, I ought to be able to do so.

I should be able to comment on policies and topics in the public spotlight that affect me, my family or my field without fear of reprisal from my employer - particularly where the discussion is not at all related to my employer.

It is said that Qantas staff can't publicly criticise their employer, so nor should public servants. But Qantas doesn't confiscate 20% of my income. Qantas doesn't tell me what I can and can't buy, sell, import or smoke. Qantas doesn't tell me who I can and can't marry. Qantas can't send armed men into my house to arrest me. Qantas doesn't decide what my children are taught at school... Public servants have a duty as citizens to participate fully in political debate, including in relation to the programs they administer. 

A few believed the existing policy was clear,

I do believe the social media stance is perfect as it stands.

Yes they are clear. They do not appear to require revising.

But most respondents felt otherwise,

...this area is extremely grey and needs not only definitive clarification, but absolute determination as to what can and can't be said on political issues without fear of reprisals or recriminations.

Overall all respondents agreed on one point - that public servants should be respectful when they engaged.

Hi, I think that we should have the same rights and rules of every Australian Citizen. We should be able to speak our mind, even to the point of a difference of opinion with a Government Minister, providing we do not denigrate our department, our managers or colleagues.

It is now up to the APSC as to what they do with this information and how it affects the next iteration of the APS's social media guidelines.


Wednesday, December 14, 2016

It's time to start talking about open innovation - how do we share innovations across society?

Innovation is one of the global buzzwords today.

From Parliament House in Australia to the remotest regions of Africa, the world is talking about innovating to solve old problems using new techniques and emerging problems using old ideas in new ways.

As a career entrepreneur and innovator, I'm supportive of these innovation agendas - innovation is an important and useful tool for organisational adaptation and problem solving within rapidly changing environments. 

Provided innovation is embedded and practiced as business as usual, rather than treated with lip service or ring-fenced into irrelevance, it can be a powerful technique.

Thus far public discussions have largely focused on how we make organisations more innovative. How do we adjust cultures, structures and the legislative and policy frameworks that surround them, to help organisations embody that innovation spirit?

That's an important conversation - and very much a work in progress.

However there's another conversation we need to have that might be even more important over time.

How do we share innovations such that their impact is magnified in ways that reshape industries and societies, not just individual companies and agencies?

Now this isn't a debate about the value of intellectual property (IP) ownership. There's strong and good reasons for individuals and companies to be able to protect and control the use of their new ideas and techniques. I'm broadly supportive of the current IP model used globally, although it can be cost-prohibitive and onerous and can (and has) been misused on occasion by those with the money and power to do so.

However there is a distinction between IP that should be protected and innovations that should be shared. 

For example, imagine how different the world would look today if an ancient Greek city-state had applied modern IP rules to the technique and process of democracy.

If the democratic process had been patented, on an ongoing basis, the concept and practice of democracy may never have become the modern standard for governance, against which all other models are regularly tested.

Now that's an extreme, and potentially absurd, example, but given the legal changes made over time to IP law to continue to globally protect the likeness of a cartoon mouse, perhaps not totally implausible.

There's many examples of innovations that only become valuable when shared, or have their value multiplied by collective use. The internet is such a modern innovation, with its base 'operating systems', IP addresses and HTML, available freely for reuse by billions around the world.

Other such innovations include the 3-point seatbelt, the global standard for protecting car passengers, which was invented and patented by Volvo in 1959, then given freely to the world to improve safety standards.

As a more recent example, in 2012 Tesla did something similar, 'opening up' many of its electric car patents, declaring they would not sue companies that used them under certain circumstances, in the interest of helping to build an ecosystem of car and component makers that expands the market for electrical cars.

There's other examples of innovations being 'open sourced' in some way to help share them. For example CKAN, the open data portal platform developed by the Open Knowledge Foundation, is open source - which has led to its widespread use by governments globally.

aGov, the Drupal platform used to deliver GovCMS, is also open source, and now deployed in over 400 instances around the world.

In both these cases vendors monetise these platforms through providing support services - but the platforms themselves are freely available should an organisation wish to go it alone.

Other examples of shared innovation include the code bases developed for government services and apps through Code for All and its country-based affiliates, such as Code for America and Code for Australia.

Companies are sharing their AI research (and sometimes the code) - even the notoriously private Apple has recently announced that it will be taking part, in order to stay competitive in this fast changing field.

Governments are also, in certain cases, sharing their code - such as the US Army, which has shared code from its cyber defense systems to help tap the experience of others to improve their capabilities, and to help other organisations improve their own cyber defences.

The US Government even open sourced its open sourcing policy, along with a range of services it has built, so they can be easily reused by other governments.

There's been a little of this in Australia as well. The National Map is open source, as are several other systems. The Digital Transformation Agency has also worked in this space, open sourcing the code for their Alpha gov.au site and the text for its Design Guide.

However most innovation that could be shared is still not shared in a structured way.

Certainly events such as the new Public Sector Innovation Awards help raise awareness, and reward, innovations across the public sector, and can generate some informal sharing post event. Networks such as the Public Sector Innovation Network also play a role, at least in helping share ideas within the network itself, if not with the wider community.

But these are still largely inwards looking. They neither provide formal ways for agencies to share their innovations with other agencies or the community at large, nor for agencies or those outside government to locate relevant innovations that might support their own endeavours, with a blueprint on how to implement them.

They also are poor tools for bringing innovation into government from outside - for learning from the daily innovation activity across more than 2 million businesses in Australia, and hundreds of millions worldwide.

There's really no current consistent structured method to find the right needles in that global haystack, the shared innovations that would transform an agency, company or community, solving problems and lifting their effectiveness.

This conversation, about how we share innovations effectively, is the one we need to have to scale the fantastic innovation work being done behind closed doors across Canberra, across Australia and across the world.

Without it all the work going into transforming organisations to be innovative is simply creating new types of silos, where innovation happens within a room and is poorly shared or built on by others who could leverage it.

I also believe that in this broader discussion of how to share innovations wisely and widely, we'll also find answers to the question of how to make organisations more innovative, as sharing will promote greater thinking about innovation 'within the walls' as well as without.

