Based on Lockstep’s submission on the 2023-2030 Australian Cyber Security Strategy.
The Australian government believes we could be the “most cyber secure nation in the world” by 2030.
I know many of my cyber security peers think this is loose talk, but I think it can be done. At Lockstep we believe that national data protection infostructure is well within reach.
Australia could deploy public-private networks within just a year or two for presenting and verifying known-good personal data, to make citizens and businesses alike immune to the prevalent forms of cyber-crime. Infostructure leveraging mature mobile wallet technology and two-sided business networks would have greater reach and socio-economic potential than any other cybersecurity uplift currently on the agenda, and yet it is amongst the more achievable objectives within the 2030 timeframe.
This blog condenses Lockstep’s submission to the Department of Home Affairs’ public consultation on the Cyber Security Strategy 2023-2030, which the government recently published.
The importance of data
The central role of data in future economies is obvious.
David Tudehope (CEO, Macquarie Telecom) writing for the Australian Strategic Policy Institute (ASPI) in July 2021 stated that “data is effectively the economy’s critical infrastructure”.
Data is itself now a utility as important as energy, food supply chains or transportation. And yet it remains precarious. Data is manipulated by bad actors at a scale unimaginable only 10 years ago, resulting in harms ranging from theft and fraud at unprecedented levels, through infrastructure disruption, to distortion of national elections.
All identity fraud—and perhaps all cybercrime—is actually about bad data.
Data is so critical now, it merits infostructural security so that the economic users of data can be confident where it has come from and what it is intended to be used for. By infostructure we mean organised systems of standards, rules, technologies and governance processes that together protect data as a utility.
To protect data systemically, we must start at the source(s). Government is trusted for so much of our core data, through critical resources such as birth and name change registers, citizenship and immigration records, driver licensing and electoral rolls.
If the mission of government is to both protect and serve the citizenry, then when it comes to data, the most basic role for government could be to make official data available to those who need it, in the most reliable possible way.
A solved problem
Data resilience is a solved problem in payments.
Citizens should have the means to present verifiable facts about themselves as easily and as safely as they present their payment details when shopping online.
That transformation alone would do more to undercut organised identity crime than any other proposal we’ve seen. And it’s already underway.
Mobile wallets literally don’t make sense on their own
Mobile wallets are a reality in payments and are being extended to hold all manner of digital credentials. The industry standard technology is known as “verifiable credentials”; multiple Australian public service agencies are well advanced in implementing verifiable credentials solutions.
State and federal Ministers have recently highlighted the potential for a range of government credentials to be digitised and held in a choice of wallets. This is great progress and sets the stage for national infostructure.
And yet a subtle point about interoperability goes unnoticed in the enthusiasm for mobile wallets. Digital credentials only work when the intended receivers know what to do with them and have arrangements in place for their software to recognise and accept approved credentials.
What makes credit cards acceptable?
The criticality of acceptance networks is readily appreciated if you think about using your credit card. You can only use your branded card at merchants who have made arrangements with the particular card brand to accept it.
When a merchant decides to accept credit card payments, they sign on with a chosen card scheme and install terminals and/or e-commerce gateway software to process customer account details. Customers’ cards are useless without these arrangements on the merchant side. It doesn’t matter what sort of digital wallet you might use: it is the merchant’s set-up that determines which cards you can use to go shopping.
Therefore, Australian governments need to consider more than legislation when rolling out digital credentials. Online retailers (actually, their software providers) have a major challenge ahead in working out which proofs of age are officially endorsed (or perhaps mandated).
Verifiable credentials are a powerful tool, but they do not verify themselves. Wallet technology is necessary but not sufficient for interoperable verifiable credentials. To be legible, wallets must go hand in hand with infostructure for (a) approving issuers before credentials are loaded into a wallet, and (b) processing credentials when they are presented to the parties that depend upon them.
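As an added illustration of why credentials do not verify themselves (example code, not Lockstep’s design or any agency’s implementation): a relying party checks a presented credential against its registry of approved issuers, so a correctly signed credential from an issuer it has no arrangement with is rejected just as firmly as a forged one. The Credential shape, the issuer names and the sample claim are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a minimal stand-in for a verifiable credential: issuer id, claims, signature.
type Credential struct {
	Issuer    string
	Claims    map[string]string
	Signature []byte
}
// TrustRegistry holds the relying party's approved issuers and their public keys.
type TrustRegistry map[string]ed25519.PublicKey
var ErrUnknownIssuer = errors.New("issuer not in trust registry")
var ErrBadSignature = errors.New("signature does not verify")
// payload is the canonical byte string that is signed (json.Marshal sorts map keys).
func payload(issuer string, claims map[string]string) []byte {
	b, _ := json.Marshal([]interface{}{issuer, claims})
	return b
}
// Issue signs the claims with the issuer's private key.
func Issue(issuer string, priv ed25519.PrivateKey, claims map[string]string) Credential {
	return Credential{issuer, claims, ed25519.Sign(priv, payload(issuer, claims))}
}
// Verify accepts a credential only if its issuer is approved AND its signature checks under the registered key.
func (r TrustRegistry) Verify(c Credential) error {
	pub, ok := r[c.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, payload(c.Issuer, c.Claims), c.Signature) {
		return ErrBadSignature
	}
	return nil
}
func main() {
	// Constructed sample keys and issuer names; not any real agency's.
	approvedPub, approvedPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := TrustRegistry{"issuer:example-health-agency": approvedPub}
	claims := map[string]string{"medicare_number": "PLACEHOLDER"}
	fmt.Println(reg.Verify(Issue("issuer:example-health-agency", approvedPriv, claims)), // <nil>
		reg.Verify(Issue("issuer:example-health-agency", otherPriv, claims)), // bad signature
		reg.Verify(Issue("issuer:unapproved-party", otherPriv, claims)))      // unknown issuer
}
```

The registry is the part a wallet cannot supply on its own: who maintains it and how issuers get onto it is the infostructure question the text raises.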
What would a cyber secure country look like?
A cyber secure nation will treat data as an asset, as important as clean drinking water or stable electricity supply.
Lockstep suggests that a cyber secure nation would feature widespread, uniform, digitally secure data handling.
State governments wish for digitised qualifications and licences to be interoperable nation-wide, but employers and training organisations (and software vendors too) cannot be left on their own to make separate arrangements for digital credentials to be processed online. We risk losing the economic dividends of digital transformation in a rat’s nest of bilateral administrative decisions.
A cyber secure nation will no longer tolerate ad hoc point-to-point data connections and unverified data flows—just as it is illegal to make unlicensed electricity and gas connections. Instead, a cyber secure nation would build public platforms that bring data issuers and data users together under transparent rules and regulations.
An action plan
Lockstep’s Cyber Security Strategy submission goes into more detail about short-to-medium term actions, including:
- Continue the transformation to digital wallets in citizen service delivery.
- Appreciate that wallets and verifiable credentials do not work at scale without underpinning infostructure that makes the meaning of all data machine-readable, clear, and dependable.
- Infostructure in general is core business to government and a safe place to act. Examples include telecommunications networks, Medicare and PBS payments, e-passports, electronic conveyancing, and the NBN.
- Private-public partnerships can build and operate the new data protection infostructure, incrementally.
- Nearly immediate options to “Click to Prove” official data, beginning perhaps with Medicare numbers.
- Services Australia could develop an API and web service for any other organisation to ingest and verify Medicare numbers from mobile wallets. Healthcare providers could invite their patients to “Click to prove” their details digitally. Verifiable patient Medicare numbers are one way to curb common and costly forms of provider fraud.
- Such APIs and web services could then be expanded (while driver licences and the like are rolled out to verifiable credential wallets) and made available to any AML-governed entity for digital identification in account opening.
Lockstep has gone further to model a two-sided network architecture for verified data distribution. You can follow our work here on the Data Verification Platform.