[00:00:00] Speaker A: AI, just like cybersecurity, is something that's going to be relevant to every part of society. Being able to develop a robust policy ecosystem around that, that allows us to really harness all the benefits of these technologies while mitigating the risks. That's what needs to be at the core of all of these policy discussions. There are clear intersections with AI policy in almost every other area of policy as well, which makes it another really good analogy and almost sister issue to cyber security.
[00:00:35] Speaker B: This is KBCS.
[00:00:37] Speaker A: Are they completely silenced?
[00:00:38] Speaker B: As a primary target for ransomware campaigns.
[00:00:41] Speaker A: Security and testing and performance and scalability.
[00:00:44] Speaker B: We can actually automatically take that data and use it.
Joining me today is Min Livanidis, head of digital policy, public policy from Amazon Web Services, as known as AWS. And today we're discussing laying the foundation for a secure Australia. So, Minh, thanks for finally joining and welcome.
[00:01:06] Speaker A: Thank you for having me, Carissa. I'm happy to be here.
[00:01:08] Speaker B: So, public policy. Now, when I saw you last, we talked about public policy. So maybe let's start there. Can you help our audience understand and maybe define what this means?
[00:01:19] Speaker A: Yeah, sure thing. Cybersecurity itself, public policy has quite a lot of definitions out there about what it is and isn't. But in its simplest form, public policy is about what governments choose to do or not to do, and why, and the consequences of those decisions. At its heart, it's government identifying a public issue or a problem and choosing a type of response to reach certain objectives, obtain a specific result. And I think what's really important here is that although the definition of public policy in the sense of what it is, centers around government, there are multiple players or stakeholders involved. Firstly, there's capital g government. That's the executive at the federal level. In Australia, that's obviously the albanese government. There is also the parliament as the legislature. And then there's small g government in the forms of agencies and departments that comprise the public sector ecosystem. But then we also have external players. So media, like yourself, are key stakeholders for how these issues are communicated and really form a big part of how these public policy conversations play out. There are also non governmental entities in civil society, as well as academia. And of course, industry has voice, and that's the role I play with AWS. My role with AWs very much focuses on more technical aspects of public policy, so I take care of things like cyber security, critical infrastructure, artificial intelligence, privacy, et cetera.
[00:02:58] Speaker B: So you said before there are multiple definitions of public policy. Where do you think that stems from? Why do people have different views on.
[00:03:05] Speaker A: Public policy, that's very much an academic question, but ultimately, policy is a label for a series of activities. And if we take the cybersecurity strategy as a really good, illustrative example, policy through the data breaches that took place in the latter half of 2022, Minister O'Neill identified cybersecurity as a key issue. The government had already done that through the appointment Clara Neal as the cyber security minister as well as minister for home affairs. But she announced very quickly after those incidents that we needed a new cybersecurity strategy for the country. And if you unpack what that means, cybersecurity strategy at that national level isn't altogether that different from how we would conceive of a corporate strategy or a corporate cybersecurity strategy. You have a vision statement, you have a set of objectives in the context of australian government cybersecurity strategy. It's the six shields, and then you have a set of actions that sit under each of those objectives to help you realise a certain outcome. And those are the measurables that we have attached to the public policy space as well. But in terms of what public policy is and isn't, it very much interweaves between the political aspects or political dimensions of policy, where governments choose to make a decision or they choose not to, which is also valid decision conscious non action, what levers you choose to pull, whether or not a bill proposal that you put up to parliament actually gets through. These are all public policy mechanisms. But how you would define the policy itself can sometimes actually depend on the outcome that's attached to it, or indeed can become clear in retrospect. So you take a set of actions in response to something, and that articulates itself as a policy.
[00:05:00] Speaker B: Overall, what does a good sort of public policy look like in Australia? More specifically, in your eyes, with your background, with your experience, and do you think people even know what good looks like?
[00:05:10] Speaker A: Public policy is an interesting base in the sense that it's never something that has a clearly defined beginning, middle and end. Anybody that studied public policy would be familiar with the policy lifecycle, and that it starts nominally with the idea of issue identification, policy analysis, then right through to the articulation of outcomes and assessments. And so the cycle continues. In reality, it's not linear like that. There are a lot of concurrent activities that take place. That's not to make a judgment call over whether an outcome is good or bad. There are multiple ways that we can ascribe success in the policy space, and that really comes down to the outcomes that are attached to these issues. Cybersecurity is a really great example of that, because it's a problem that is entrenched in all aspects of society. So we're talking about societal issue that impacts citizens as individuals through to small businesses, medium businesses, large enterprises like an AWS and critical infrastructure providers, the australian government itself. And then there's the national security component of that as well. So it's really quite a complex and layered policy ecosystem, but one where there is an opportunity for a lot really collaborative policy making, a lot of co design processes, and where an entity like an AWS can have a really important voice as genuine technical experts in this field.
[00:06:46] Speaker B: Okay, so there's a couple of things in there you said, which is interesting, you said a lot of concurrent activities happening. What is a concurrent activity? What does that look like?
[00:06:53] Speaker A: So if we take again, for example, the cyber security policy, there were the data breaches that took place later. Half of 2022. Minister O'Neill started a process of consulting on a new cybersecurity strategy. But at the same time, the government introduced a set of measures relating to the Privacy act in terms of the enhanced data breach scheme, new powers for the Office of the Information Commissioner, and several other activities that supported a program of work, including the appointment of the cyber coordinator. So that demonstrates that the activities around that particular policy, although there was a development process for the strategy in place, the government didn't wait to take action to address what it saw as an immediate requirement or an immediate need. And that's where you see those concurrent activities start to come into it.
[00:07:48] Speaker B: And that makes sense. One of the things I'm curious to know is, with all these activities, how do we hold people that.
Now, I have interviewed people on this show around, great, we can come out, we can say all these wonderful things. How do we keep people's feet to the fire in ensuring that, hey, here, the actions, but have they been actioned? When? How long is the timeline? Is that something that is part of public policy? Is there something that people can understand where things are at? In terms of, if we look at the cybersecurity strategy, for example, there's multiple.
[00:08:22] Speaker A: Ways to start to dice this up. There's the accountability in terms of the delivery of the cybersecurity strategy, and that accountability ultimately sits with government and the various government departments that are attached to it. The national cyber coordinator has a really important role to play as part of that process, as the central cog for government to be able to articulate its priorities and ensure that accountability is internally, in terms of corporate accountability. There are the expectations that are articulated through the Corporations act, and we also have guidance that's been distributed by the Institute for Company directors around what good corporate governance looks like in a cybersecurity sense. And there's accountability mechanisms being built into that. There is data breach notification scheme, there are the critical infrastructure notification requirements and the various registration processes, all of the accountability mechanisms that have been built into that legislation as well. So you see it coming through at multiple layers. And then within organizations, there is the articulation of governance standards, risk management and then policies that support the corporate ecosystem. All of these things have a really important role to play in developing those ultimate outcomes, which we hope will be more robust cybersecurity and increased cyber resiliency across the entirety of the australian ecosystem.
[00:09:52] Speaker B: Now, I asked that previous question because I'm curious then to understand, would you say, with your experience, we, as in Australia, is doing a good job in the public policy arena at the moment?
[00:10:05] Speaker A: I think Australia's been extremely proactive when it comes to cybersecurity policy. A lot of countries internationally, they're looking to what Australia has been doing as part of this process to say, what are some options that are available to us? And this is something I like to say about Australia. We are small enough that we can have this really quite close knit cybersecurity community and ecosystem, and that articulates into how we engage with government and how government engages with us. We develop these really robust policies and programs of work that support these policies. But we're also big enough that Australia can have quite an outsized impact in the sense that other countries can look to us and say, hey, this policy worked over there, or the design of this policy worked over there. Is this something we can adapt to our environments? We're seeing that cyber security policy, we're certainly seeing that with critical infrastructure policy as well.
[00:11:04] Speaker B: Do you think Australia looks to other countries to say, hey, you guys are doing a great sort of work here in the public policy space as well? As much as people are drawing inspiration from us as Australians, would we sort of draw inspiration from other countries as well?
[00:11:18] Speaker A: Yeah, absolutely. And I think that's a benefit of a company like in AWS. Something we can really bring to the table as part of these discussions is that international perspective. We obviously have a footprint globally. We engage with governments globally on exactly these issues. So if we're seeing something that's worked really well over in the UK, we can speak to the australian government about our experience through that process. And obviously the australian government has their own relationships with these governments as well, that they're able to draw from as they're developing these policy proposals.
[00:11:54] Speaker B: So in terms of what you said earlier with public policy, you've got, you know, companies like aWs, you've got media like self, you've got, you know, the industry. How do people understand where the front door is? Like, how do they know who to go to? If I'm sitting there saying, all right, Min, I have a, got a problem. I want help to get you to help institute some change. How do people go about that? And the reason why I asked that question is simply because I speak to a lot of people in this industry. At the coalface, yes, in Australia, but globally as well. But if I focus here on Australia, people are saying, you know, government's not doing this, or, I wish we'd got this more for security startups, or what about this? And I don't really have an answer for that. So I'm hoping that you can help maybe navigate that for me and for people who are listening to this interview, that if someone's got something that they think is valuable, how do they go about it?
[00:12:46] Speaker A: It's a really important question for a lot of entities. A lot of entities don't have a dedicated public policy or government relations team that are able to keep track of track of all of these developments. So we're very fortunate in that respect. The key thing to keep an eye out for, typically, at the beginning of any of these sorts of processes, you'll see a consultation paper be distributed through one of the government departments. That consultation will be open for a certain period of time, will involve being able to provide a written submission, but it will also involve the opportunity to be involved with roundtables, being able to provide that sort of direct feedback to the members of the department that are doing that work in the background to develop these policy proposals and assess all of those inputs. If it's something that then requires a legislative amendment or a bill or a set of proposals, that will then probably be consulted again, which we've just seen with the legislative consultations that came out as part of the cyber strategy, provides all entities with another opportunity to provide their inputs as part of the process. Once a bill reaches parliament, if it gets referred to a committee for an inquiry, again, there are opportunities to actively engage and provide feedback as part of the process. The important thing is to really stay plugged in and attuned to what's happening within your ecosystem that may be achievable more readily through industry associations, and memberships, or it may be achieved through institutions like ACeR, the ACs, those sorts of entities that also keep track of these developments. And then there's a lot of great free resources out there as well. A lot of legal houses, big legal houses, have great pages that keep track of these sorts of policy developments and try to articulate it in a way that's digestible for entities of all sizes as well. The important thing is find a resource, stay plugged in. It doesn't have to be extremely difficult or sophisticated. You just need to find what's out there.
[00:14:59] Speaker B: And do you think some of the public policy stuff you said, the word operative word digestible, do you think some of it is sort of a little bit convoluted for people to understand?
[00:15:07] Speaker A: I do think that there is an opportunity to simplify in this space, and particularly for a area like cybersecurity, where we see simplification, these concepts being so central to success in this area. When I was developing the AWS submission to the cybersecurity strategy, which you can find online on the Home affairs website, I was very conscious language as part of that process and really wanting to speak to cybersecurity in a way that resonated with everybody that read that document, not just cybersecurity professionals that understand what Stigs taxi means in terms of threat intelligence, needing to go beyond that, to really speak to the people that are at the heart of this issue. And that was the foundation of the vision zero model that I developed with reference to car safety as a really good analogy for a public policy issue that was recognized and was adopted nationally. And you've seen the outcomes of that policy strategy develop over time. And we've got about 30, nearly 40 years of that strategy being in a distance to see its results, talking about these things in a simple way that allows people to engage with the process, really lets them feel empowered to be a voice in that process, and that their voice is valid in that process. It's really crucially important to developing a cyber security strategy and cyber security ecosystem that meets the needs of everyone, from individuals right through to large enterprises.
[00:16:44] Speaker B: Now, in terms of feeling like people feel valued in terms of their voice, do you think in some of these forums that you're involved in terms of public policy, do you think people, as in maybe smaller organizations, don't feel a part of that voice? Maybe they don't have a dedicated person like yourself to be able to go and have these discussions like. Like you're having? Do you think that there is this element of people not feeling like they're being heard in the industry, maybe because they're smaller, or they don't know how to go about it, or maybe they are, they don't can't communicate as strongly. Perhaps you think there is that side of it.
[00:17:17] Speaker A: I think there is probably something to be said for that, purely in the sense that these things can very much be a resourcing and awareness issue. I do know that government, as part of this consultation process, were very active in wanting to get perspectives from small business, and we've seen that in, I believe it's pillar two of the cyber security strategy that very much focuses on the needs of small business and how to right size cybersecurity for small business players. So I think because government took such a conscious interest in small business in particular, we've seen a real development of fairly robust set of policies that are designed to support that ecosystem. Outside my role at AWS, I also sit on the board of the Australian Cyber Collaboration Centre that's Got the CUSP program, which is all about uplifting cybersecurity for small businesses in a way that's affordable and achievable and really speaks to their issues in terms of how they use security, what their actual risk profile is. Even how a small business interacts with technologies really can be extremely variable. So you should never assume that there's a one size fits all approach to this, and I think that's been reflected through the programs that have come out of the last strategy as well.
[00:18:43] Speaker B: So with public policy generally, what do you think it's maybe missed or overlooked that you've sort of seen in your years of doing this?
[00:18:52] Speaker A: I don't know that I would say things have been overlooked so much as you might have differences of opinion in where there is a particular emphasis. I know that after this strategy came out, there was always a bit of LinkedIn chatter about these things, but there was a bit of chatter about the absence of adequate support for startups, which is something else that's able to be addressed separately. But some people felt that that wasn't explicitly called out enough. Others wanted more explicit guidance or compliance elements to be included as part of the program. Everybody has a different perspective on where that balance should be, and that's something that is a real challenge for government in releasing these policies, because you need to fine tune your approach to the needs of a lot of stakeholders. That's why the consultation process is really so important. But ultimately, government decides what are the things that they want to emphasize, to realize the outcomes that they have set. What are their set of objectives? And that's what gets articulated as part of that policy process.
[00:20:03] Speaker B: Okay, so there's a couple of things in there which is interesting. So I'm just going to assume that no matter what policies put forward, there's always going to be someone that complains their voice wasn't heard, this was overlooked. We need more money here. There's too much money on that other thing. Do you think there's always going to be that? There's always going to be someone that perhaps doesn't like what the end result is?
[00:20:23] Speaker A: I think that's the nature of the beast to a certain extent. And again, that's not a judgment for me of whether that's right or wrong or whether. What?
[00:20:33] Speaker B: Human nature, though?
[00:20:34] Speaker A: Yeah, it's human nature. That sense of the perspective that I have wasn't entirely reflected through this process, and that's going to lead me to reach a set of conclusions that may be perfectly valid from that person's perspective or that entity's perspective. That doesn't mean that they're right or wrong, or that government is right or wrong, but it does demonstrate the challenges inherent to the public policy process, particularly for an area like this, where I think people have especially strongly held views, especially if you're a practitioner in this space, and you and I are both former cybersecurity practitioners that are now still engaged with the cybersecurity community. From a different perspective, I'm doing it from that public policy perspective, you're doing it from the media perspective and doing deep dives into these issues that really matter to particular senior executives in this space. We all have different perspectives that we bring to it. I think having been a practitioner, having also previously worked in government and now working in the public policy space, it's given me that genuine sense of empathy across the board, empathy to government, in the sense that these are really complex issues, that they need to be able to articulate it in a way that is digestible across not just the cybersecurity practitioner space, but more broadly. And then for cybersecurity practitioners that feel the challenges of working in these environments day in, day out, wanting to see their perspective represented in a way that they think reflects the reality that they experience. And these are all perfectly valid opinions and points of view. So it's a very fine needle to thread. And I don't think there is ever going to be a situation where you can definitively say you got it 100% right or wrong. It's always going to be more complex than that. And to be honest, that's why I enjoy it. It's not binary.
[00:22:33] Speaker B: Let's get to the consultation process. What does that look like? Just so people are not really. Maybe, perhaps people aren't aware. I don't think many people actually are aware of public policy men and how the mechanics, the complexity of it at all. In this space, there are quite a.
[00:22:46] Speaker A: Number of things that happen in the background as part of any of these sorts of consultation processes. The most obvious element is that you get the discussion paper, which is a primary artifact as part of the consultation, that will typically pose a problem to you, or a hypothesis or some statement of a perspective around an issue. In the cybersecurity case, it's we're seeing x number of threats. This is the value to the economy over time. This is why we need to take action. So it's with a pause for a call for action statement. Then you typically get into an analysis of the issues and they'll attach a set of questions around that, what do you think of x? What do you think of y? And then you're invited to put in a submission as part of the process. So if you go to any departmental website, home affairs, attorney general's department, et cetera, they will typically have a consultation hub where you can see consultations they've done in the past so that are currently open. And then unless you ask for it to remain private, they'll publish those responses. So all of the responses that Home affairs will have received as part of the cyber strategy consultation, they're now available online. You can go and read about what all the different entities and individuals who shared their views on that had to say. From there, there are typically a set of town halls or roundtables that take place, a lot of conversations, and these things happen over the course of months. It's not by any stretch a really quick process, and that's because you've got a lot of issues to work through. And through the consultation process, you may identify something that you hadn't necessarily thought of before, or somebody's brought a really interesting perspective that you want to explore more. You start doing deep dives as part of that process. So there's a lot that goes into it and a lot of really deep thinking that happens along the way. And then from there, it's through that process the department will take all of the inputs that they've received and start developing the actual primary deliverable, which is the strategy itself. And that's, I think, a really important thing to remember as well. That you've got the minister and their office, but then you've also got the department and the public servants that staff that department. And there is a clear sort of division of responsibilities. In that sense. There's the department that does the primary work of holding the pen on these documents and actually producing the outcomes. The minister obviously works very closely and the minister's office works very closely with the department and the minister ultimately signs off on that as the count hall minister, but it's very much collaborative within government itself.
[00:25:47] Speaker B: So you said before, things take months, which I assumed it would. But how so hard is it, from your understanding, to institute changes to the public policy? So if I had an idea, I went through the process that you just explained what would happen now? I know it depends, and there's all these things and deliberations, there's meetings and there's people, but do you think perhaps people. And when, I mean people like, you know, whether they're practitioners or just everyday people, do you think that they think it's harder than what it is, so therefore they don't bother to try to have a seat at the table, have a voice? Do you think there's a bit of that in there? Because they think, oh, it's all too hard. Oh, I couldn't be bothered going through the process because they think it just won't actually move the needle at all.
[00:26:30] Speaker A: Yeah, I think there's probably a bit of that. I don't want to say cynicism about the process, but I do think that people probably are not sure how much of an influence they can actually have as part of the process. But I think the key thing to remember here is we've all got the opportunity to have that voice as part of these consultations. And for your voice to be heard, you need to use it so actively. Encourage anybody who really feels passionately about these things, these issues, to engage with these policy processes.
[00:27:04] Speaker B: I was just curious. Do you think people feel overwhelmed by the process, considering, you know, these things don't happen in a day, they take months, years, do you think people sort of just think, well, I'm too busy now. I tried to start the process, but now, you know, I've got other things going on in my life and I'm. I'm not going to follow it through?
[00:27:22] Speaker A: I think if you're a smaller entity who is very pressed for time, that the level of consistency needed to engage directly with these processes. Yes, that probably can be really quite time consuming. The important thing, I think, with cyber security is that we are a community of practitioners. If I go through, even for your podcast career, I go through and look at the guests that you've had on. I know probably 50% of those people.
That's a really cool thing. That's one of the strengths that we've got in Australia on this front. So as much as we say that cybersecurity is a team sport, so is public policy. We've all got the ability to obviously have that voice and have that level of influence or try to have that level of influence. But I think the key thing as well is we are part of a community, and you can look to your peers and look to the people around you to say, this is my perspective on this. This is why this really matters. And there is a very good chance that the people or the entities that you are talking to who are within your ecosystem are going to also advocate on your behalf. And I see that pretty regularly as part of the conversations I have with other pockets of industry, you know, through the work that I do as part of the trusted information sharing network that's run by Home affairs. And I chair the. I co chair the data center group, I sit on the Resilience expert advisory group. I get to talk to a lot of different critical infrastructure entities through those positions, but I also get to talk to entities that you might not think about in terms of critical infrastructure, resilience or cybersecurity and whatnot. I got to share the stage with the CEO of Food bank last year, brought this fabulous perspective to what resilience means for them and how cybersecurity impacts them. And then I was able to take that forward and say, actually, these are really important points that need to be reflected here. Can I get some more information from you so I can take that forward? Make yourself known as part of the ecosystem. Talk to people like me who, you know, are actively engaged in this space. You don't have to try to do it all alone.
[00:29:42] Speaker B: Yeah, those are great points. And I think that's what's really important about getting you on the show so you can dissect the process. I think people out there do think it's hard or it's impossible. You got to know somewhere, how does it work? So it would be a fair assumption to say, min, that people do need a little bit, be a bit more proactive. Whether they come and approach you, they are being a bit more proactive and going direct. Do you think maybe people just, they just didn't know?
[00:30:04] Speaker A: I think it's bit of everything public policy, like any conversation and ultimately, it is a set of conversations that will ultimately result in decisions and actions. The perspectives that you put forward, they need to be precise, they need to be said to be heard. They need to be heard to be taken into account and to be taken into account. And then to. I'm completely jumbling where I was going with this as a metaphor, but you see where I'm bogging this. You've got to say something for it to be heard and ultimately acted upon, potentially. And you can't take, you can't take your perspective not being acted upon as a rejection. It doesn't mean that your perspective wasn't valid. It doesn't mean that it wasn't heard. It would have been considered as part of the process. And then through the balancing that needs to get done to ultimately make these decisions, decide on a set of desired objectives and measures. What you've said may well have contributed quite heavily into that decision, but from the alternate perspective, actually, we did consider that. And based on our assessment of these variables over here, we decided that that wouldn't work or it wouldn't have been the most effective mechanism, but it is something that will be considered as part of this process. So you should never take the absence of something as failure. It's still important to have infected into that process. And if I can put it in another way, for the intelligence professionals that are potentially listening to this podcast, you do the analysis of competing hypotheses. We put forward a hypothesis, and you have to try to prove it, and you also need to try to disprove it. That is the foundation of good intelligence analysis. It's also the good foundation of any analysis. You can't just go with what you think is right. You also need to challenge your own thinking. And that's another reason why these perspectives that we all provide to government as part of these processes are so important to provide that challenge, the analysis of competing hypotheses.
[00:32:12] Speaker B: Do you think the word considered rattles people a little bit, though? It's like, oh, well, we considered it, which is sort of like, we didn't reject it. We kind of looked at it. Is that maybe that gets people on the back foot?
[00:32:25] Speaker A: It might, but I would just be speculating on that front.
[00:32:28] Speaker B: So then in terms of, I want to institute some change, I hit you up, you. That's a great idea. How long does something sort of take to change? And I know that's a very broad question. I'm just curious to know. I know it doesn't take a day or a week, but how long does it, like, is it years? Is it centuries? Does it ever change? Because, you know, I've heard people saying, like, I've been campaigning this for like 30 years across other sectors, but what is a real sort of number here?
[00:33:03] Speaker A: Well, if we again take the cyber security strategy as the example, that's set out into three two year horizon periods, and those horizons go out to 2030. So along the way there will be a set of initiatives that are rolled out over that period of time. And then you start to
[email protected] sequence of events for the actual changes to start happening. We're already seeing those things making moves now, the implementation of certain types of activities like the awareness programs and campaigns that have come out as a consequence of the strategy. We'll see various things happening through, I don't know the mechanism exactly yet, but probably cyber dot gov dot au comma, where increased advice will start to be released over the period. And we've seen that recently as well.
The ACSC, in partnership with the five Eyes plus, released their guidance on the cybersecurity aspects of AI as one really good example. You start to see these things roll out over time. I think because it happens incrementally. It gives the illusion of slowness, but that illusion very much the duck floating while water and the legs are flapping away underneath. There is a lot of work goes into these things that on their face value can seem really quite simple. But to get all of these mechanisms of government moving, to get industry partnerships moving, and to roll out these societal programs across small businesses, NGO's for individuals, these things take time. But when you consider that they're being done on a national scale, it's also happening reasonably quickly. So we don't need to sit back and think that this is going to take a period of decades to achieve all of these things. It will all happen and materialize over the next five years in this particular space.
[00:35:00] Speaker B: I'm going to switch gears now, and I did want to touch on AI, so maybe, you know, we can touch on that slightly now. But I am aware of AWS's collaboration with industry and government to build a strong foundation for AI and security. So maybe just at a high level, men talk me like, talk me through this, and then how does this sort.
[00:35:24] Speaker A: Of look, the AI policy or responsible AI policy is the issue of the moment. It is the tech policy issue, and we really saw the interest in that spike with the release of generally available generative AI. But the conversation about responsible AI has been happening for quite a number of years. So in that respect, when you say these things can take some time, yes, they absolutely can. Often it's the, it's like any change management program, really. There is the point in time where there is a recognized or broadly agreed point where you say, right, we need to focus on this. And this is why, for AI, it was generative AI that was the catalyst for all the action that has followed. This is a fascinating one, because it is something that's clearly relevant to Australia domestically, and there are a lot of processes that have kicked off domestically to address responsible AI as a core tech policy issue. The government released their interim response to the responsible, safe and responsible AI consultation in January, and that's where they highlighted and broadly outlined the set of actions that they were going to take on that front. Following from that, Mister Husig announced the expert advisory panel, who is working with the Department of Industry and Science on a AI regulatory strategy. And they've also highlighted broadly how they're going to tackle that, which is a sort of industry vertical approach that recognizes that AI is higher or lower risk depending context and depending on use case, and working through a set of mechanisms to best govern that. And through that as well, we also have the national AI centre committed to delivering a voluntary standard for safe and responsible AI as well. And those are just the domestic elements of what's happening in this space. But there's no boundary to these sort of tech issues. So this also comes into the international domain, where the australian government is engaging very closely. The safety summit that was originally convened by the UK is now going to be hosted in Korea next, where there were a set of agreed principles as part of the Bletchley declaration. But we're also engaging with the G seven process in terms of safe and responsible AI. The OECD also has a set of policies or mechanisms in place to help govern the development of AI and realize its economic potential. So there's a lot of complexity at play here. And then we also have international standards that sit underneath all of these other mechanisms. Active engagement in this space is really, really important because AI, just like cybersecurity, is something that's going to be relevant to every society. If you engage with technology, you are going to be engaging with AI in some way just exactly the same as you're engaging with cybersecurity in some way, whether consciously or not, being able to develop a robust policy ecosystem around that. That allows us to really harness all the benefits of these technologies while mitigating the risks. That's what needs to be at the core of all of these policy discussions, and that's the approach that the albanese government again has been pursuing as part of this process. There are clear intersections with AI policy and almost every other area of policy as well, which makes it another really good analogy and almost sister issue to cybersecurity. So it's a good thing I find all this stuff really interesting, otherwise I'd be in trouble because it's a fascinating space to work in and there's no shortage of things to learn about along the way as well. I'm constantly reading about these issues and finding out new things. It's an exciting time to be working in this space, I guess.
[00:39:28] Speaker B: Yeah, and you are right, especially with the relatively new emergence of the genai and everything that's happening, especially now, the dick fakes. I was in an interview just before this one talking about that in elections. So there's, you know, I'm not expecting like government necessarily have an answer, but it is about getting industry perspective, and that takes a bit of time to do it, you know, to do it properly. It would, doing the right thing would be. It does take a bit of time to do it properly. So in line of everything now, where do you think we go from here now as an industry, what are your sort of thoughts for the rest of 2024?
[00:40:02] Speaker A: I think as industry, we've got an incredible opportunity this year to really be conscious in how we talk about cybersecurity, in how we talk about safe and responsible AI, being very deliberate and conscious that how we talk about these things absolutely impact broader societal perceptions of these issues for cybersecurity in particular. And again, this is something I emphasize endlessly, and I know I heard Phil Rodriguez, one of my colleagues when he was on your podcast, talk about these things really simply. I think that's an excellent example of how you need to speak about security policy, AI policy, all aspects of tech policy in a way that has genuine meaning to people. Because ultimately, we're not just securing things, we're securing the world that we live in. The world that we live in is fundamentally digital. So we need to be actively engaged with these processes. We need to be able to invite responses from all pockets of society, from all pockets of the business community, from all pockets of NGO's and particular perspective that they bring to these issues. And the way industry talks about it has a big role to play in that, I think something that you'll often find with me, and it's a very deliberate choice when I'm talking about cyber security, I never use the word attack ever. And that's an extremely conscious choice on my part because I want it to be something that you can engage with in a way that is inviting. And there's nothing really inviting about the word attack. There's nothing inviting about being attacked either. But we also need to be realistic about that words have meaning, and that the way we discuss these things absolutely impacts people's perceptions of the level of control that they can even have over their own security profile.
[00:42:06] Speaker B: So do you have any closing comments or final thoughts you'd like to leave our audience with today?
[00:42:11] Speaker A: I would just really encourage everyone, if you've got the interest in policy dynamics surrounding cybersecurity, there are great resources available to you to be able to do that, or to even understand tech policy in general. Yeah, the tech policy Design center, run out of ANU has developed really useful tools to help people navigate the policy process. They've also got their tech policy atlas that gives you an understanding and overview of all the different policies that exist across different geographies. That's a great place to start. Stay plugged in, whether it's through industry associations, whether it's just through a simple newsletter, policy developments so you're at least kept up to date with what's happening and are up to date with the tenor of conversations around these issues. And when you do see the opportunity to contribute, if there is a perspective that you've got that you want to share, absolutely encourage you to share it. And if you don't feel confident in sharing it directly, reach out to somebody within your ecosystem. It could be somebody like me in an AWS. It could be your account manager, one of your third party SaaS providers. Anyone who you feel comfortable talking to about this process and getting that perspective across, I would absolutely encourage you to engage.
[00:43:41] Speaker B: This is KVcast, the voice of cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
This episode is brought to you by Mercsec, your smarter route to security talent Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out more at Merck today.
