Transcript: Rosemary Sinclair interview on Critical Conversations

E&OE

On 17 December 2024, auDA CEO Rosemary Sinclair AM spoke on the Department of Home Affairs' Cyber and Infrastructure Security Centre podcast, Critical Conversations, with Deputy Secretary Hamish Hansford about auDA’s role operating critical .au domain name system infrastructure.


Hamish Hansford: Welcome back for another episode in Critical Conversations. My name's Hamish Hansford. First of all, I'd just like to acknowledge the traditional custodians and owners of the land on which we all meet today. I'm meeting on the lands of the Ngunnawal people. I'm the Deputy Secretary of Cyber and Infrastructure Security in the Department of Home Affairs, looking at all things critical infrastructure and cyber security. And with me today is Rosemary Sinclair of auDA.

Rosemary, lovely to have you online.

Rosemary Sinclair: Thanks, Hamish. Glad to be here.

Hamish Hansford: Well, Rosemary, you're a pretty successful individual. I might just start by getting listeners to have a bit of a sense about you and your career to date, because you're pretty accomplished and I have read that you've won awards. So why don't we start by you giving us a sense about yourself and your career to date?

Rosemary Sinclair: Great, thanks, Hamish. That's a lovely opportunity and a great way to start the podcast. My career really spans the communications sector. I've had a little foray into the energy sector and higher education and then came into the role at auDA. So I've really been very fortunate to see the whole communications and media technology explosion, really. And when I think about where I've been and when I've been there, it's always been at a time where an industry is about to be fundamentally disrupted. And so my key role has been to bring stakeholders around the table to work with people, to get them to understand what that deep change might mean for them and their sector, and how best to manage it. And of course now we're managing the energy transition for digital transition, and I would say we've got a whole skill set to learn around cyber security. So, fortunately for me, I wound up at auDA just at the very right time of profound and important change, and I was able to make a real contribution to it.

Hamish Hansford: Sounds like it, Rosemary. And you're right, we're going through a whole range of explosions in the digital environment, including artificial intelligence and quantum, and it just seems like the challenges and opportunities are endless. And we've really been thinking about that in our critical infrastructure security month throughout the month of November, really trying to bring visibility to infrastructure across the country and how we can make it much more resilient in the face of some of those digital explosions that you're talking about. At the heart of some of our critical infrastructure in Australia is a really important part. And that of course is the organisation that you represent. Would you like to tell people about what organisation you lead, and what it's all about?

Rosemary Sinclair: Thanks, Hamish. The organisation I lead is called auDA, but people would know us really by the little .au at the end of websites, that people rely on, and email addresses that people use. And our role in Australia's digital economy is to make sure that .au is a trusted domain that Australians and indeed global internet users can have real confidence in. We're what is called a country code top level domain, so .au, .uk, .nz. We're one of those. But in fact, we're the seventh largest country code in the world and we have three responsibilities. The first is to ensure that Australia's .au is stable, reliable, and secure. The second is to administer a licensing framework for .au, which underpins people's confidence in it. And the third is to advocate particularly internationally for a very particular model of how the internet is run. And that is called the multi-stakeholder model.

Hamish Hansford: Wow. It's a pretty big responsibility that you've been leading over the last couple of years, and I kind of think about what would happen if .au didn't exist, and you kind of take a step back and really realise about how many things you would not be able to rely on in your everyday life. Even this podcast, on Cisc.gov.au is one particular example, but everything from banking, right through to some of the services that people rely on every day, it really is a consequential part of our ecosystem as critical infrastructure, isn't it?

Rosemary Sinclair: Absolutely. And one of the interesting metrics that I use when thinking about just how critical, is the number of times people access their mobile phones every day, and generally what they're doing when they're doing that is going to a website or sending or receiving an email that ends in a .au. So if that wasn't there, if that .au service wasn't available securely and reliably, then life as we know it would come to a grinding stop.

The other interesting metric that I have in my head, Hamish, about how important .au is, is what happened during Covid. So I took this role up in the first couple weeks of Covid and I said to the technical team here, have we got enough capacity so that when everyone in Australia moves everything they are doing, online, we'll be there to support them. And we absolutely had and have multiple times the capacity needed to do that. But during that Covid time, we saw 200,000 Australian small businesses that had never seen the need for a website or an email address, jump online. And partially I saw that also as an indicator of the innovation that's possible in the Australian economy, supported by technology. And I think there's going to be more of that, and we have to be ready with our cyber security posture for that degree of change.

Hamish Hansford: We sure do. You're right. I think back to Covid, and we fundamentally changed the way in which we worked. I worked in a place where you were there five days a week and instantly everyone was online trying to engage in a different way and using so much more data at home and engaging with the world online. So you're right, it was a fundamental change. And I guess, was it a pretty exciting time to start as the CEO of auDA, given what you had to face? You probably look back a couple of years after and say yes, but at the time, I'm sure it was pretty daunting.

Rosemary Sinclair: It was a daunting time. It was a time of great uncertainty and complexity, and we were all making decisions on the run, about a much more integrated society, and we were thinking about how to keep our economy afloat. And I remember those terrible pictures of the line of people outside Centrelink offices before the financial support was made available. And it was in that context that when we started to see the registration of the domain names rise very, very quickly. And this was a global pattern that we thought, it's not going to be as bad as it could have been without .au and the online ways of doing things. So it was a real demonstration to me of the power of digital transformation. But that brings with it, Hamish, as you know, from where you sit, so many complexities and challenges that we now have to grapple with.

Hamish Hansford: That's really fascinating that you got such an early insight into the Australian economy and what would happen based on registrations. And I suppose I, like you, I was looking at the lines and wondering how the economy would survive what was going to be a potentially significant period of time for so many Australians that were out of work. But it's kind of fascinating to think that you saw early signs of recovery and adaptability and had potentially much more hope than some other people looking at it from our perspective. So that's really kind of fascinating. I guess the flip side, and you've touched on it, is security and resilience. Can you talk us through what you're doing at auDA, particularly when you saw the volume of increase in domain names? How are you thinking about security?

Rosemary Sinclair: We think about it in many different ways, and I would say the key thing about security at auDA is that it's absolutely embedded in everything we do. And when I'm talking to some of my colleagues in other sectors, I can see that other sectors are on a journey where at the moment, security's a bit of a bolt-on, it's a bit of a new thing, we've got separate incident response plans and risk management plans, and we're writing them and learning them, learning how to operate with them. But at auDA, security is uppermost, starting with our strategy. Our strategy is all about a trusted and secure .au and we've got some very specific actions in the strategy. We then go to our risk framework, and we've taken a very particular approach to security in our risk framework. We're not saying that our objective is to stop cyber threats, because we're not going to be able to do that.

Our whole focus is how we respond to the threats that we know are coming at us every day, really. Then we go from that even to our statement of values, where we say that we have three values, one is contributing, the second is better together, and the third is striving for excellence. So it's a continuous improvement. And the thing that strikes me is that this is all, if you like, governance architecture, Hamish, for a culture of security. Then of course we run into all the discussions about legislation and regulation, and sometimes I worry that some people are overemphasising compliance and not really understanding that what we all need to create is a culture of security in the very same way that we created a culture of sun safety and a culture of road safety. It's as important as those two areas were to Australia in the past. Cyber security is that important and will take that much of effort to make that change over the next five to 10 years.

Hamish Hansford: Sure will. I often get asked the question, how do you tell if a company or an agency in the government is doing a good job on security? And I think you've touched on a really important point about culture, because some of the things you can't measure, although maybe you can, is the vibrancy and discussion that you encounter when you walk into a boardroom or a senior management room and you walk out and you're like, they asked the right questions, they were engaged, they understood the risk. And fundamentally, I think a lot of people talk to me and say, when I try and look at cyber security or security in general, it's very technical and very hard to understand. But actually if you just break it down and ask the right questions and have the culture of being curious and engaging, I think that's such a great way to go. And you can really tell when companies or agencies are doing that. So I really like your perspective on culture.

Rosemary Sinclair: Yeah. And it can be presented as a highly technical area of activity, but if we think about the all hazards approach, then you've got people, you've got physical and natural security or hazards, you've got supply chain hazards, and then of course you've got cyber security and information as a very technical and specialist area. But I look for signs in a really simple way. So for example, with people and physical security, I really look to see if people are paying attention about who's coming through the front door. I look to see how long it takes people to do the monthly training that we do it out, and not only staff, but also board. When we're doing a supply contract, part of our assessment is a security by design assessment. So there are many parts of it that don't require you, Hamish, to speak or think in zeros and ones, that are really about good governance and good process. And I find that that's a good way into this whole area for new people. And then we can add on the very technical information security, cyber security, and there are very well known standards and procedures for managing those elements of our security posture.

Hamish Hansford: There sure is, and I really like that framing, because people often ask, I think, me, where do I start? And I always say, start with a conversation and start asking the right questions. And I suppose you've had such a distinguished career in telecommunications technology, energy education, and so I think you've got a unique perspective about how to manage change in organisations, particularly from an all hazards perspective. So I really value your thoughts in sharing with us how you've been able to do that, in auDA but just your observations generally, because there's a lot of risk out there and a lot of issues to focus on. I guess the question is, where do you start? I've given you my perspective, but what's yours?

Rosemary Sinclair: Well, I start with the fact that our economy and society is very, very integrated, and people understand that. We do research here at auDA each year, Digital Lives of Australians, and one of the other underpinnings in my thinking, Hamish, is that the community knows, the community is well aware of quantum computing and artificial intelligence and robotics and a whole range of things that seem terribly complicated. They're looking forward to the benefits of those technologies, but they are already alive to the challenges and cyber security risks of those technologies. So starting with that awareness is the best place to start.

But the second thing is you have to find things that people can do. And long reams of paper and complicated policies aren't really going to help anybody. It's, what can I do? So the material that's available for small businesses and individuals, step-by-step, passwords, patching, third parties, breaking that down to things that people can understand and do, is the first step of action. And then people feel that they're more in control and they're more open to more complicated conversations. And we really need to be having some quite complicated conversations, particularly with small business. And what we see here when we're looking at DNS abuse cases is that out-of-date software or old software on old websites is a key vulnerability. So there needs to be targeted campaigns that support people to deal with those particular issues. But in answer to your question, starting the conversation, I think I'm saying continuing the conversation, and I would say over a long time. It's going to be a big effort over a long time.

Hamish Hansford: Sure is. And I guess we were looking at your Annual Report the other day, and I really liked the theme because it picks up on starting and then continuing a conversation, but actually working with others, as well. And the key theme for the report is, "Shaping .au: A multi-stakeholder approach." So can you talk us through why that theme was chosen, and how does that really underpin the work to benefit internet users globally?

Rosemary Sinclair: The multi-stakeholder approach has been a key underpinning to the development of the internet. And of course, we all know that the internet has just unlocked so much innovation and economic growth and social connection that it's worth protecting. At the moment, there's a very big discussion going on globally, where some would say the internet should be run by governments.

And we're saying no, the multi-stakeholder approach has been the best way to run the internet and it is the best way to continue to run the internet. So that's why we focused on multi-stakeholder approach, this year. What the multi-stakeholder approach means is that voices around the table are equal voices and the process is an open, transparent process, not one where people put in submissions and then we're not quite sure what happens to those submissions, a draft comes out and then we respond to the draft. So, multi-stakeholder approaches are characterised by very high degrees of accountability and transparency. Sometimes that means delay, and so speed being of the essence these days, it's very important that the multi-stakeholder model evolves and doesn't stay where it has been for 25 years. But that's the reason that we put emphasis on it in that Annual Report. And then when I saw the [Australian Signals Directorate's] Annual Cyber Threat Report come out with its emphasis on geopolitics and state actors and criminal actors, in fact, I really felt that our emphasis on the multi-stakeholder approach this year was very well placed.

Hamish Hansford: Very well timed, as well. And I think that approach really does lend itself to having outcomes that everyone supports, that are really embedded in co-design and collaboration. So that's fantastic to see. And in April this year, auDA put out a really interesting report about future scenarios, really looking at what the internet might look like, 20 years from now. So I thought we'd end the podcast by exploring into the future, and for you to give us a sense about how organisations can use the report about what the future of the internet might look like, 20 years from now, and what we might be able to picture.

Rosemary Sinclair: Happy to do that, and grateful, Hamish, for the opportunity to spread the word about the Future Scenarios Project Report. It's available on the auDA website and we've put it there as a public resource for anyone who's thinking about the future of technology broadly in their organisation. We really want people to use this report in their own context to challenge their own thinking, and that's why we did it, to challenge our thinking so that we can be sure to be running .au in the best possible way for Australians.

So we spent nine months talking with experts around the globe, including some of the people who were there at the very beginning of the internet, and we asked them to cast their minds forward to 2044 and talk to us about the world that they saw in 2044. And we came up with three scenarios, and their titles are, State of Alert, which is all about security and surveillance. Secondly, Ecological Civilisation, which is all about everybody coming together on a mission, which is to save the planet. And the third is called The Price is Right, which is about the use of corporations and corporate structures to deliver all sorts of services across the board; health, education, defence, you name it, a corporation is delivering it.

And what the scenarios do is describe how technologies might be evolving in these three scenarios. And if I just give two examples, perhaps, one from Ecological Civilisation, for example, we say that this scenario demonstrates inexpensive miniaturised procedures and storage devices embedded in individual items at the point of origin, and that's to improve the granularity of emissions and carbon footprint information. But what that does is describe a much more complex, much more decentralised network, the security of which is going to be much more challenging than anything we have dealt with at the moment. If you can imagine that degree of dispersion and decentralisation, we've got, I think 11 critical infrastructure sectors at the moment. Now we're saying everything's connected. It's quite a different quantum of challenge, Hamish.

Hamish Hansford: It sure will, and you can see what benefits that will bring society. But then coming from the security perspective, you can see what the challenges and vulnerabilities may well be into the future. So I think it's fantastic you've actually thought about 20 years from now, so that everyone can start preparing and planning, how do we start to secure our systems and networks and how do we operate in a much more different environment into the future. So that's going to be fascinating for people who haven't read it, to pick it up and have a read.

Rosemary Sinclair: It's really an interesting challenge. We're going to be using technology for productivity and prosperity and social connection. And the more we do that, the greater the challenge of how to balance those marvellous outcomes with the security that we need for people to feel really confident in their online lives. We just don't think at the beginning of building this skill set, and we need to be ambitious and patient, Hamish, as we do the work that we need to do, to have a secure and prosperous Australia.

Hamish Hansford: Sure do. And over the last couple of years, you've done such a fantastic job at auDA as the CEO, so I just wanted to end the podcast by, first of all, saying thank you for everything, including your thought leadership on the Future Scenarios Report, and for your engagement, particularly with the Australian Government. I've seen us collaborate over the last couple of years and seen both auDA grow, but also the critical infrastructure mission that we've been on for the last couple of years, grow as well. So I just wanted to end by saying thank you for your service, and as we transition to Bruce, I'm sure he'll do a fantastic job too, but you have been such an excellent CEO of auDA, such a great collaborator and one of the reasons why we chose you to be on this podcast today. So maybe I'll just pass over to you, Rosemary, for any final words, and we'll close out our time together today.

Rosemary Sinclair: Thank you, Hamish, for the opportunity and for those kind words. The thing that really motivates me is interesting work that is important to the Australian community, and my time at auDA, particularly at the time that I've been at auDA, through Covid, through the cyber security challenges, building our response has really been such an important combination for me personally of interesting and important work. I've really been delighted to make a contribution, and I'll be keeping an eye on auDA and Dr. Bruce Tonkin, who is the incoming CEO, and of course, you and your team, Hamish.

Hamish Hansford: I'm sure you will. And we look forward to seeing what you do next and for you to keep a careful eye on our work. So Rosemary, thanks so much for your time, and for everyone listening, stay safe and be well.
