COMMERCIAL IN CONFIDENCE

FINAL REPORT

Impact Analysis of CSIRO Cybersecurity Research

Prepared for CSIRO
August 2020

THE CENTRE FOR INTERNATIONAL ECONOMICS
www.TheCIE.com.au

The Centre for International Economics is a private economic research agency that provides professional, independent and timely analysis of international and domestic events and policies. The CIE’s professional staff arrange, undertake and publish commissioned economic research and analysis for industry, corporations, governments, international agencies and individuals.

© Centre for International Economics 2020

This work is copyright. Individuals, agencies and corporations wishing to reproduce this material should contact the Centre for International Economics at one of the following addresses.

CANBERRA: Centre for International Economics, Ground Floor, 11 Lancaster Place, Canberra Airport ACT 2609. Telephone +61 2 6245 7800, Facsimile +61 2 6245 7888, Email cie@TheCIE.com.au, Website www.TheCIE.com.au

SYDNEY: Centre for International Economics, Level 7, 8 Spring Street, Sydney NSW 2000. Telephone +61 2 9250 0800, Email ciesyd@TheCIE.com.au, Website www.TheCIE.com.au

DISCLAIMER
While the CIE endeavours to provide reliable analysis and believes the material it presents is accurate, it will not be liable for any party acting on such information.
Contents

Summary
1 Challenges and risks
  What’s at stake
  Need for risk management capability and governance
  Solution: build resilience, shared awareness, and human capacity
2 Impact pathway for Data61 Cybersecurity
  Inputs
  Outputs: What Data61 cyber delivers
  Outcomes
  Too early to estimate net benefits but the value case is clear
References

BOXES, CHARTS AND TABLES
1 Multidimensional impact pathway for CSIRO Cybersecurity
2 Key outcomes and impacts of Data61’s Cybersecurity programs
1.1 Potential economy-wide impact of digital disruptions
1.2 Annual average cost of the consequences of cyberattacks
1.3 Summary of data insights from the 2019 Cost of a Data Breach Report
1.4 Multidimensional impact pathway for CSIRO Cybersecurity
2.1 CSIRO’s investment into major cyber security groups
2.2 Increasing funding dominance of key programs over time
2.3 High-Assurance Cyber Military Systems
2.4 Trustworthy Systems (TS)
2.5 Data Airlock
2.6 R4 – The re-identification risk ready reckoner
2.7 Major customers for FY 18-20 Revenue
2.8 Cost recovery by cybersecurity group
2.9 Significant Cybersecurity publications
2.10 Publication productivity of key team researchers
2.11 Invited keynote and plenary talks (2018–19)
2.12 Estimated economic returns from Trustworthy Systems
2.13 Key outcomes and impacts of Data61’s Cybersecurity program

Summary

CSIRO’s Data61 (Data61) Cybersecurity represents an exemplar in CSIRO research: clear causal links between research excellence and meeting the specific needs of government and industry to address large-scale challenges and avoid potentially large-scale societal and economic costs.
The impact pathway identifies clear links between collaborative, capability and capacity building activities; new technologies and solutions with immediate and wider application; and an ability to unlock significant digital, data and Artificial Intelligence capabilities to boost productivity and growth.

Addressing problems that otherwise pose significant risks to Australia

Global connectivity poses a major challenge to the protection of privacy and trust, with costly disruptive potential, and US$170 billion[1] is spent globally to minimise cybersecurity risks.

At their most severe, cybersecurity incidents are estimated to cost the Australian economy up to $1 billion per year.[2] Australian sectors most reliant on cyber connectivity generate annual gross revenue of more than $500 trillion, and account for nearly 670 000 Australian jobs. For these sectors, the loss in GDP from one week of cyber downtime due to cyber invasion is estimated at $5.6 trillion, with a loss of 32 000 jobs.[3]

Levels of risk and cost need to be addressed, as businesses and governments rely on accurate and thorough data to protect their information and digital assets. This is complex: cyber risk assessment is challenged by fast-evolving threats and data limitations, which are difficult to address when organisations are unwilling to share relevant information and/or are unaware of their vulnerabilities to data loss and privacy-invasive actions.

[1] Cybersecurity Ventures, ‘Cybersecurity Market Report Q4 2015’, Cybersecurity Ventures, 2015, accessed 27 July 2020.
[2] Actual report cannot be sourced in the public domain. References to the estimate have most recently been reported in Australian Criminal Intelligence Commission, ‘Cybercrime’, Australian Criminal Intelligence Commission, 2019, accessed 3 June 2020.
[3] AustCyber, ‘Australia’s Digital Trust Report 2020’, AustCyber, July 2020, accessed 30 July 2020.
Solution: build resilience, shared awareness, and human capacity

Since 2016, CSIRO’s Data61 has been undertaking a range of initiatives to boost research, commercialisation and connectivity outcomes across Australia’s cyber industry, and to drive the development of new cybersecurity architectures. The cybersecurity program now includes over 47 activities across focused cyber themes, including:
■ boosting cyber security research and collaboration
■ cyber ecosystem activities
■ commercialisation of cyber solutions
■ improving cyber security skills, and
■ deepening connections with international partners.

Over 60 cybersecurity researchers and engineers have been funded to support projects to improve cyber research and technology commercialisation over the past three years. Between FY2018 and FY2020, $33.8 million in funding has been invested by CSIRO in its three major cyber security groups within the Software and Computational Systems (SCS) research program.[4] These groups have delivered new platform technologies and associated products that are actively being trialled and adopted by researchers, industry, and all levels of government, in Australia and internationally. Key outputs of the team include:
■ novel science and technological solutions
■ new partnerships and collaborations
■ risk assessments for government to improve preparedness and response to cyber attack
■ leadership and guidance forums and materials for cyber initiatives
■ new training and development opportunities, and
■ elevated CSIRO and Australian international reputation.

[4] Trustworthy Systems, Distributed Systems Security, and Information Security and Privacy. Includes salary, on-costs and operating costs.

The impact pathway for CSIRO Cybersecurity expands from impacts associated with discrete technology partnerships to changes in the cyber security system and capacity in Australia. An overview of its multidimensional nature is illustrated below.
1 Multidimensional impact pathway for CSIRO Cybersecurity

Time horizons:
■ SHORT TERM: partnerships that solve cybersecurity problems
■ MEDIUM TERM: building cybersecurity awareness and industry technical capacity
■ LONGER TERM: increased cybersecurity preparedness for Australia

INPUTS
■ CSIRO internal funding
■ Government agency funding for projects
■ Industry funding for projects

OUTPUTS
■ Collaborative partnerships
■ New product and research road maps to provide strategic direction
■ Risk assessment reports
■ New technologies that protect business and government systems
■ PhD training opportunities in cybersecurity
■ New uses and applications for platform technologies
■ Ongoing new partnerships
■ Training programs for industry
■ Graduated PhD students with research outputs
■ CSIRO and Australian reputational excellence in cybersecurity
■ Systems in place to protect against evolving risks
■ Stakeholder awareness of risks and solutions

OUTCOMES
■ Stakeholder collaboration
■ More research capacity and capability
■ Better information quality due to improved data analytics
■ Use/adoption of outputs (processes, technologies)
■ Improved cybersecurity protection for individuals and organisations
■ Economic resilience, enhanced productivity, GDP growth

IMPACTS
■ Reduced harm to individuals (privacy breach) and organisations (IP theft, reputational and stock price risk, fines)
■ More efficient use of skills and resources
■ Reduced waste/downtime
■ Improved sovereign and national security benefits
■ Increased labour and capital productivity
■ Stronger, more productive economy
■ Improved societal outcomes

Source: CIE.

Valuing Data61 Cybersecurity

In its short history, Data61 Cybersecurity has enhanced CSIRO’s contribution to Australia’s cybersecurity innovation and protection, leveraged additional government and industry investment, and brought stakeholders together to achieve more through collaboration and dispersion of cybersecurity capacity building than would have been achieved otherwise.
This includes leveraging substantial investment into Australia’s cybersecurity preparedness, with numerous contracts with clients to provide commissioned work to address industrial and agency needs. Over 2018-2020, contracted revenue for the three cyber groups has amounted to $27.9 million in nominal terms. With additional cybersecurity-related funding for Data61 from the National Innovation and Science Agenda (NISA) of $19.8 million over three years allocated to the three cyber groups, all cyber groups cover their labour and overhead costs and generate additional research capacity for CSIRO. Across the three cyber groups, a cost recovery rate of 178 per cent is achieved, ranging from 115 per cent for Trustworthy Systems to 235 per cent for Distributed Systems Security.

The public dissemination of publications from the research team has been embraced globally, generating an estimated $844 000 annually as works are cited by the cybersecurity research community.[5]

[5] Calculated by the CIE, as described later in this report.

Data61’s Cybersecurity groups are still in their infancy, and growing as fast as their staff capacity can sustain. With the PhD scholarships program and upskilling of industry, cybersecurity capacity will grow, and with it demand from government and industry to improve cybersecurity preparedness across the country. The rapid uptake of demand for cybersecurity expertise, and the leveraged commitment to substantial funding of research, points to a research program that is highly valued on multiple fronts, with the capacity to materially impact the resilience of the Australian economy. The logic of the impact creation model for Cybersecurity is illustrated in chart 2.

2 Key outcomes and impacts of Data61’s Cybersecurity programs

Numbered elements of the impact creation logic:
1 Enhanced quality and quantity of cyber research
2 Enabled collaborations and partnership mechanisms
3 Enhanced data analytics capabilities with simultaneous data protection
3A Discovery begets discovery
4 Cyber and privacy safer technologies and systems
5 Improved international standing and reputation
6 Strategic relationships built that attract future funding and cement a Security Innovation Network
7 Greater cybersecurity awareness and technical capacity

Monetary value of Data61 Cybersecurity
■ $27.9 million in client revenue over 3 years for the 3 major cyber groups; with the addition of NISA funding, this results in a cost recovery rate of 178 per cent
■ Income gains for supported PhD scholars in cybersecurity
■ Productivity gains for Australian business and government
■ Dissemination of valued research worth $870k p.a.

Improved research effort
■ Strategic research partnerships and joint research projects across the cybersecurity community
■ Increased investment in cyber research leveraged from external sources

Efficient and effective innovation
■ Insights from shared data
■ Minimising research fragmentation
■ Access to larger datasets for analytics
■ Mission and outcomes focused research tailored to specific partner/client requirements

Improved societal outcomes
■ Safer, more trusting society
■ Increased employment prospects and security
■ Increased businesses with cybersecurity preparedness
■ Additional exports
■ Better policy

Geo-strategic advantages
■ Improved bilateral and multilateral relations
■ Increased opportunity for trade and capital flows
■ Strengthened institutions to protect national and international security

Improved knowledge of risk exposure, security vulnerabilities, and cyber readiness
■ Cybersecurity skills in industry

Productivity gain for government and business
■ Greater adoption of cybersecurity technologies in industry
■ Minimised resources spent on identifying and resolving cyber threats
■ Streamlined and automated processes to improve business efficiency
■ Increased data analytics capabilities as data is more accessible

New technologies and solutions
■ Business systems secured
■ Road maps to identify root causes and solutions

Data source: CIE.

1 Challenges and risks

Since 2016, CSIRO’s Data61 (or Data61) has been a driving catalyst in Australia’s cyber research agenda, and is already beginning to realise Australia’s potential to be a regional and global leader in cyber research and technology commercialisation. Its approach is highly collaborative, including partnerships with Australian and international governments, companies, universities and networks to bring the best minds and mission-driven solutions to Australian needs and challenges, and to ensure Australian governments and companies have early access to emerging technologies and capabilities. Research investments are being made across cyber-aligned fields including trustworthy systems, distributed systems security, data security and privacy, AI and cyber security, and human centric cyber security, to demonstrate at scale the use of new cyber techniques and architectures in the local environment.

What’s at stake

Global connectivity facilitated by information and digital technologies brings enormous opportunities for business and society. However, it also represents a major challenge to the protection of privacy and trust, and has the potential to destabilise, disrupt and corrupt information systems and infrastructure at a large economic and social cost. The 2018 Symantec Security Response estimated that globally there are on average 5200 Internet of Things attacks per month.[6] In early 2018, Meltdown and Spectre put industry on global alert about a built-in hardware weakness that, if exploited, allows attackers to bypass security controls and steal data.[7] Data61 played an integral role in discovering Spectre and Foreshadow, a variant of Meltdown that bypassed Intel’s secure vault to expose data.[8]

[6] Davis, D., ‘Internet of Things Cyber Attacks Grow More Diverse’, Symantec-enterprise-blogs, 2019, accessed 6 June 2020.
[7] Australian Cyber Security Centre, ‘ACSC statement on reports of Intel Active Management Technology (AMT) security issue’, Australian Signals Directorate, 2018, accessed 6 June 2020.
[8] Chelvan, C., ‘Foreshadowing attacks: cybersecurity researchers save the day’, CSIRO scope, Aug 2018, accessed 10 Aug 2020.

A 2019 report by Dell Computing found that of 307 companies that suffered hardware breaches, 52 per cent experienced loss of sensitive data, 39 per cent incurred financial loss due to system downtime, and 32 per cent suffered financial loss due to remediation efforts.[9]

In Australia, the Office of the Australian Information Commissioner’s 2018 report on Australian data breaches found that nearly 25 per cent of data breaches occurred in the health sector, which is highly vulnerable to re-identification risk and thereby to significant financial and reputational ramifications.[10] To assess Australia’s exposure to health data risks, researchers from the University of Melbourne successfully re-identified the longitudinal medical billing records of 10 per cent of Australians, equivalent to around 2.9 million people, demonstrating the relative ease of re-identifying Australian patient medical data without permission using an undergraduate-computing-level skill set.[11]

Given these challenges, Australian and international demand for cybersecurity solutions is strong, with an estimated US$170 billion spent globally to minimise cybersecurity risks.[12]

Costs of cyber intrusion and risks

Cyber intrusion has a direct deleterious economic impact, typically associated with denial of service assaults and malicious insiders. The 2019 Australian Cyber Security Review found that cybersecurity incidents cost the Australian economy up to $1 billion per year.[13] In 2020, it was estimated that Australian sectors most reliant on cyber connectivity generate annual gross revenue of more than $500 trillion, and account for nearly 670 000 Australian jobs.[14] For these sectors, the loss in GDP from one week of cyber downtime due to cyber invasion is estimated at $5.6 trillion, with a loss of 32 000 jobs. Worse still, the rate of losses accelerates as the period of cyber downtime extends (table 1.1).

[9] Forrester Consulting, ‘BIOS Security – The Next Frontier for Endpoint Protection Report’, Dell Technologies, 2019, <https://www.dellemc.com/ja-jp/collaterals/unauth/analyst-reports/solutions/dell-bios-security-the-next-frontier-for-endpoint-protection.pdf>, accessed 6 June 2020.
[10] Office of the Australian Information Commissioner, ‘Notifiable Data Breaches Statistics Report: 1 January to 31 March 2018’, OAIC Notifiable data breaches, July 2018, <https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-statistics-report-1-january-to-31-march-2018/>, accessed 4 June 2020.
[11] Culnane, C., Rubinstein, B., and Teague, V., ‘Health Data in an Open World’, Cornell University arXiv, 2017, accessed 6 June 2020.
[12] CSIRO Data61 Cyber Security Strategy, 2019, p 1.
[13] Actual report cannot be sourced in the public domain. References to the estimate have most recently been reported in Australian Criminal Intelligence Commission, ‘Cybercrime’, Australian Criminal Intelligence Commission, 2019, accessed 3 June 2020.
[14] AustCyber, ‘Australia’s Digital Trust Report 2020’, AustCyber, July 2020, accessed 30 July 2020.
1.1 Potential economy-wide impact of digital disruptions

| Sector | 1-week attack: GDP ($m) | 1-week attack: Jobs | 4-week attack: GDP ($m) | 4-week attack: Jobs |
|---|---|---|---|---|
| Digital activity | -4 965 | -27 174 | -29 788 | -163 042 |
| Cyber security | -283 | -1 541 | -1 700 | -9 248 |
| Online retail | -290 | -2 690 | -2 002 | -18 558 |
| Digital health | -27 | -189 | -174 | -1 202 |
| Solar power generation | -10 | -43 | -63 | -281 |
| Space industry | -27 | -178 | -178 | -1 189 |
| Hydrogen manufacturing | -0.16 | -1 | -1 | -5 |
| Total | -5 602 | -31 816 | -33 906 | -193 525 |

Note: The scenarios were designed in terms of timescale only.
Source: AustCyber, ‘Australia’s Digital Trust Report 2020’, AustCyber, July 2020, accessed 30 July 2020.

International studies that publish more specific data on cybersecurity costs tend to report lower costs, albeit still substantive, and these remain of major concern for Australia and internationally. The Ninth Annual Cost of Cybercrime Study estimated that the average annual cost to a country from cyberattacks is US$13 million. The most costly type of attack is malware (US$2.6 million annually), and the most costly consequence is business disruption (US$4 million annually), mainly due to denial of service (table 1.2).

1.2 Annual average cost of the consequences of cyberattacks

Units: US$ million, 2019 prices. Blank cells were not reported.

| Attack type | Business disruption | Information loss | Revenue loss | Equipment damage | Total cost by attack type |
|---|---|---|---|---|---|
| Malware | 0.5 | 1.4 | 0.6 | 0.1 | 2.6 |
| Web-based attacks | 0.3 | 1.4 | 0.6 | | 2.3 |
| Denial of service | 1.1 | 0.2 | 0.4 | 0.1 | 1.7 |
| Malicious insiders | 0.6 | 0.6 | 0.3 | 0.1 | 1.6 |
| Phishing and social engineering | 0.4 | 0.7 | 0.3 | | 1.4 |
| Malicious code | 0.2 | 0.9 | 0.2 | | 1.4 |
| Stolen devices | 0.4 | 0.4 | 0.1 | 0.1 | 1.0 |
| Ransomware | 0.2 | 0.3 | 0.1 | 0.1 | 0.7 |
| Botnets | 0.1 | 0.2 | 0.1 | | 0.4 |
| Total cost by consequence | 4.0 | 5.9 | 2.6 | 0.5 | 13.0 |

Note: Numbers may not add due to rounding.
Source: Bissell, K., and Lasalle, R., ‘Ninth Annual Cost of Cybercrime Study’, Accenture Security North America, 2019, accessed 4 June 2020.
Across all countries, the total value at risk from cybercrime is estimated to be US$5.2 trillion over the next five years, based on the value at risk globally from direct and indirect cyberattacks over the 2019-2023 period.

The IBM Security Cost of a Data Breach Report in 2019 found that the probability of experiencing a data breach over two years was 29.6 per cent, which has increased by close to a third over the past five years. The reported average cost of a data breach is US$3.92 million, with an average breach size of 25 550 records, and the average time to identify and contain a breach being 279 days (314 days when caused by malicious attack).[15]

Average costs are 95 per cent higher in an organisation where there is no security automation deployed, and in Australia (as is the international average) 48 per cent of organisations do not have security automation deployed. A comparison of costs for Australia vis-à-vis the global average is summarised in table 1.3.

Not captured in these estimates are the financial costs associated with risks to the assurance of underlying service reliability for life- or mission-critical systems or functions. For instance, in 2017 the US Food and Drug Administration identified that many medical devices, including St. Jude Medical's implantable cardiac devices, contain configurable embedded computer systems that are unsafe from cyber invasions and exploits.

[15] IBM Security, ‘IBM Security Cost of a Data Breach Report 2019’, IBM, 2019, <https://www.ibm.com/security/data-breach>, accessed 5 June 2020.
[16] U.S. Food & Drug Administration, ‘Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication’, 2017 Safety Communications, 2017, accessed 3 June 2020.
Malfunctions such as battery depletion and incorrect pacing or shocks, due to intrusion into such a life-critical system, can cause devastating injury or even death.[16]

1.3 Summary of data insights from the 2019 Cost of a Data Breach Report

| Measure | Australia | Global average |
|---|---|---|
| Average cost of a data breach | US$2.13 million | US$3.92 million |
| Average cost of a data breach that takes more than 200 days to resolve | Not reported | US$4.56 million |
| Average cost of a data breach that takes less than 200 days to resolve | Not reported | US$3.34 million |
| Average cost of a megabreach (more than one million records) | Not reported | US$3.92 million |
| Average cost per record breached | US$110 | US$150 |
| Direct expenses | US$50 | Not reported |
| Non-cash outlays needed for breach resolution | US$60 | Not reported |
| Cost per health record breached | US$429 | US$645 |

Source: IBM Security, ‘IBM Security Cost of a Data Breach Report 2019’, IBM, 2019, <https://www.ibm.com/security/data-breach>, accessed 5 June 2020.

There are also high potential risks of cyberattacks on embedded systems. Complex in nature, embedded systems are typically used in automobiles, mobile phones, industrial machines and medical equipment. For example, embedded systems in consumer vehicles control cruise control, backup sensors, suspension control and airbag systems, so cyber invasion can have potentially severe consequences. In 2015, trial research demonstrated that a Jeep SUV could be hacked via its Sprint cellular network, with attackers able to gain full control of the vehicle, including speeding it up, slowing it down and veering it off course.[17]

[17] Bonderud, D., ‘Eight Crazy Hacks: The Worst and Weirdest Data Breaches of 2015’, Security Intelligence, 2015, <https://securityintelligence.com/eight-crazy-hacks-the-worst-and-weirdest-data-breaches-of-2015/>, accessed 3 June 2020.
The immediate adverse impacts of untrustworthy systems include software defects, system failure, leakage of sensitive information, financial costs and, in embedded systems, damage to property, injury or loss of life. Immediate financial costs include user incidents and repair costs for bugs, and costs associated with delayed service introduction. Longer term costs include the development or exacerbation of:
■ loss of reputation and future business
■ legal actions
■ injuries and fatalities
■ crime
■ loss of employment, and
■ loss of public service and essential services.

Need for risk management capability and governance

Faced with emerging cyber threats of evolving scope, scale and sophistication, the 2020 Cyber Security Strategy Industry Advisory Panel outlined key strategic priorities and identified best practice from an industry perspective. The 2020 Cyber Security Strategy is clear-sighted about opportunities and barriers in cyber risk management, the development of a trustworthy digital market, and shared awareness of cyber threats. In particular, the 2020 Strategy recommends:[18]
■ developing threat identifiers for a digital technology market where security is built in across the supply chain, leveraging Australia’s global leadership in cyber policy development, as well as support by major national agencies, the CSIRO and Defence Science and Technology
■ increasing investment in cyber security research and development
■ improving collaboration with the cyber industry to shape cyber security standards and align market-wide practice with transparent and secure digital supply chains, and
■ promoting partnerships between institutions and industry to share real-time threat information for preparedness.

[18] 2020 Cyber Security Strategy Industry Advisory Panel, ‘Industry Advisory Panel Report for Australia’s 2020 Cyber Security Strategy’, Department of Home Affairs of Australian Government, July 2020, accessed 30 July 2020.
Hence, levels of risk and cost need to be incorporated into a cybersecurity risk management and governance framework, as businesses and governments rely on accurate and thorough information to protect their information assets. Despite its importance, a comprehensive cyber risk assessment is challenged by fast-evolving threats and data limitations. One important constraint is the ability to assess the probability and cost of a security incident when organisations are unwilling to share relevant information and/or are unaware of their vulnerabilities to data loss and privacy-invasive actions.[19]

[19] Taylor (2015), ‘Potential Problems with Information Security Risk Assessments’, Information Security Journal: A Global Perspective, vol. 24, pp. 1-8, 2015.

Part of a successful cyber defence includes human capabilities in recognising risk, provisioning for its mitigation, and devising dynamic solutions that can adapt to changing needs.

Solution: build resilience, shared awareness, and human capacity

Since 2016, Data61 has been undertaking a range of initiatives to boost research, commercialisation and connectivity outcomes across Australia’s cyber industry, and to drive the development of new cybersecurity architectures. The cybersecurity program now includes over 47 activities across focused cyber themes, including:
■ developing new scientific and technological solutions
■ boosting cyber security research and collaboration
■ cyber ecosystem activities
■ commercialisation of cyber solutions
■ improving cyber security skills, and
■ deepening connections with international partners.

Enhanced research and collaboration

A core strategy of the cyber security program is to boost cyber research capability and collaboration in Australia, including with the Australian Centre for Cyber Security, the Australian Cyber Security Growth Network (AustCyber), and the CyberSecurity CRC.
Key research areas include:
■ Trustworthy Systems: building on the formally verified seL4 operating system kernel to architect systems with critical components isolated from uncritical, untrusted ones
■ Distributed Systems Security: designing security for distributed systems, including in areas such as IoT
■ Data Security and Privacy: identifying and quantifying risks of data privacy and security vulnerabilities and developing privacy-preserving technologies
■ AI and Cyber Security: using AI to solve cybersecurity problems and designing secure and safe AI systems, and
■ Human Centric Cyber Security: focusing on vulnerabilities and threats centred around humans: usage, user and usability.

These activities are already increasing collaboration across Australia’s cyber ecosystem, and aligning activity around Australia’s key cyber challenges and opportunities. Several research outputs and technologies have already been developed, and are being trialled by governments and industry for potential future deployment. Through NISA’s Platforms for Open Data (PfOD) initiative, Data61 is also supporting Commonwealth Government Departments to explore and deploy secure data sharing and analysis technologies.

The impact pathway for CSIRO Cybersecurity is multidimensional, ranging from impacts associated with discrete technology partnerships to changes in the cyber security system and capacity in Australia. An overview of its multidimensional nature is illustrated in chart 1.4 and described further in Chapter 2.
1.4 Multidimensional impact pathway for CSIRO Cybersecurity

Time horizons:
■ SHORT TERM: partnerships that solve cybersecurity problems
■ MEDIUM TERM: building cybersecurity awareness and industry technical capacity
■ LONGER TERM: increased cybersecurity preparedness for Australia

INPUTS
■ CSIRO internal funding
■ Government agency funding for projects
■ Industry funding for projects

OUTPUTS
■ Collaborative partnerships
■ New product and research road maps to provide strategic direction
■ Risk assessment reports
■ New technologies that protect business and government systems
■ PhD training opportunities in cybersecurity
■ New uses and applications for platform technologies
■ Ongoing new partnerships
■ Training programs for industry
■ Graduated PhD students with research outputs
■ CSIRO and Australian reputational excellence in cybersecurity
■ Systems in place to protect against evolving risks
■ Stakeholder awareness of risks and solutions

OUTCOMES
■ Stakeholder collaboration
■ Use/adoption of outputs (processes, technologies)
■ More research capacity and capability
■ Better information quality
■ Economic resilience, enhanced productivity, GDP growth

IMPACTS
■ More efficient use of skills and resources
■ Reduced waste/downtime
■ Increased labour and capital productivity
■ Stronger, more productive economy
■ Improved societal outcomes

Source: CIE.

2 Impact pathway for Data61 Cybersecurity

In its short history, Data61 Cybersecurity has enhanced CSIRO’s contribution to Australia’s cybersecurity protection, leveraged additional government and industry investment, and brought stakeholders together to achieve more through collaboration and dispersion of cybersecurity capacity than would have been achieved otherwise. The value of cybersecurity expertise from Data61 is evidenced by high demand for commissioned projects, which for the three cybersecurity groups covers over 189 per cent of all program costs (comprising $47.7 million in direct client revenue and NISA cybersecurity-related funding).
The public dissemination of publications from the research team has been embraced globally, generating an estimated $870 000 annually as works are cited by the cybersecurity research community.

Inputs

CSIRO has invested in over 60 full time equivalent (FTE) cybersecurity researchers and engineers to support projects to improve cyber research and technology commercialisation over the past three years. Between FY2018 and FY2020, $25.2 million has been invested by CSIRO in its three major cyber security groups (table 2.1).

2.1 CSIRO’s investment into major cyber security groups

All figures in $’000.

| | Distributed Systems Security | Trustworthy Systems | Information Security and Privacy | Total |
|---|---|---|---|---|
| Operating costs | | | | |
| FY18 | 594.9 | 365.0 | 15.3 | 975.2 |
| FY19 | 1 390.6 | 294.3 | 24.8 | 1 709.7 |
| FY20 | 1 187.6 | 240.2 | 54.4 | 1 482.2 |
| Total operating costs | 3 173.1 | 899.6 | 94.4 | 4 167.1 |
| Salary cost | | | | |
| FY18 | 987.8 | 3 120.1 | 339.0 | 4 446.9 |
| FY19 | 1 569.8 | 3 881.3 | 1 825.3 | 7 276.4 |
| FY20 | 3 533.6 | 3 953.2 | 1 901.8 | 9 388.5 |
| Total salary costs | 6 091.1 | 10 954.6 | 4 066.0 | 21 111.7 |
| TOTAL | 9 264.2 | 11 854.2 | 4 160.4 | 25 278.8 |

Source: CSIRO unpublished.

Funding across the portfolio has increased in each year, although the focus on project work and the involvement of external funding sources has seen funding fluctuations at the group level, with Distributed Systems Security, then Trustworthy Systems, experiencing the strongest overall growth in funding of all the groups (chart 2.2).

2.2 Increasing funding dominance of key programs over time
[Chart: funding in $m (0.0 to 5.0) by year, FY 18 to FY 20, for Distributed Systems Security, Trustworthy Systems, and Information Security and Privacy.]
Source: CSIRO unpublished.

Key non-CSIRO sources of funding comprise:
■ co-investment funding from the Science and Industry Endowment Fund, Defence Science & Technology Group, Cyber Security Research Centre Ltd., Department of Transport, Asian Office of Aerospace Research, and Intersective Pty. Ltd.
■ CSIRO strategic funding to conduct research in broad cyber areas, such as from the Department of Finance, Australia Competition & Consumer, The Department of the Prime Minister, Australian Prudential Regulation, and PwC, and
■ service and consulting commissioned work for Hensoldt Cyber GmbH, HRL Laboratories, LLC, Rockwell Collins Inc, The Boeing Company Inc, Cyber Security Research Centre Ltd, United Technologies Corporation, Department of Customer Service, Department of Foreign, Australian Federal Police, Department of Industry, Science, and US Army International Technology and others.

Outputs: What Data61 cyber delivers

All the programs within the Data61 cyber portfolio have delivered new platform technologies and associated products that are actively being trialled and adopted by researchers, industry, and all levels of government, in Australia and internationally. Key output domains across the Data61 cyber portfolio include the following:
■ new partnerships and collaborations
■ risk assessments for government agencies to improve their preparedness and response to cyber attack
■ leadership and guidance forums and materials for cyber initiatives
■ new training and development opportunities, and
■ elevated CSIRO and Australian international reputation.

New research partnerships

Important partnerships to date include:
■ a three year strategic partnership (now extended for an additional three years) with the Defence Science and Technology Group (DST Group) for research collaboration in the areas of cyber and electronic warfare. This partnership has resulted in:
  – the commencement of 23 joint research projects with 15 universities in areas including cyber influence and data analytics, sensing to effects, autonomous systems, and system design for resilience
  – a networking forum held between Data61, DST Group and AustCyber in November 2017, attended by 80 participants from a wide range of universities and industries.
    The networking forum developed into a full-fledged cybersecurity for defence conference. The first one was planned for March 2020 but had to be postponed due to COVID-19.
  – two Data61-DST Group Cyber Summer Schools (a third was postponed due to COVID-19) providing 150 Australian research and academic leaders with access to international and local thought leaders in defence cyber, and
  – an early exploration of cyber security risk modelling for Australia's maritime ports to assess the convergence of cyber physical and logical cyber threats impacting the industry and national security.
■ partnering with the Attorney General's Department and CERT Australia to explore a Cyber Threat Information Portal to support government to industry threat intelligence sharing
■ partnering with the NSW Government to deliver targeted projects in:
  – cybersecurity governance and management — developing a strategic roadmap for the protection of New South Wales' critical infrastructure
  – Internet-of-Things security — exploring deployment of a lightweight public-key encryption scheme and multi-level authentication protocol
  – cross-agency cybersecurity collaboration — exploring the potential for the use of blockchain to support cross-agency process coordination, and
  – threat intelligence data analytics — using advanced models for threat intelligence analytics, in a NSW context
■ partnering with the ACT Government to establish the Canberra Cyber Network (CCN) — a collaboration between ACT Government, ANU, UNSW Canberra, UC and CIT, to promote best practice policy and behaviour in government and business
■ working with the Victorian Government to grow Data61's Victorian Cyber and Innovation Centre in Melbourne and establish it as a focal point for industry to research collaboration and network building
■ working with the Queensland Government to understand cyber readiness and security vulnerabilities, and to explore the establishment of a secure data sharing framework within government, and
■ collaborating on projects with States' internal data analytics groups, including the NSW Data Analytics Centre (DAC), the Victorian Centre for Data Insights (VCDI) and SA's Office of Data Analytics, to support the sharing of sensitive information across government.

Data61 is also strengthening its international reputation for cyber excellence through partnerships such as:
■ collaboration with DARPA and Rockwell Collins on a joint "Cyber Assured Systems Engineering (CASE)" project, trialling Data61's mathematically proven seL4 system software and architecture in defence applications
■ a multi-million, multi-year collaboration with a major European cybersecurity company and the RISC-V Foundation on critical system security
■ joining various national networks and forums such as the Australia-Israel cybersecurity dialogue, the Prime Minister's round table on cybersecurity, the working group for the Academic Centre of Excellence on cybersecurity, and AustCyber, and
■ Memoranda of Understanding (MOUs) or other collaboration with various international universities on cybersecurity such as MIT, CMU, Purdue, NIST, University of Pittsburgh, University of Texas at San Antonio, TU Munich, Uni Augsburg, Uni, Chalmers Uni, Cambridge, Imperial College London, Singapore research ecosystems (NUST/NTU/A*Star) and IIT Bombay.

Risk assessments for agencies

In just three years, Data61 has established itself as a trusted advisor on privacy-enhancing and secure data sharing and associated technologies. Over 30 privacy risk assessments have either been undertaken by Data61 and/or using its technology and tools for diverse data assessment use cases, and more than ten government departments and agencies have been provided with a Re-identification Risk Metric and a Privacy and Re-identification Risk assessment.
For instance, Data61 has:
■ worked with the Australian Bureau of Statistics to prototype software enabling public data platforms to interactively access aggregated data drawn from unit record datasets
■ supported the Department of Social Services (DSS) in generating a synthetic social security dataset, allowing data to be openly released whilst maintaining data privacy
■ worked with DSS and the Australian Institute of Health and Welfare to develop and test software and a user interface to enable auditable data extraction and delivery into a secure environment for policy and research purposes by authorised users
■ developed prototype technology for Department of Industry, Innovation and Science use in conducting web-based data analytics of BLADE data (business longitudinal), while preventing spontaneous recognition, and
■ worked with the Queensland Office of the Information Commissioner, with Data61 acknowledged in the report tabled to the Queensland Parliament, which noted: 'We engaged CSIRO's Data61, the data science and digital specialist arm of the Commonwealth Scientific and Industrial Research Organisation, to assist with this section of the report. Data61 are experts in de-identification and re-identification risk analysis. They have specialised analytic tools that quantify the re-identification risk "score" of de-identified data. We used these risk scores, and Data61's supporting analysis, to inform our findings in this chapter.'[20] In addition, many sections of its published guideline are directly linked to recommendations provided by Data61.[21]

[20] The Queensland Office of the Information Commissioner, 'Privacy and Public Data', Queensland Office of Information Commissioner, July 2020, p.25, accessed 29 July 2020
[21] The Queensland Office of the Information Commissioner, 'Privacy and de-identified data', Queensland Office of Information Commissioner, July 2020, <https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/anonymity/privacy-and-de-identification>, accessed 29 July 2020
[22] See https://research.csiro.au/distributed-systems-security/cyber-common-operating-picture-ccop/
[23] See https://research.csiro.au/distributed-systems-security/artificial/
[24] See https://research.csiro.au/distributed-systems-security/deception/
[25] https://research.csiro.au/distributed-systems-security/automated/

Leadership and guidance forums and materials for cyber initiatives

Data61 is also actively supporting a number of broader cyber initiatives, including:
■ leading as an industry and research provider to the Cyber Security CRC, joining 18 industry participants and 6 research partners, and co-leading initial projects for the CRC in security automation and orchestration. Example projects include:
  – Cyber Common Operating Picture (CCOP) — a platform for gathering, analysing and visualising cyber security data[22]
  – SMART SHIELD — an artificial intelligence assisted holistic anti-phishing system[23]
  – Deception as a service — applying cutting edge machine learning and artificial intelligence to generate realistic computer systems and assets for the purposes of deceiving intruders who make their way into a system[24]
  – Automated Identity and Access Management — development of intelligent support for identity and access management tasks within enterprise IT systems with dynamic business environments,[25] and
  – Automatic Assessment and Protection of Personal Information in Data Sharing — development of an automatic tool to analyse the robustness of the Personal Information Factor (PIF) by considering the effects of re-identification attacks.
■ having developed and launched a Cyber Security Industry Roadmap in collaboration with CSIRO Futures and AustCyber, aimed at identifying cyber requirements for Australia's growth sectors.

Data61 is also supporting Australian organisations to grow their cyber awareness and skills, including through:
■ the Cyber for Directors program, developed in conjunction with the Australian Institute of Company Directors (AICD) to lift the digital literacy of Australian business leaders. To date, AICD and Data61 have delivered ten courses under the program with 1579 attendees
■ two blockchain reports developed for the Department of Treasury and Finance to inform on the opportunities and the security and privacy risks of deploying blockchain based technologies and systems, and work on a new version with the Australian Computer Society (ACS) for an industry and skilling report
■ publishing a De-Identification Decision-Making Framework, in partnership with the Office of the Australian Information Commissioner (OAIC), to guide Australian businesses on managing re-identification risk
■ partnering with Fintech accelerator Stone & Chalk on a number of cyber focused initiatives including the 2017 Fintech Cyber Summit, and
■ partnering with the Silicon Valley Innovators Network (SINET) in the delivery of the 2017 and 2018 SINET61 Summits, with each Summit drawing approximately 250 high level international and local participants.

Training and development opportunities

Data61 has provided new training opportunities for Australians to develop world class skills in cyber security.
This includes:
■ support for over 80 Data61 Cyber PhD Scholarships in collaboration with Australian universities, and
■ over 20 undergraduate and graduate scholarships and associated supervision effort in relation to the Cyber Security CRC.

New technologies

To progress opportunities to commercialise new cyber technologies and solutions, Data61 has developed around eleven cyber technologies — six in the pilot phase, two undergoing trials, three in the pre-commercialisation phase, and some already adopted and in use by clients. Examples include:
■ working in collaboration with DST Group to develop and commercialise the Cross Domain Desktop Compositor (CDDC) prototype, which improves productivity in Defence and provides a means to securely access multiple isolated networks. CDDC has won three State iAwards in SA and the National Award for R&D, and has entered the Defence Innovation Hub to continue the commercialisation process
■ discussions with prominent defence industry leaders on the potential to collaborate in the use of formal methods for automated cyber assured systems verification
■ working with a large EU-based cyber security organisation to explore commercialisation of anomaly detection techniques and user behaviour analytics for the enterprise market
■ working with a major international airline manufacturer on Secure and Modular Internet of Things (SMIT) technologies, trialling Data61's lightweight authentication protocol and architecture for use in the manufacturer's supplier network. SMIT was recently open sourced to benefit Australian SMEs for global supply chain integration (https://www.smit-project.com/)
■ working with the Australian Federal Police (AFP) on Data Airlock, which enables data analytics in a secure enclave and protects human investigators from harmful data, and
■ partnering with Australian company Kollakorn to provide biometric authentication techniques for their CertainID product.
Examples of some of the deliverables

Examples of some of the particular technologies produced as a result of the Data61 cyber research program are showcased in boxes 2.3, 2.4, 2.5 and 2.6.

2.3 High-Assurance Cyber Military Systems

The High-Assurance Cyber Military Systems project adopted a fundamentally different, formal methods-based approach to enable semi-automated code synthesis from executable, formal specifications. Its aim was to raise the technical bar and lower the development cost for high-assurance cyber-physical systems. With partners Defense Advanced Research Projects Agency (DARPA), Rockwell Collins, Galois Inc, University of Minnesota, Boeing, HRL, MIT, University of Illinois, Carnegie Mellon University (CMU), Princeton University, and US Army's TARDEC, CSIRO embedded Data61's seL4, the world's most verified and fastest operating system kernel, on a range of unmanned and autonomous systems. It was demonstrated that mathematically assured software does protect against cyber-attacks.[26]

[Box images: ULB; GVR-Bot]

Beyond defence, the project provides core technologies for protecting a wide range of cyber-physical systems from attacks, including civilian aircraft, implanted medical devices, cars and other transport systems, robots and industrial plants. The successful demonstration showed that the formally verified software had reached the maturity to be embedded in real-world systems. This has triggered significant uptake of the technology in a wide range of industries, as demonstrated by the number of presentations on the industry use of seL4 by various companies at the seL4 summit in November 2018.[27]

[26] The HACMS project @ Data61, see https://ts.data61.csiro.au//projects/TS/SMACCM
[27] The first annual seL4 Summit was held on November 14-16, 2018 at the Hilton Washington Dulles Airport, Herndon, see https://www.sel4-us.org/summit.
2.4 Trustworthy Systems (TS)

The TS group has achieved significant breakthroughs in addressing untrustworthy systems through well-designed microkernels, and has successfully delivered tech-transfer projects providing software, tools, frameworks and platforms for the cost-effective production of trustworthy systems. The microkernels are engineered to reduce the kernel of the operating system (OS) – the most critical part of a software system, since its code runs in privileged mode – to the absolute minimum. Restricting privileged execution to fewer lines of code lowers security risk and brings stability to the entire multitasking system. The main microkernels – L4-embedded and seL4 – are engineered and produced to improve the performance and security of software systems.

L4-embedded was adopted early by Qualcomm, a leading manufacturer of wireless communication chips for mobile phones and other devices. The kernel technology was marketed as OKL4 and by 2008 had achieved deployment of more than half a billion units per year. A version of this kernel now protects the secure enclave of all iOS devices.

Building on 15 years of experience with L4 microkernels, a new microkernel called seL4 was developed. It is the first-ever operating system kernel with a machine-checked formal, mathematical proof of the absence of implementation defects. A key limitation of the traditional combination of testing, code inspection and engineering processes on which critical systems have relied is incomplete coverage of all behaviours and inputs of a non-trivial system. The TS group instead uses a formal, mathematical model and proof to enable machine-checked formal verification of a microkernel. This allows reasoning about all possible behaviours of the system, thereby providing guarantees of the absence of defects.
Complementary to this development are breakthroughs in machine-checked, code-level proofs of isolation properties for a general-purpose OS kernel, worst-case execution time analysis of a multitasking OS kernel, and the disclosure of timing attacks. The TS group continues to build on the seL4 technology as a secure foundation and to implement trustworthy systems. One highlighted effort was the High-Assurance Cyber Military Systems program, where the TS group collaborated with US companies including Boeing to transition the seL4 technology to cyber-attack resistant autonomous vehicles. Another key project using seL4 technology was performed in Australia, where the TS group collaborated with Australia's Defence Science and Technology (DST) Group to develop a device allowing users to visualise information from multiple networks of different classification levels on the same monitor. The most significant uptake and adoption has been in the United States, with Australia in the early adoption stage of the research and technologies.

2.5 Data Airlock

Protecting sensitive data – such as images and video captured during legal investigations – against illicit data processing and transmission has always been important, and has limited R&D in analytics of sensitive data. To enable safe and reliable use while keeping the security of sensitive data under control, Data61 of CSIRO, in collaboration with the Australian Federal Police (AFP) and Monash University, has developed a data analytics platform called Data Airlock. The platform keeps sensitive data in secure vaults and allows researchers to run manually vetted algorithms against the data in isolated environments, the airlocks. Researchers receive progress updates during execution and vetted outputs for evaluation. The platform also enables partially trusted third parties to host the system securely. AFP has adopted Data Airlock for better identification and utilisation of sensitive data.
Other agencies from various domains, such as the Department of Home Affairs and NSW Police, have also shown interest in adopting this technology in their context. Data Airlock will be further developed with additional cryptography and differential-privacy algorithms – especially for the healthcare sector – and greater adaptability for analytics of all types of sensitive data.

2.6 R4 – The re-identification risk ready reckoner

Data re-identification poses substantial privacy risks to individuals as well as data owners. R4 is an information theory based risk assessment tool – developed by the Information Security and Privacy (ISP) group – to assist data custodians in evaluating the levels and origins of re-identification risk, for better decision making on data and relevant risk treatments. In R4, standard techniques including binning and perturbation are applied directly to one or more attributes. Modified versions of these attributes and their risk analyses are also available, so that the potential impact of transformations can be seen. R4 has been used to conduct privacy risk assessments for agencies such as Transport for NSW, the Department of Health and the Australian Taxation Office. It is currently under advanced licensing negotiation for commercialisation.

Outcomes

Leveraged investment into Australia's cybersecurity preparedness

Data61 has executed numerous contracts with clients to provide commissioned work to address industrial and agency needs. Over 2018-2020, contracted revenue for the three cyber groups has amounted to $27.9 million. In addition, the three cyber groups have received funding from NISA of $19.8 million over three years, given the alignment of research outcomes with the national science agenda. Key contributors of revenue are displayed in table 2.7. Excluding NISA funding, the top five revenue contributors are Defence Science & Technology Group, Hensoldt Cyber GmbH, Rockwell Collins Inc, United Technologies Corporation, and The Boeing Company Inc.
They have contributed more than $20.5 million.

2.7 Major customers for FY 18-20 Revenue

Customer                              Revenue ($)    Percent of total (%)
Defence Science & Technology Group    11 840 598     42
Hensoldt Cyber GmbH                   3 197 985      11
Rockwell Collins Inc                  2 165 256      8
United Technologies Corporation       1 822 367      7
The Boeing Company Inc                1 521 279      5
Cyber Security Research Centre Ltd    1 263 709      5
Australian Federal Police             1 123 000      4
Asian Office of Aerospace Research    1 013 953      4
Department of Customer Service        747 000        3
HRL Laboratories, LLC                 537 058        2
Other                                 2 706 098      10
Total                                 27 938 302     100

Note: Total revenue here includes program-level revenue of $12.2 million. Excludes NISA-Data61 funding of $19.8 million.
Source: CSIRO unpublished.

Key revenue generators by program are shown in table 2.8. With the addition of NISA funding, this level of revenue covers all investment costs in these groups, with a combined cost recovery rate of 178 per cent, ranging from 115 per cent for Trustworthy Systems to 235 per cent for Distributed Systems Security.

2.8 Cost recovery by cybersecurity group

Costs and revenue in $m; cost recovery FY18-FY20 in per cent.

Program                         Costs   Revenue   Costs   Revenue   Costs   Revenue   Cost recovery
                                FY18    FY18      FY19    FY19      FY20    FY20      FY18-FY20 (%)
Distributed Systems Security    1.58    7.84      2.96    5.55      4.72    8.37      235
Trustworthy Systems             3.49    4.19      4.18    4.90      4.19    4.60      115
Information Security/Privacy    1.85    4.40      1.85    3.33      1.96    4.56      217
Annual total                    6.92    16.43     8.99    13.78     10.87   17.53     178

Note: Annual total costs include salary and operating costs. Annual total revenues include $27.9 million generated by the cyber groups and their collaborative program-level revenue, plus NISA-Data61 funding of $19.8 million over three years.
Source: CSIRO unpublished.

Strengthened intellectual capital

The CSIRO Data61 cluster of programs has had an immediate and enduring effect on building Australia's intellectual capital in cybersecurity.
This occurs on multiple fronts:
■ through the research of key program team members
■ PhD opportunities afforded to new researchers, and
■ upskilling of industry to understand and manage their risk exposure.

Value of published work

Researchers involved in the Cybersecurity programs have a large volume of published material and associated citations, which is a measure of the value of knowledge output and the intellectual capital built from the programs. A substantial amount of researcher time is dedicated to the publication of publicly available materials and keynote speaking addresses in international public forums, which add to the stock of cybersecurity intellectual capital in Australia. Significant research publications and citations are summarised in tables 2.9 and 2.10.

One indicator of the effectiveness of information dissemination by CSIRO Data61 Cybersecurity researchers is the citation of published work. While this is just a subset of the uptake of research findings, it remains indicative of the value of research outputs nonetheless. In total, the Cybersecurity team accounts for over 162 517 citations, or 81 501 in the past five years alone (table 2.10). On average, this is 16 300 citations every year across the group.

In line with the approach adopted by Florio, Forte and Sirtori (2015),[28] the value of citations can be deemed equivalent to the value of researcher time and the time taken to read citations. Assuming it takes a researcher one hour to read and cite a paper,[29] $844 000 is generated annually through Data61 Cybersecurity-associated citations.

[28] Florio, M., Forte, S. and Sirtori, E., 2015, 'Cost-benefit analysis of the Large Hadron Collider to 2025 and beyond', arXiv:1507.05638v1, available at: https://arxiv.org/abs/1507.05638
[29] Consistent with the assumption in Florio et al. (2015), as discussed by: Schopper, H., 2016, 'Some remarks concerning the cost/benefit analysis applied to LHC at CERN', Technological Forecasting and Social Change, available at: http://isidl.com/wp-content/uploads/2017/08/E4668-ISIDL.pdf

2.9 Significant Cybersecurity publications

Author(s) (Year). Publication.
Wu, N., Farokhi, F., Smith, D. and Kaafar, M.A. (2020). The Value of Collaboration in Convex Machine Learning with Differential Privacy. IEEE Symposium on Security and Privacy, San Francisco, 2020 (CORE A*).
Ahmed, Il-Youp, Huh, Kwak, Oh and Kim (2020). Void: A fast and light voice liveness detection system. USENIX Security 2020, pp. 2685-2703.
Kocher, Horn, Fogh, Genkin, Gruss, Haas, Hamburg, Lipp, Mangard, Prescher, Schwarz and Yarom (2019). Spectre attacks: Exploiting speculative execution. IEEE Symposium on Security and Privacy, pp. 19-37, San Francisco, May 2019 (CORE A*).
Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K. and Liu, D. (2019). MatRiCT: Efficient, Scalable and Post-Quantum Blockchain Confidential Transactions Protocol. ACM Conference on Computer and Communications Security 2019, pp. 567-584 (CORE A*).
Ikram, M., Masood, R., Tyson, G., Kaafar, M.A., Loizon, N. and Ensafi, R. (2019). The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading. Proceedings of the 2019 World Wide Web Conference (WWW '19) (CORE A*).
Esgin, Steinfeld, Liu, J.K. and Liu, D. (2019). Lattice-based Zero-Knowledge Proofs: New Techniques for Shorter and Faster Constructions and Applications. Crypto 2019, pp. 115-146 (CORE A*).
Ge, Yarom, Chothia and Heiser (2019). Time Protection: The Missing OS Abstraction. EuroSys 2019, 1:1-1:17.
Lai, Patranabis, Sakzad, Liu, J.K., Mukhopadhyay, Steinfeld, Sun, Liu, D. and Zuo (2018). Result Pattern Hiding Searchable Encryption for Conjunctive Queries. 25th ACM Conference on Computer and Communications Security (CCS) 2018, pp. 745-762 (CORE A*).
Klein, Andronick, Kuz, Murray, Heiser and Fernandez (2018). Formally verified software in the real world. Communications of the ACM, 61:68-77, October 2018.
Sun, Yuan, Liu, Steinfeld, Sakzad, Vo and Nepal (2018). Practical Backward-Secure Searchable Encryption from Symmetric Puncturable Encryption. 25th ACM Conference on Computer and Communications Security (CCS) 2018, pp. 763-780 (CORE A*).
Yan, Sui, Chen and Xue (2018). Spatio-temporal context reduction: a pointer-analysis-based static approach for detecting use-after-free vulnerabilities. 40th International Conference on Software Engineering (ICSE) 2018, pp. 327-337 (ACM SIGSOFT Distinguished Paper Award, CORE A*).
Masood, R., Zhao, B.Z.H., Asghar, H.J. and Kaafar, M.A. (2018). Touch and You're Trapp(ck)ed: Quantifying the Uniqueness of Touch Gestures for Tracking. Proceedings on Privacy Enhancing Technologies, pp. 122-142.
Masood, R., Vatsalan, D., Ikram, M. and Kaafar, M.A. (2018). Incognito: A Method for Obfuscating Web Data. Proceedings of the 2018 World Wide Web Conference, pp. 267-276 (CORE A*).
Lyons, McLeod, Almatary and Heiser (2018). Scheduling-context capabilities: A principled, light-weight OS mechanism for managing time. EuroSys Conference, Porto, Portugal, April 2018. ACM.
Perrier, V., Asghar, H.J. and Kaafar, D. (2018). Private Continual Release of Real-Valued Data Streams. The Network and Distributed System Security Symposium, NDSS 2019 (CORE A*).

Source: Tessellate 2019, Appendix B.
2.10 Publication productivity of key team researchers

Author                      Program                          Citations in past 5 years    h-index in past 5 years
Liming Zhu                                                   4 271                        35
June Andronick              Trustworthy Systems              1 882                        14
Gernot Heiser               Trustworthy Systems              6 749                        35
Gerwin Klein                Trustworthy Systems              2 976                        20
Rob van Glabbeek            Trustworthy Systems              2 214                        24
Michael Norrish             Trustworthy Systems              2 243                        15
Kevin Elphinstone           Trustworthy Systems              1 985                        12
Carroll Morgan              Trustworthy Systems              1 552                        20
Tony Hosking                Trustworthy Systems              1 641                        14
Yuval Yarom                 Trustworthy Systems              5 867                        25
Surya Nepal                 Distributed Systems Security     5 019                        33
Josef Pieprzyk              Distributed Systems Security     2 696                        24
Seyit Camtepe               Distributed Systems Security     2 071                        21
Shiping Chen                Distributed Systems Security     1 913                        19
Dali Kaafar                 Information Security Privacy     2 982                        31
Brian Anderson              Information Security Privacy     18 540                       52
Eliathamby Ambikairajah     Information Security Privacy     2 576                        23
David Smith                 Information Security Privacy     3 684                        25
Julien Epps                 Information Security Privacy     5 192                        32
Vijay Sivaraman             Information Security Privacy     2 486                        28
Sanjay Jha                  Information Security Privacy     2 962                        27
TOTAL                                                        81 501

Source: The CIE.

This excludes value derived from dissemination of insights through keynote speaking addresses, which have been numerous in the last two years alone (table 2.11).

2.11 Invited keynote and plenary talks (2018–19)

June Andronick
■ FM 2019 keynote
■ SecDev 2019 keynote

Surya Nepal
■ Keynote/Invited Talk, Australasian Conference on Information Security and Privacy (2016-18)
■ Keynote Speaker at the 11th International Conference On Security Of Information and Networks, September 2018, Cardiff University, Cardiff UK
■ Keynote Speaker at the International Workshop on the Internet of Things Cybersecurity and Safety, University of Canterbury, Christchurch, New Zealand, July 2018
■ Keynote Speaker, 5th Cyber Security Symposium, International Hotel, Wagga Wagga, July 2018. Organised by Charles Sturt University, Wagga Wagga, Australia
■ Invited Panel Member, 2nd Industrial Internet 4.0 Summit: Harnessing industry 4.0 to advance Australia's manufacturing sector, 21-22 February 2018, SMC conference and function centre
■ Keynote speaker, ASWEC 2019, Adelaide
■ Keynote Speaker, Singapore Cyber Security R&D Conference 2019 (SG-CRC 2019)

Dali Kaafar
■ Invited Speaker at the Future Data Conference, November 21 2018, Sydney
■ Invited Speaker at GovInnovate, October 9th-11th 2018, Canberra
■ Panelist at the IIT Panel, Sydney, September 26 2018
■ Panelist in the Data61 Live event, Brisbane, September 18-19
■ Panelist at the CIFI Conference, Sydney, September 13th 2018
■ Invited Speaker at the Data Privacy and Protection Conference, September 12th 2018, Sydney
■ Invited Speaker at the Customer Data Privacy and Protection, September 4th-5th, Melbourne
■ Panelist at SINET61, August 1st 2018, Melbourne
■ Panelist at the Australia-Israel Chamber of Commerce event on Cyber security, 2017
■ Plenary Talk at the Optus Data Breach Notification event, 2018
■ Keynote speaker in the WWW Workshop on Computational Methods for CyberSafety (Cybersafety 2017), "Measuring, Characterising and Detecting Fake Social Activity", April 2017, Perth
■ Invited Talk in the Global Summit for Future Networks, "Security and Privacy of the SDN-NFV Data Plane", April 2017, Nanjing
■ Webinar for the AICD (Australian Institute of Company Directors), "Data Privacy: What you need to know about privacy preserving technologies and data sharing", March 2017
■ Invited Talk in the Dagstuhl Seminars series, "Online Privacy in the era of Facebook", Dagstuhl, 2013
■ Plenary Invited Talk at the 26th IEEE Annual Computer Communications Workshop (CCW 2012)
■ Invited Talk at the Cyber Security, Forensics and Cyber-Crime Prevention Colloquium, "Geolocalisation of Botnet Mothership Command & Control Servers", Montreal, October 2011
■ Panelist in the Cyber Security, Forensics and Cyber-Crime Prevention Colloquium, Montreal, 2011
■ Invited Talk at the Workshop on Social Networks Security, "The 10 rules of Inference Techniques from an information security perspective", KAIST, Seoul, 2011
■ Invited Talk at the Forensics Lerti Seminars, "Peer to peer monitoring from your laptop", June 2010
■ Invited seminars at several prestigious institutes, organisations and universities including Concordia University (2010, 2012, 2014), UC Berkeley (2015, 2016), NYU Polytech (2014), UCL (2015, 2016), Huawei Research Centre (2012, 2013), Tsinghua University (2011, 2012, 2014), CMU (2015)

Liming Zhu
■ Panelist, "Risk and Security with blockchain and DLTs", ADC Blockchain Summit, March 2019
■ Invited talk, "Distributed AI and Smart Contract: Implications to global financial stability", at the Financial Stability Board (FSB)'s Financial Innovation Network (FIN) meeting, January 2019, HK
■ Keynote, "Distributed Trust: How Data-Driven Applications, AI and Blockchain is Impacting Service Oriented Computing", ICSOC, November 2018, Hangzhou, China
■ Panelist, "Best in class regulatory initiatives across the globe", Money 20/20, 2018, Hangzhou
■ Panelist, "Industry 4.0 and Cybersecurity", Industry 4.0 Leaders Summit, HK, October 2018
■ Talk and Panelist, "Staying Relevant in the Analytics Age", Data Analytics Seminar 2018
■ Panelist, "Cybersecurity for medical devices", TGA workshop, September 2018
■ Guest of Honour at private luncheon, "How Blockchain can help Industry", Berlin, September 2018
■ Invited talk/Panelist, "Blockchain and Cybersecurity", OECD Blockchain Policy Forum, 2018
■ Panelist, "The Business of Blockchain", USyd Business School Affinity series event, July 2018
■ Keynote, "How automation and artificial intelligence can digitally transform the procurement profession", CIPS, July 2018
■ "Introducing Cyber-Physical Security Industry Frameworks", ASIS breakfast series, May 2018
■ Panelist, "Cyber Resilience: change and adapting as leaders", National Public Sector Managers and Leaders Conference, March 2018
■ Keynote, "Automating Cybersecurity and Compliance", The Australian Cyber, Fraud and Risk Summit, March 2018
■ Expert Witness, parliamentary inquiry on "Growing presence of inauthentic Aboriginal and Torres Strait Islander 'style' art and craft products and merchandise for sale across Australia", 2018
■ Keynote, "Data Economy: the Cornerstone of Smart Business", GMIC + Sydney, December 2017
■ Panelist, "Cybersecurity: is your business prepared for the next unknown threat?", Australia-Israel Chamber of Commerce, November 2017
■ Keynote, "Intersecting fintech and cybersecurity", National Fintech and Cybersecurity Summit, 2017

Source: Tessellate 2019, Appendix C.

Too early to estimate net benefits but the value case is clear

Data61's Cybersecurity programs are still in their infancy, and growing as fast as their staff capacity can sustain. With the PhD scholarships program and upskilling of industry, cybersecurity capacity will grow, and with it, demand from government and industry to improve cybersecurity preparedness across the country.

Data61's Cybersecurity programs are an exemplar of CSIRO research: clear causal links between research excellence and meeting the specific needs of government and industry to address large scale challenges with potentially large scale costs to society and the economy when not addressed well. A case study on the economic value of one of its research groups is showcased in box 2.12.

2.12 Estimated economic returns from Trustworthy Systems

A 2019 research impact evaluation of CSIRO Trustworthy Systems (TS) estimated the triple bottom line impact of TS worldwide, and the benefits provided to Australia by avoiding and minimising the cost of challenges to Trustworthy Systems. Over the 2018-2028 period, it was estimated that TS research generated benefits of between $93.2 million and $275.6 million in net present value terms due to the application of seL4[30] in industry, government and defence, and a reduction in the direct and indirect costs of data breaches in Australia.
This was comprised of:
■ economic benefits from the commercialisation of the Cross Domain Desktop Compositor (CDDC) technology, which builds on seL4’s verified isolation and information security guarantees, worth $8.6 million to $23.6 million in present value terms depending on the level of adoption (from no change in demand through to an increase in domestic and international demand), and
■ reduced costs of data breaches in Australia, worth $84.6 million to $252.0 million in present value terms, depending on the percentage of Australian data breaches assumed to occur in systems that have adopted seL4-enabled software (10, 20 or 30 per cent).
Source: CSIRO 2019a, Understanding the value and real-world impact of the Trustworthy Systems group’s research and technology, Research Impact Evaluation, CSIRO.
30 The seL4 microkernel platform and tools include the CAmkES component platform, which composes system components into separate seL4-enforced protection domains so that a failure or compromise of one component is contained, protecting critical systems from software failures and cyber-attacks.
The rapid growth in demand for cybersecurity expertise, and the substantial research funding leveraged from external partners, point to a research program that is highly valued on multiple fronts, with the capacity to materially improve the resilience of the Australian economy. The logic of the impact creation pathway for Cybersecurity is illustrated in chart 2.13.
2.13 Key outcomes and impacts of Data61’s Cybersecurity program
Outcomes
1 Enhanced quality and quantity of cyber research
2 Enabled collaborations and partnership mechanisms
3 Enhanced data analytics capabilities with simultaneous data protection
3A Discovery begets discovery
4 Cyber and privacy safer technologies and systems
5 Improved international standing and reputation
6 Strategic relationships built that attract future funding and cement a Security Innovation Network
7 Greater cybersecurity awareness and technical capacity
Impacts
Monetary value of Data61 Cybersecurity
■ $27.9 million in client revenue over 3 years for the 3 major cyber groups; with the addition of NISA funding, this gives a cost recovery rate of 178 per cent
■ Income gains for supported PhD scholars in cybersecurity
■ Productivity gains for Australian business and government
■ Dissemination of valued research worth $870k p.a.
Improved research effort
■ Strategic research partnerships and joint research projects across the cybersecurity community
■ Increased investment in cyber research leveraged from external sources
Efficient and effective innovation
■ Insights from shared data
■ Minimising research fragmentation
■ Access to larger datasets for analytics
■ Mission and outcomes focused research tailored to specific partner/client requirements
Improved societal outcomes
■ Safer, more trusting society
■ Increased employment prospects and security
■ More businesses with cybersecurity preparedness
■ Additional exports
■ Better policy
Geo-strategic advantages
■ Improved bilateral and multilateral relations
■ Increased opportunity for trade and capital flows
■ Strengthened institutions to protect national and international security
Improved knowledge of risk exposure, security vulnerabilities and cyber readiness
■ Cybersecurity skills in industry
Productivity gain for government and business
■ Greater adoption of cybersecurity technologies in industry
■ Minimised resources spent on identifying and resolving cyber threats
■ Streamlined and automated processes to improve business efficiency
■ Increased data analytics capabilities as data is more accessible
New technologies and solutions
■ Business systems secured
■ Road maps to identify root causes and solutions
Data source: CIE.
References
Ahmed, M. E., Kwak, I. Y., Huh, J. H., Kim, I., Oh, T. and Kim, H. (2020), ‘Void: A fast and light voice liveness detection system’,
USENIX Security 2020, pp. 2685-2703.
AustCyber (2020), ‘Australia’s Digital Trust Report 2020’, AustCyber, July 2020, accessed 30 July 2020.
Australian Criminal Intelligence Commission (2019), ‘Cybercrime’, Australian Criminal Intelligence Commission, 2019, accessed 3 June 2020.
Australian Cyber Security Centre (2018), ‘ACSC statement on reports of Intel Active Management Technology (AMT) security issue’, Australian Signals Directorate, 2018, accessed 6 June 2020.
Australian Government (2016), Cost-Benefit Analysis: Guidance Note, Department of the Prime Minister and Cabinet, Office of Best Practice Regulation, https://www.pmc.gov.au/sites/default/files/publications/006-Cost-benefit-analysis.pdf.
Bissell, K. and Lasalle, R. (2019), ‘Ninth Annual Cost of Cybercrime Study’, Accenture Security North America, 2019, accessed 4 June 2020.
Bonderud, D. (2015), ‘Eight Crazy Hacks: The Worst and Weirdest Data Breaches of 2015’, Security Intelligence, 2015, https://securityintelligence.com/eight-crazy-hacks-the-worst-and-weirdest-data-breaches-of-2015/, accessed 3 June 2020.
Chelvan, C. (2018), ‘Foreshadowing attacks: cybersecurity researchers save the day’, CSIRO scope, August 2018, accessed 10 August 2020.
CSIRO Data61 (2019), Cyber Security Strategy.
CSIRO (2019a), Understanding the value and real-world impact of the Trustworthy Systems group’s research and technology, Research Impact Evaluation, CSIRO.
Culnane, C., Rubinstein, B. and Teague, V. (2017), ‘Health Data in an Open World’, arXiv (Cornell University), 2017, accessed 6 June 2020.
Davis, D. (2019), ‘Internet of Things Cyber Attacks Grow More Diverse’, Symantec Enterprise Blogs, 2019, accessed 6 June 2020.
Esgin, M. F., Zhao, R. K., Steinfeld, R., Liu, J. K. and Liu, D. (2019a), ‘MatRiCT: Efficient, Scalable and Post-Quantum Blockchain Confidential Transactions Protocol’, ACM Conference on Computer and Communications Security 2019, pp. 567-584 (CORE A*).
Esgin, M. F., Zhao, R. K., Steinfeld, R., Liu, J. K. and Liu, D. (2019c), ‘Lattice-based Zero-Knowledge Proofs: New Techniques for Shorter and Faster Constructions and Applications’, CRYPTO 2019, pp. 115-146 (CORE A*).
Florio, M., Forte, S. and Sirtori, E. (2015), ‘Cost-benefit analysis of the Large Hadron Collider to 2025 and beyond’, arXiv:1507.05638v1, https://arxiv.org/abs/1507.05638.
Forrester Consulting (2019), ‘BIOS Security – The Next Frontier for Endpoint Protection Report’, Dell Technologies, 2019, https://www.dellemc.com/ja-jp/collaterals/unauth/analyst-reports/solutions/dell-bios-security-the-next-frontier-for-endpoint-protection.pdf, accessed 6 June 2020.
Ge, Q., Yarom, Y., Chothia, T. and Heiser, G. (2019), ‘Time Protection: The Missing OS Abstraction’, EuroSys 2019, 1:1-1:17.
IBM Security (2019), ‘IBM Security Cost of a Data Breach Report 2019’, IBM, 2019, https://www.ibm.com/security/data-breach, accessed 5 June 2020.
Ikram, M., Masood, R., Tyson, G., Kaafar, M. A., Loizon, N. and Ensafi, R. (2019), ‘The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading’, Proceedings of the 2019 World Wide Web Conference (WWW ’19) (CORE A*).
Klein, G., Andronick, J., Kuz, I., Murray, T., Heiser, G. and Fernandez, M. (2018), ‘Formally verified software in the real world’, Communications of the ACM, 61:68-77, October 2018.
Lai, S., Patranabis, S., Sakzad, A., Liu, J. K., Mukhopadhyay, D., Steinfeld, R., Sun, S., Liu, D. and Zuo, C. (2019), ‘Result Pattern Hiding Searchable Encryption for Conjunctive Queries’, 25th ACM Conference on Computer and Communications Security (CCS) 2018, pp. 745-762 (CORE A*).
Lyons, A., McLeod, K., Almatary, H. and Heiser, G. (2018), ‘Scheduling-context capabilities: A principled, light-weight OS mechanism for managing time’, EuroSys Conference, Porto, Portugal, April 2018, ACM.
Perrier, V., Asghar, H. J. and Kaafar, D. (2018), ‘Private Continual Release of Real-Valued Data Streams’, Network and Distributed System Security Symposium (NDSS) 2019 (CORE A*).
Schopper, H. (2016), ‘Some remarks concerning the cost/benefit analysis applied to LHC at CERN’, Technological Forecasting and Social Change, http://isidl.com/wp-content/uploads/2017/08/E4668-ISIDL.pdf.
Taylor, R. (2015), ‘Potential Problems with Information Security Risk Assessments’, Information Security Journal: A Global Perspective, vol. 24, pp. 1-8, 2015, accessed 6 June 2020.
Tessellate Communication (2019), ‘Data61 Cybersecurity Industry Development Program: Evaluation Report’, Commercial-in-Confidence, July 2019.
The HACMS project @ Data61, see https://ts.data61.csiro.au//projects/TS/SMACCM
The Office of the Australian Information Commissioner (2018), ‘Notifiable Data Breaches Statistics Report: 1 January to 31 March 2018’, OAIC Notifiable Data Breaches, July 2018, https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-statistics-report-1-january-to-31-march-2018/, accessed 4 June 2020.
U.S. Food & Drug Administration (2017), ‘Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication’, 2017 Safety Communications, 2017, accessed 3 June 2020.
Wu, N., Farokhi, F., Smith, D. and Kaafar, M. A. (2020), ‘The Value of Collaboration in Convex Machine Learning with Differential Privacy’, IEEE Symposium on Security and Privacy, San Francisco, 2020 (CORE A*).