Malcolm Turnbull is best known as the 29th Prime Minister of Australia. Serving from 2015 to 2018, he developed a cybersecurity strategy that, even today, is described as “world leading” for its time. He laid the groundwork for a law enforcement encryption-circumvention policy enacted just after he left. And he continues to raise the profile of cybersecurity issues from outside of government during a time when those issues can sometimes be left by the wayside.
But beyond his government role, Turnbull has a long history investing in technology, both before and after his political run. He most recently was appointed to the board of Kasada, an Australian automated-threat protection service fighting credential stuffing by making distributed bulk login attempts more work than they are worth. And that’s a fitting role for Turnbull, whose policies to create an Australian cybersecurity industry improved the viability of local startups.
This summer, Turnbull appeared on stage with Alastair MacGibbon, head of CyberCX, a megastructure of recently merged Australian cybersecurity firms, to say that the Australian government should purchase from the burgeoning Australian cybersecurity industry rather than global competitors. It was a move that appeared to some to be about shoring up supply chains and to others about propping up domestic firms.
SC Media spoke to Turnbull about why it was important to build a domestic cybersecurity industry and the effects of an extremely permissive encryption policy on business.
This summer, you appealed to Canberra to buy local when purchasing cybersecurity equipment to help sustain the growing Australian cybersecurity industry. Why is it so important to build a domestic industry? Is it reducing dependencies on foreign supply chains?
That’s a real issue. But there are other reasons. You go back to the National Innovation and Science Agenda in 2015; you know, my thesis then was, and remains, that we're living in a time when the pace and scale of change is utterly unprecedented, and it's being driven by technology overwhelmingly. And so these are very exciting times. I used to say, there's never been a more exciting time to be an Australian and I think that's true. But you've got to reject notions of "not invented here" or "we've always done it this way."
The major focus of the cybersecurity strategy which I laid out in 2016 was obviously cyber safety and we established a number of institutions and agencies to promote that. But there is a big opportunity in cyber for Australian technology and innovation. We actually have really outstanding cyber schools in this country – a lot of it associated with or graduating from the Australian Signals Directorate, which is our equivalent of the NSA or GCHQ in the U.K. ASD is a pretty remarkable agency. Given its size relative to, say, NSA, it bats way, way above its weight.
You've got to be prepared to be on the front foot all the time and be prepared to look at new ways of doing things. That’s kind of my life story. I’ve started a lot of companies and helped found a lot of companies over the years including our first big internet company back in the nineties, but that is critical. Innovation is what drives productivity and productivity is the key factor in economic growth. There's a real national purpose there and so Australian Innovation is vital.
Then, what’s held Australian cybersecurity back in the past?
We used to be very short of venture capital in Australia for tech. In fact, back in the nineties, before I joined Goldman Sachs, I had my own investment banking business. And with Ozemail, this internet company we started, we literally couldn't raise any money for it in Australia of any consequence.
The technical founder was a guy called Sean Howard and he used to say to me, “How come you can't raise any money for Ozemail here, but you have no problem raising money for your gold project in Siberia?” Because, if you think about it, a gold mine in Siberia would define risk – that's like eleven out of ten. There just wasn't money for technology. That's all changed and there are now deep venture capital resources in Australia – not as deep as they are in the U.S., naturally, but there is venture here.
One of the objectives of the NISA [National Innovation and Science Agenda] back in 2015 was to encourage that. We both set up new funds and, you know, provided incentives for people to establish funds. It's just absolutely critical.
The startup economy is an unequivocal benefit, right? The only people that lose from startups are investors, if the company doesn't perform to expectations. But everybody else benefits – the founders benefit from learning, people get skills. It's just a huge asset to any society and from a government point of view, you've got to recognize that and give it all the support you can.
With Kasada, are you able to see any of the success of creating that kind of culture change?
Sam Crowther, Kasada’s founder, actually started at the Signals Directorate, albeit as a schoolboy. If any of us think we had some pretty brilliant accomplishments, Sam always puts them into perspective – when all of his schoolmates were delivering newspapers or doing people's gardens or, you know, working at Woolies, Sam was cracking codes at the Signals Directorate. So, yeah, there's a lot of innovation in Australia.
To put it another way, Sam Crowther and Kasada embody everything that I wanted to achieve with the NISA and the cybersecurity strategy.
Without that shift in venture capital, what would happen to all that local innovation?
When I joined Goldman Sachs in '97, I was intrigued that Goldman had for a long time been hiring more young people from Australia than they could ever use in their Australian business. And I made a few inquiries, and the other investment banks were doing the same. And the reason for that was, you can take an Australian and plomp them in pretty much any part of the world and they're going to be by and large at ease; they've grown up in a very multicultural environment.
Australians are very global. We always have been. And Australians are very good travelers in this sense. We are a very multicultural society; about 30 percent of the people who call Australia home were born outside of Australia.
But is that a drain on the local talent?
Well, yes. I get the point you're making. But – and COVID has affected this – at any given time we used to estimate there are about a million-plus Australians living overseas. So, around five percent of the population. Now, some of them are students, some of them are people that have married foreigners and gone to live overseas, but a lot of them are Australians working in business. We think that's a good thing.
I think it's good, you know, it's great to have Australians working internationally and then coming back, and Americans coming here.
Australia passed a law in 2018 allowing law enforcement to gain access to devices in order to circumvent unbreakable encryption. That law specifically does not require algorithmic vulnerabilities in the encryption, but is controversial nonetheless. How has this affected cybersecurity locally and, now that you’re a part of a cybersecurity firm, do laws like that affect your competitiveness in a global market?
I would say this is a work-in-progress. If you go back to traditional search and seizure which has been with us for hundreds of years, I could go to a court or a magistrate and get a warrant for you to open your safe and if you won't open it some sturdy police officers will come and open it for you.
However, what do we do in an environment where you've got encryption that is designed so it can't be decrypted? The problem is, of course, if I have a warrant to open your safe, it applies only to your site. But if I have access to your encrypted data, that is an ability that once obtained by others would enable all of the encrypted messages using those encryption algorithms to be accessed. And therein lies the problem, because on the one hand we do have a vested interest in cybersecurity and hence in encryption, in encryption in situ. But on the other hand, you've got the claims of law enforcement. I think that there is still work to go on that and attitudes differ.
One of the interesting things I remember happened in Silicon Valley while I was in politics around the time of the Snowden revelations was how deep the antagonism is in America both from the left and the right to government. There is a Libertarian tradition of 'don't tread on me' values both on the left and the right. When Apple would not unlock the San Bernardino terrorist's iPhone there was not a public outrage against Apple as far as I could see. I mean, there was a workaround achieved of course, which resolved the issue, but that's an ongoing challenge. I think the solution to that is not immediately obvious.
Do you see the Australian law as a disadvantage to those on the international stage?
No, absolutely not. No, not at all. There is nothing in the legislation that would require, say, Facebook, which owns WhatsApp, to compromise its encryption. It's quite expressed. If you look at the legislation and all the speeches, the second reading speech and so forth, you'll see that's the case. It's really seeking greater assistance.
I don't think you'll see anything further happen with this other than in lockstep with the other Five Eyes. We're probably ahead of the game certainly in respect to telecom security and 5G, but I think everyone's now up to speed on some of the key issues and areas of risk.