Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and today I have the privilege to sit down with a longtime friend and colleague, Ambassador Tobias Feakin. Dr. Feakin served as Australia's inaugural Ambassador for Cyber affairs and critical technologies and has been a
longtime proponent of cyber issues for as long as we've been working together. So, really excited to have Ambassador Feakin visiting from down under and look forward to today's discussion. Toby, thank you so much for joining us today. Absolute pleasure, Frank. So I thought we should start with the discussion around the threat environment in the region. And Australia's taken a number of steps. You, you were a big proponent of a number of
the steps that they've taken. Can't have a discussion without bringing up China in the region. But tell me how you sort of saw the threat picture, that threat environment, and how it changed when you were in that role as ambassador. Yeah, it's a
really good question. And something that Australia continually has to balance is this kind of multifaceted relationship with China, which is not telling anyone. They don't know, but it's balancing the economic ties that you have with such a behemoth in the Asia Pacific and globally economically, alongside a growing understanding of security risk. Okay. It's almost like the. The age old concerns that any leadership or senior official has to guide their country through.
How do you balance those and come out somewhere in the sweet spot in the middle? And I would say, you know, during my time in the ambassador role, I certainly arrived in government, and I would say the period between 2016 through 2022, I would say, you know, you could term it the security first policy. In many respects, it was the understanding that maybe the balance had been tipped a bit too far in favor of the economic side and that a lot of our security architecture was
perhaps undercooked. And part of that realization was really recognizing the cyber threat from China and vocalizing that to the public, making a broader awareness of what that threat looked like, how it manifested, and making that quite public, which was very new. And there was a lot of nervousness at the time about the idea that you would talk
more openly about cyber adversaries, whoever they were, but especially China. And it took a while, but we did get to the point of being able to publicly attribute a set of activities to China. And it was the cloud hopper incident, which, you know, for the nerdy ones who are listening here, I'm sure There's a few. Yeah. And
obviously you'd remember it, Frank. That was the first time that Australia come out publicly and said things about China and how their Ministry of State Security were operating in cyberspace. So. Sorry. No, no. So I. I'd be curious. I. It's good to see
public acknowledgment. Why was that important? Well, simply, first and foremost, the fact that it
had never been done. Yeah. And, you know, don't underestimate the bravery of a government system to be able to put things on the record. You know, often a lot of what happens in government goes on quietly behind the scenes and there's so much of it that the public will never, ever see. But the sense that this was a significant enough threat to broader businesses and the public was important in making sure that they were bought into that conversation. So not least of all to raise awareness,
but also to protect your critical infrastructure, your businesses. Because at that point we'd got much better at sharing threat intelligence and threat signatures. And that in of itself was no small step because we were converting incredibly classified material. You know, you would get stuff landing on your desk which had all sorts of weird and wonderful code words on. It, sometimes from allies, right? Yeah, absolutely. And you'd sit there scratching your head,
thinking there's something really important that industry need to know here. How do you strip out the material that would make it that classified and make sure that this is actionable from wherever you are in society. So part of that is being able to vocalize what the threat is so others can defend themselves better. And therefore, as a
nation, you're much better defended. So that was clearly part of that security first approach that was starting to take place, or did take place for a majority of the time that I. Was in the role and clearly significant from an op tempo and
threat perspective, or we would still be keeping this pretty quiet in the security service world, right? Yeah, absolutely. And if anything, to rush forward to very recent events, it
struck me, you know, I was outside of government at this time and you see the way that the Vault Typhoon issue has kind of sent shockwaves and it should do. I mean, I mean, I say that and so many incidents, I sit there thinking, yeah, this will really change the game. Everyone's going to suddenly up the bar of what they're doing in cybersecurity. And so often I'm left a bit disappointed because
it doesn't seem to resonate strong enough. But Volt Typhoon, again, the idea that you would be publicly talking about pre positioning on critical infrastructure assets by another nation state. I mean I raised my eyebrows because that is really quite significant issues you're talking about there. That's the real danger zone. Right. And so for me that shows how adventurous, if you like, China has become in what it's prepared for. Calculated. Calculated, absolutely.
Yeah. And we'll pull the thread on Vol Typhoon in a second. But I also
want to sort of get a sense of regionally and more often you see reports coming out with the seals of our five eyes partners, but also increasingly South Korea, Japan and others. And I'd be curious, where did some of your regional partners and how critical was that in your role as ambassador to bring regional partners on board and the like? It was an absolute fundamental part of the job was bouncing around
the Asia Pacific, engaging with partners to talk to them about what their issues were, what the threat environment was as far as they saw it and as far as possible share information about what we were seeing. And that was super important to build awareness and then to see were there ways that we could assist in upskilling, in upgrading cybersecurity. There's nothing more powerful than a regional partner being able to see for
themselves with their own capability what's going on on their network. And that tied in very heavily to the kinds of capacity building work that we would do in the region. It was all about trying to create helping country create capability and visibility of what's going on because that informs strategic decision making beyond the cyber domain. Right. And the bigger game, if you like, that that's going on out there. So it's vice
all trust, right. At the end of the day, a lot of technical and technological elements and components, but if you lack trust, it's all kind of moot and irrelevant. Right? 100%. And I would say a part of that security first approach during 2016
was absolutely reaching out to partners and just raising awareness as to what was going on from our point of view and what was going on domestically in Australia and trying to find out what was going on with partners. And what I would say has happened now as we, you know, in 2024, you see a much better awareness of what's going on on domestic networks around the Asia Pacific and understanding more clearly of what that threat looks like, how it manifests. And I say there's still a
bit of a journey to go on in terms of responses. But you mentioned it. I mean one of the really fant fantastic things that's happened recently is the APT40 attribution led by Australia, but joined by South Korea and Japan. Now, my memory from when I initially started working on trying to bring this broader partnership approach to vocalizing the threat in the region was a distinct nervousness from countries like that. It was
not the way of doing business. And understandably Australia too was going through that until
they did lean forward. Right? We did, absolutely. And still remember the nervousness at the
time of when we did that. But it was an important step to take and it's great to see partners doing that. And I think a really important aspect of that attribution and this gets into the wheeze. But again, we've got some nerdy folk who will be digging into the weeze of this. Right. Which is great. It's good.
Embrace your nerbdom, everyone. It's the best way. The only way is when you look at the attribution, it was done through intelligence channels, which is a slight shift from the way that attributions were done during my time, which was much more through foreign ministries. Foreign ministry is still playing a clear role, but it was done through distinct technical detail. And that means that those linkages now are much more shored up between
agencies in our region. And it means that there's a more fluid information flow which can only be super helpful again in creating awareness, building trust. To your point, Frank, which is especially vital when you're into the very secret world. And that means, I think, that you will only see more confidence going forward for other countries in the region to join attributions to say what they're seeing within their own networks and not
to. Call out laggards, but who do you think did it Right, in terms of
regional part and capacity building programs and who maybe needs a little bit of work?
Do you mean in particular countries who is doing well? Or do you mean which country is. Providing the best support, not providing the best support in the region? I'm
talking about. Well, I mean, one thing to say about the region is it's really
important as a broader framing statement that economics. Play a big role in. Right, exactly. And you're dealing with a region where you have some of the least connected and economically underprivileged countries almost in the world. Right. But then you're also dealing on the other hand, with some of the most sophisticated, highly connected, highly technological advanced countries anywhere on the planet. And that does create a bit of a kind of. Yeah, challenge.
Absolutely. How do you frame that? And it does create this kind of winners and losers scenario. And it creates complexity because you do have China playing very distinctly in there with the price point Argument of, you. Know, and we're going to get the
supply chain. Oh yeah, great. I'm really glad about that. I was hoping we would.
So that's what you're in the game with. You've seen some fast movers who I would say. Let me talk more about that middle ground. Okay. The guys who are moving fast. I think you've seen some really helpful upshifting capability from countries like Indonesia, Malaysia, Thailand and you see the models that they're following and in many respects it's been close observers and watchers of what countries like the US have been done doing.
Models like cisa, like Australian, Australian Cybersecurity center, ncsc. And they're starting to copy that model. They see it as a valid, useful way of upskilling their own capability for government. And so for me, they're starting to move strongly one area which is still, if you like, a weak spot and requires ever more of our attention. I spent a lot of time in the Pacific Islands and you know, part of their journey
is to become ever more connected for their economic well being. But you know, that does bring an awful lot of nasties with it. And that was something we were trying to manage. You know, we, we were building and going into the infrastructure piece. You know, we, we built the Coral Sea cable which was linking up Pacific islands.
You're now seeing a vast array of new CA projects coming in through the Pacific and it's great to see that it's in partnership with other governments, with industry partners. So glad to see that. But again, it requires, if you like, that risk management piece which is better cyber security delivered with that increased connectivity. I'm actually glad you
brought up undersea cables. I wasn't planning on going here, but the reality is kinetic attacks on cyber infrastructure, cyber attacks on physical infrastructure that can have a physical and kinetic outcome. We need to start thinking about this much more holistically. Right. So it's not just the zeros and ones and the geeks that we all love and embrace, but it's also physical. And undersea is a tough challenge. Yes, 100%. And I think
it's always an interesting leap of imagination. You know, you go down the pub or. Well, you don't have to go to the pub restaurant. They're in the US too. Yeah, exactly. But you know, the family meal with dinner time, obviously you're going to talk about the Internet. I guarantee you a lot of people would struggle to name the physical infrastructure that underpins it. It's all the Internet. Oh, cloud, you know, kind
of look upwards and imagine where this mystical thing is coming from. And if you ask me one thing that concerns me, if you like the weakest link in, in the actual physical infrastructure that puts this together, it is the undersea cabling. You and me both, and countries. But we, we will. Wow, we're going to go everywhere. I love this, Frank, let's keep it rolling. But for me that's difficult because you are
then very directly into the physical world. It's carrying an extortionate amount of the traffic, a majority of the world's Internet traffic and data and countries have developed distinct capabilities to be able to tap into that. And not least of all, you know, the fact that these cables can be disrupted by natural, natural causes as well. So for me that's a huge risk point and we need more redundancy in terms of cabling
and how that is dealt, how it's monitored. So you brought up earlier Volt Typhoon
and I think when you think about some of the undersea and you sort of mentioned tapping, it's understandable for espionage purposes. Volt Typhoon had zero espionage value. At least what we're seeing right now, it did from an intelligence preparation of the battlefield, but not from an economic or even stealing military secrets. It's pre positioning. Do you think that that opened up new eyes in Australia and elsewhere or were they already well
versed in this and they're like, duh, we knew this was gonna happen. What's your thinking right now? I would say from my time in government, pre positioning was a
conversation that we would have in government, but as I said, it was in very much darkened rooms and highly classified conversations. So I absolutely won't go there in terms
of what we were talking about. But when you see the outing of that the US government was brave enough to put out there in public, it absolutely should concern not just other governments, but it should concern industry because they are the guys, as we well know, who own, operate a majority of infrastructure and they need to know clearly that's the level of threat they're dealing with. You know, we used to talk a lot about SCADA systems, how open they were to Internet facing networks and they
still are. Absolutely. You know, you feel like there's been a bit of a shift in terms of attention on that and securing that weak link in the chain. But when you magnify that to the level, you know, that's the A team that you're sending after to pre position. You're trying to place malicious malware on a network without it being seen or observed. So you're sending your A team to do that. That's not the kind of cowboys in the back room. And so industry need to understand
that that is what they're dealing with in that sector. And I think other countries should be clear eyed in when you're dealing with pre positioning, as you said, Frank, you know, that's there for just in case scenarios. You don't want to be caught, they're not looking to be caught out. But it's there for as and when you get into that horrific God forbid scenario of, you know, on the cusp of warfare.
Because that's where you're getting to if you're attacking directly another country's infrastructure. You know, that's why many diplomats spent so long at the UN talking about critical infrastructure being out of bounds. It's for that exact reason because if you attack another country's infrastructure you get very directly into absolutely international law and what that means for declaration and, and I'm not trying to. A bit of a gray area, isn't it? Absolutely. And
there's still tremendous amount of work to do that for countries. So you brought up
Taiwan. I'm not going to ask you to be a gambler here, but how do you see that playing out? You mean more from a conventional point of view? I
mean I'd certainly say Taiwan gets everything thrown at it. It's often referred to, you know, like Ukraine was always the testing ground for anything cyber malicious that Russia could come up with. They would be testing out that same thing for Taiwan. It's, you know, for years now they've been dealing with sorts of cyber incidents of, you know,
misinformation, disinformation, interference. And I got to see a real kind of firsthand view of that on my visits there, which was eye opening, especially when you think how long ago that actually was now. So it was instructional for me in understanding what that environment looked like. You're talking about I guess, the kind of again, God forbid scenario
of an. Invasion of one sort or another, whether physical or otherwise. Well, I mean it's certainly come to everyone's clear attention now how central Taiwan is to, if you like economy. Well, to our economy, to our technology supply chain, to absolute high end chipsets and the unbelievable, if you like, focus of production that is taking place in that country and on that island. I mean it's been. Which cannot be replicated overnight.
So I am a big proponent of onshoring certain capabilities, but it takes time. It
does take time. But I also think here that the whole Approach from the US on the semiconductor front has been one of the most successful supply chain policies at very least since the end of the Cold War, even maybe before. And that's a strong statement. To me, that is a strong statement. If you look at the shifts that that has made in two years, the sheer amounts of money that have been
invested, but also what that has enabled over two years, it's absolutely phenomenal. When you study where the new centers of gravity are appearing, okay, some of the players are still the likely suspects, the TSMCs, the Samsungs, and we're always going to friendship. That's
actually healthy. Exactly. But it's leading to new investments of large sums of money into
parts of the region that I'm in. In Malaysia, you know, you're seeing new plants established in India and also it's on shoring back into the US market. You know, the US market share in high end chips, it was less than 10% at the beginning of that process. It's now over 10%. And you'll be looking at, I think around 20, 30. You should be up to around 30 plus percent of that. That is phenomenal shift in a market in a very short space of time. So I
think that's been successful. But what's important there is that there's not complacency about creating that air gap. You know, I would predict there's about a five year gap of leadership in that space. You can't afford complacency. If you've created that gap and spent the money, time and effort to create that strategic advantage in a technology space, you then need to capitalize on it equally as fast. Otherwise be prepared for the Chinese
innovation system to work overtime. You know, what do they say? Invention is the mother, necessity is the mother of invention. Right. And certainly you will see their innovation cycle rapidly increase around the restrictions that have been placed on it. And there is some
hubris, I would argue still even in the United States that China are all imitators. They're innovating. They're innovating pretty fast, are they not? Yeah, absolutely. And I think your
point is exactly right, Frank. If you remember, because we're of a certain age and we've known each other this long, these kinds of assessments, you know, if you look back to the early 2010s and some of, I think the quite lazy analysis that was being done on China cyber IP theft, it was along the lines of, well, the hoovering up data. But let's face it, they're not going to know what to do and innovate around that data. I think we've been proven incredibly wrong on that
assessment. Right. And the danger is, is that you could fall into that gap again of saying, haven't we done well? We spent a lot of money, we've created this advantage. Let's have a breather here. But unfortunately, where we find ourselves now in this technological convergence moment of this array of emerging technologies, quantum cyber gaming. We'Re going to
go there. AI thanks, Frank. We'll keep moving on this. But if you look at
that tech convergence, you cannot afford to sit still for one second because it's all moving at such a fast rate that even the developers themselves have no idea where this journey's ending up. But what we do know is from a state perspective, you must be leading the development of those technologies to the final end product. Because if you do, you're at the front of the global power structures of the 21st century. And so it is a race and we need to get there first. And it
has very significant consequences beyond just national interests. Also autocratic, democratic. And I do want to get into that discussion, but before we jump there, my philosophy on that is, is either jump on the bus or you're going to be run over by that bus. It's as simple as that. But before we go to some of the major
geopolitical and technological sets of issues, let's talk supply chain for one second. So I still am under the impression that we don't have full visibility into our supply chains. We all know the big ones, the Huawei's, the, the ZTEs, and clearly some of those sorts of major companies hikvision when it comes to all sorts of cameras and the like. But what has Australia done there to try to get visibility? Do most executives of the equivalent of the Fortune 500 in Australia, are they aware? So to
some degree, did they tell. You, like every time we have a solar winds, it's
almost as if do we even have it in our systems? And I feel like I've seen this movie over and over and over. But it is harder than it because it's multiple layers of supply that you have to go down to. But I,
I think it's a, it's a great question to ask and I think it is one of the zeitgeists of the moment is do you really understand your supply chain? I mean, it feels like we've been talking about supply chain for a long time. A long time. But unfortunately some of these messages take even longer to embed themselves into corporate behaviors and understandings so in reference to Australian industry, it's variable and I
would imagine it's very true also in the US system. But one of the reasons that I think, you know, governments have begun to grow tired of that patchwork quilt of accepting risk. So you are in regulations that are unsteady in that. Right. We need to harmonize to a degree. And I think, I'm not convinced that we will get to a harmonization point because what you are seeing right now, it might come
further down the line. But what's happening right now are that governments are becoming far more interventionless with the policies they take, far more direct in the spend that they will create in R and D. You know, we've just been talking about it in the semiconductor sense in Australia. We've just invested a billion dollars in a quantum computing
facility in Brisbane. But also in terms of the directness of intervention into the market, it used to be, if you sat in a Western country, you would say market forces will create efficiencies, they'll understand risk because it's a hit on the bottom line. No, it's not happened to the degree. And you're seeing that governments now are intervening much more directly. We wouldn't have talked about an issue like, we wouldn't have used
a term like data sovereignty five years ago. Now it's a commonplace part of the lexicon of any Western government. I mean, I spent a disproportionate amount of my time fighting that language at the UN and various other bodies. I mean, honestly. And now we're here and fair enough, you know, that's the path that governments are taking. It's about on shoring of data. It's about sovereignty and ownership of technology. And that comes
directly to your supply chain question. And my senses is that the market is still not quite there where it needs to be. And understanding the entirety of not just your, you know, immediate suppliers, but their suppliers and their suppliers suppliers, because that's expensive and takes a long time for companies to do so. Not every company is willing to go to that degree. Some are and they're fantastic at it. And you know,
thank goodness for those companies. But there need to be more who are going to be diligent in that space. And even those that are diligent, it's tough, right, unless
they have some support from our government and from that in particular from entities that actually could provide the intelligence and information. And let's face it, you know, if we
go back to that market forces piece, if it's going to be financially worth their time as well. And it does come down to a bit of market economics as well. And so if a board, and you know, this is where I work a lot now, if a board decide that, you know, the financial risk and the reputational risk isn't worth their while, well, that's where I would like to be implanted to
help them understand that. Right. And talk them through what that means from a reputational point of view from, you know, not only with their customers but with the government that they're working with. What about critical infrastructure? I think port, when I think of
Australia, ports, rail, so critical to the economy, to shipping and everything else. Are they
there, getting there? Much, much better than they were for, for us in Australia, we had a couple of canary in the coal mine moments, I'm sure, and we're probably thinking about the same ones. There was a Darwin up in the north that had a rather large Chinese contract signed up which was in a very sensitive area of the world. And that was the beginning of the wake up call. But the real hammer, if you like the hammer blow, was around 5G decisions where Australia made the
world's first decision of not allowing high risk vendors into their new infrast builds. And you know, that ethos has continued in Australia in making much more rigorous assessments of not only where does the equipment come from, but where does the money flow from and in that sense, where do the people come from and understanding that mix around
very sensitive areas of infrastructure build. And I think, you know, the next, if you like, area of concern is around areas that China is innovating so wonderfully well around, which is electric vehicles. Right, right. You know, the boom in the Chinese electrical vehicle market creates a very similar problem set. Absolutely. You have cars that are unbelievably connected to the Internet for many of their safety features, but also for many features that
are kind of questionable for why you would need those data pieces. And then the same risk assessment needs to be gone through as are you comfortable as a nation with that kind of risk of data from onshore being piped backed to the country of origin and then the legislative means that are applied to that data in the country. Of origin and whether those countries are required by law, even if the company
didn't want to do so, to turn that information over to their security services? And we're talking about the same country. Absolutely, absolutely. And I find it fascinating looking at
the EU at the moment when they've set themselves hugely ambitious climate targets and a big component of that is around electrical vehicles and the Key player there are the Chinese electric vehicle firms. And how does that rub up against some of the quite stringent measures that you take? Yeah, exactly. And it's this constant balance that you have to make when you're in the government hot seat. How do you weigh up which
area, if you like, gets priority over a period of time? Because I would suggest that where Australia has moved now is more the kind of guarded engagement piece. That's how I describe it from 22 onwards, which is rebalancing, balancing a bit, if you like, the economic piece with China, and again, rightly so, very justified changing some of the, especially the international rhetoric around China, but whilst also trying to push forward with
reviews and understanding of supply chain and some of the issues. Like around electric vehicles, for example. Yeah, if you saw more transparency in business practices in all of that
and how that information can be used and not used, I think that would be fair game. Right. Then they're, they're, then they're just innovating. You absolutely nailed it with
that term, transparency. Because if, if a provider can genuinely give you that, whereas whether it's the consumer of technology and other services, if they can provide transparency about their supply chain, fantastic. But also the providers of this technology, if they can give you true transparency about how the data is used, where it goes, what access controls there are, then it's fair game. Yeah, you can satisfy the requirements on all sides, but
that just frankly doesn't. Exist exist right now. And this may be a silly question
and I should know the answer, but I don't remember. Does Australia have an equivalent of CFIUS, the Committee for Foreign Intelligence, Foreign Investment in the U.S. do you have a. Similar law, Never apologize for what you might feel is a silly question? I
find they're the best questions. We absolutely do. We established a financial review board, the ferb, which didn't have a national security component initially, but. But then did, and this was back in 2017 that that happened alongside a whole raft of other legislations during that, you know, phase that was talking about the security first piece and that really revolutionized the way that industry had to look at money flows. And that's early stage
too, or is. It late early stage? I mean, it tends to be applied. More mid to late. Yeah, mid to late, but. But they're much more stringent now on
managing where the money is flowing from. So big technologies. And there is. Not to
get into an academic discussion, but there is geopolitics and technology. I mean, name your top five that you think, obviously quantum, but I'm not gonna put words in your mouth. What do you think they are? And why is it essential, as you said earlier, we cannot afford to lose this race. Yep, absolutely. Another great question. And absolutely
right. There's geopolitics playing in it. I mean that's what I do now. I mean that's what I'm advising clients on is, you know, how does geopolitics. And remind everyone
the name of your firm? So it's protest our strategy. And what we do essentially
is talk to very senior leaders in industry about decision making, about how they become better equipped at managing and understanding geopolitics and how that relates to technology decisions. Risk,
right? At the end of the day it's risk. It's like any other risk. You have to layer that in. But yeah, but what do you think the big plays are here? So I don't think this would be any surprise to anyone because it's
become such a commonplace part of the tech lexicon and the common conversation. I love the fact that technology gets talked about so much. Now as someone who's invested their entire career, PhD included in looking at new and emerging technologies, it's quite surreal to be in this world. Finally it's arrived. What was your dissertation? Oh, it was non
lethal technologies. So cyber effects. That's how we met first time, right? Exactly, exactly. So I was looking at all sorts of weird and wonderful things like electromagnetic pulse, acoustics, all that sort of thing. It was kind of big things now, directed energy, empathy. So that was where I began my journey in this space. But it's also, you know, managing the translation piece for those that, fair enough, feel uncomfortable with very technical
conversations around technology. It's just important that we're all comfortable with tech and that's not always the case because often it's clouded in very difficult language. Yeah, absolutely. And there's a time and a space for that and it can be really good fun. But not if you're a senior decision maker who needs to be able to get clarity very, very quickly and you're not going to have all the time in the world
to deal with these issues. So you do need that clarity. So you need a translation to ensure that the information you're working with is based on ridiculous amounts of knowledge and understanding and creates then cut through when you do make those decisions effectively. Now there's a really long winded way of getting back to your technologies. So AI
is obviously the zeitgeist of the moment. AI is not ubiquitous thing. We've been using IT masses in industry already but you know, it's the generative AI takeoff that is really caught everyone's imagination. And I'm sorry to cut. You mentioned translation. It's also application. Sure. So technologies can sit around for a long time. It's not until they're applied
and utilized that they can sometimes realize their true benefit and impact. 100. Sorry to cut you off there. I've never had an unspoken thought, you know that. Yeah, of
course, mate, that's absolutely right. And I think I'm just going to riff off that a moment because I think you're so right. And there's an important part of this is whilst we've been talking a lot about national security and risk, businesses need to feel comfortable in the chaos of trying out new technologies and creating right. Pockets of environments and business cases so that they can trial new tech and not be frightened
of it. Because that then would lead to economic loss for our economy. So we need to help companies feel comfortable not just with the risk, but also how they effectively enable it for their own economic well being. AI. Yeah, absolutely. It's right up there. I would say biotech is absolutely enormous and is something, you know, I mean, we're all getting scared to death by what Elon is up to with emergence. With
AI and other. It's like we're psychic. This is like psychic viewing as well we're
doing here because you've got. You got ahead of like where I was going. So quantum, I would say is quite clearly one of those. I would say that the. We're kind of still working out if it's quite going to work in the way that everyone's hoping it will. But nevertheless the chances are we will get there with quantum computing. So that is, we can't afford to lose that one. That is the
ultimate game changer. Absolutely. And then I would just put on top of that the
increased connectivity and speed of connectivity and everything that then flows off the back of that. There's a whole raft of other technologies. But let's stick to those because to your point, it's then about the almost. How would you call it, the virtuous circle of interactions between those technologies and the way that they reinforce and accelerate innovation in each other. I mean, I'm talking about them like they're beings and it may be
one day that we get that right. General intelligence. I mean, it's interesting with that AGI conversation. I watched Terminator 2 the other night and it just took me back to, you know, that's always the reference point. It's like, oh, My God, the machines are going to kill us all. But it took me back to that thought process. I remember when I was in the job, getting up on stage down in Melbourne about 2019 and talking about AI processes and progress and said, said, you know, we're
looking at AGI in what, 50 plus years time. Yeah. And. And I found a load of other people. Pretty much everyone is right. And so I went on a stage recently and I did a bit of background again and my own thoughts on this. Well, what, five years away. Yeah. And it's just radically shifted. And that will only accelerate as these technologies interact with one another and accelerate because they all feed into each other. And I think that then presents. If you're a policymaker, I advocated
for it all the time. But it created a lot of complexity for how you then delivered policy in that space. We need to see them almost as a whole because it's going to present such a multitude of policy question marks and concerns, but also opportunities that governments must get ahead of now. And that's, that's frankly something that
governments aren't great at at times, especially in the tech space. Getting ahead of the policy curve on advanced technologies is not something I would say that governments are brilliant at and. I'm not sure it ever will be. But, but sometimes at our peril,
sometimes it helps innovate because you don't want a stymie, you don't want the cure to be worse than it is. Absolutely right. I'm a firm believer in of setting
left and right of arc and then allowing the developers a bit of space to work in that. And as long as you set that left and right of arc quite clearly and that should include the kind of values that you're expecting. Technology values
principles. And that is my. Not to overstate it, but Democrat. I grew up thinking democracy was the only way and I still think it's the only way. But. But autocratic regimes who know how to turn to technology can have a pretty big vote in this. Right. And ultimately, again, it comes how that information and how that technology is used and whether it's the individual, whether it's the government, whether it's the Communist
Party. Those are all sorts of questions I think we need to think, think through. Hey, Toby, I'm going to shift gears a little bit. So you were the inaugural ambassador for Cyber affairs and Critical Technology and I actually didn't think about that. That's
one of the few that marries those two up and for good reason. But what was it like standing up your office, go Back to day zero, where you have a new entity within a big ministry and department department in a bigger interagency set of issues where just like in the US, you have your ASIO, your domestic security service, your ACEs, your foreign intelligence Service. Bring us back to sort of day one. And what did that look like? How did that feel? I remember landing in the
office and still feeling that overwhelming sense of, oh, wow, I just. I'm in the best job in the world. I'm happy to hear that. Did that last? Yeah, yeah, 100% the entire way through it. You know, of course, there's always bumps and bruises along the way, but still the best job in the world. And it was my privilege to land on that day zero, having the background that I did in, in
the tech space. And that's what I think landed me the role was the. The work that I've been doing on cyber and tech and setting up various different, different organized, like Aspie's Cyber center. And that sort of thing, you know, led me to this place. And the amazing thing was, yeah, that's right. They do good work. That's right. I will claim responsibility. I set that up back in the day too. I
forgot. That's right. And that's really where I found my sweet spot, is understanding the
direction of travel a little bit before others do. I'm not a soothsayer or, you know, I don't have mystic arts. I'm not. I'm not the brightest guy in the room, all those things. But I just understand I have this. Thank you very much. I have this canning ability to just see where things are going. And so that for me was amazing. I landed in the office and genuinely, I, not to tell tales, it was me and kind of one other person who worked to me and
it was just blank sheet. I was told I had to write. Dennis Richardson, who
was. Who is the. The secretary? Francis Adamson. Wow, what a. What a secretary. I
mean, again, privilege to work with Francis. And she's now governor of Adelaide, doing tremendous individual and consummate professional. And she was very gracious in saying, you know, this space, I trust you, the Prime Minister trusts you. Go and get on with it, and I will support you in every way I can. And the good thing that I had, there were two deliverables for the government around me. And it's always important to
remember the deliverables, one of which was delivering me. So the government were like, tick, we've delivered Toby, he's in the job. We've got the ambassador in and the second one was to deliver an international engagement strategy. And that was perfect for me because that's my sweet spot is in creating tech strategy and then helping understand what goes
on. So to your point, though, is once you get into that process in government, I was determined that, yeah, okay, I have my own ideas, so I provided some top lines, but it was about engagement, engagement, engagement with colleagues across government. So we established all the interdepartmental mechanisms, made sure that everyone was included, and said, this is your opportunity, I'm sure, and I know you're all doing great work internationally already. Get
your agenda into this document, which will have great visibility. And that created a momentum and then managed to do fundraising in government. Happens wherever you are in life. Rattled the tin and managed to pull a lot more money out the system we went from. At that point, we had a million dollars to spend on capacity building. You know, by the end of my time in that position, we'd spent well over $100 million. And to me, that's, you know, that's proof of concept and beyond the power
of the work you were doing. And, you know, this is one area where Australia
was ahead of the United States, that there. How many ambassadors are there now, you think, for cyber that have that title? 30 something, maybe, something like that? I don't
know exactly how many, but, yeah, I mean, you know, look, Chris Painter was, if you like, the original equivalent. Yeah. But, you know, in terms of the ambassador. But
it wasn't until Nate and it was elevated to a bureau on the site, Cyber Diplomacy act, which was passed. Recently, and I had some great colleagues. You know, Rob
Strayer was awesome in the role, too, and Nate just, you know, it's one of my few regrets, actually, when I was just about to leave, Nate came into the position. Oh, man, we could have done some damage together. But it was great to pass the baton over. Absolutely. But, yeah, you're right. It was almost like a. Not only a blank sheet inside a department, and, you know, colleagues were so brilliant at coming to the table with, rallying around the position and seeing the value and looking
at ways that we could creatively work together. And so much of that I would never be able to tell the tale of, but so many ways it was visible in the progress that we made with international partners. And in all honesty, one of the reasons I was there was to help mainstream these issues inside government. And a measure of success was a very simple one. So I used to host a bimonthly meeting of all interdepartmental colleagues who had a Hand, if you like, in delivering cyber
and tech issues. And it was across all of government. Across government, yeah, yeah, bring
them in. Yeah, intelligence, world, national security community, but way beyond that as well. Trade,
investment, guys, the whole nine yards. So that you had that understanding of all the equities. So I remember when we first started doing that, maybe what, 10 people would show up and it was probably a very strong national security bent that we had on it. By the end, they're mostly just keeping you in check. Yeah, yeah, probably. No, no, no, no, but, but, no, but also, yeah, I was given such free license to talk that, yeah, of course that creates nervousness in government. But again, there
was a lot of support, so I again was very, very lucky. No, no, it's fine, it's fine. But by the end of it, we were having to keep people out of the room and not, not because they didn't want to hear what they had to say. There was no space, there was no space in the room. You'd have like 50 plus people wanting to come along to these meetings. And I remember sitting there, think, difficult to manage, but actually, you know, that's a measure of success
too. Government has seen different departments have seen the value of engaging internationally and seeing what it could do for the country, for their departments, for their own careers. And so that was genuinely a measure of success. And you know, I think it's awesome now seeing so many different countries with building these capabilities. I'm interested to see where it goes next and I've definitely been putting my mind to a bit of thinking
on, you know, what next for the international tech space. I hope you're right along
those lines and you sort of answered this question, but. And feel free to punt on it if you like, but most proud of and unfinished business. In your previous role was there a day and you gave some great examples of how it did elevate and mobilize, but was there one day where you said, yeah, this is awesome and one day where you said, yeah, we got to do more? So I remember
taking soundings from external colleagues before I went into government and they, they gave me some great sound advice which I'm sure is very common. They said, go into government expecting you can achieve three things and if you achieve one of those, you've knocked it out of the park. I can hand on heart say I lost count of the things that genuinely we achieved awesome. And that is, yeah, okay, I helped with that and maybe help create with some of the idea and leverage to do that.
But it was because colleagues came to the table and they really came to the place. So it's difficult pinpointing if there's one thing that was a labor of love for me. And I was really. I got a really proud, quiet moment and I didn't reach out to anyone. When it happened, it was about cyber sanctions. When I first came in, boom, I said, said, we've got to do this. And six years of trying to get. There, blood, sweat and tears, you got there. And I kept
going, kept going, kept going, got them passed through Parliament. Didn't get to use them before I left. So it's almost like my biggest. I felt so proud when the Australian government announced that they were using this architecture that I'd helped build over six years, but I quietly kept it to myself. So I felt proud. But also it was almost my biggest regret when I left was that we hadn't quite got there.
But, you know, I mentioned the kind of money that we invested, the partnerships we built, you know, all of these positive outcomes that we help partners achieve, whether it be cybersecurity operations center and PNG creating results for the government, whether it be, you know, all sorts of other things than many of which I couldn't talk about. Like,
there were so many proud moments. That's why I say still now, biggest privilege of my life and still always will thank colleagues for the way that they rallied around it. And that is awesome. And yes, this is by definition a team sport. No
one's going this exactly. But you still need to get people on the field. You still need to do the arm twisting, the cajoling and everything else to get people on that field. And like you said, it started with 10 in your tech group and it grew. As you well know, Frank, I have a certain way of doing
business and you know, you may be dealing with incredibly serious issues, but if you want to get people on board, there's got to be some humanity in the way that you deal with everyone. So I hated the moments when it, you know, did get a bit friction building. I just felt by kind of power of personality and my ability, I know I have to bring people along on a journey. It was
brilliant. And others just rallied and kind of went way above and beyond. So it was still, what a privilege to build something like that out over six years and see it flourish now. And, you know, Brendan, doing an awesome job in the role too. Toby, what questions didn't I ask that I should have? Oh, my God, there are so many that you could go into. You could have talked about all of the work that we tried to do on deterrence and never quite seemingly got there.
You and I would never get over that conversation. Because I think it. It would be a lengthy one. Exactly. No, I think we've covered so much in that conversation.
I think there is always an infinite amount that you can talk about, and I think that's the joy of a podcast like yours, is that there will always be new material. There'll always be more to say. Maybe you should just invite me back for a second chapter. Sounds like a definite. Toby, thank you for your time today.
Thank you for your leadership over the years, and thank you for leaving us in a better place than we were. So that's worth its weight in gold. So thank you. Thanks so much. Frank, thank you for joining us for this episode of Cyberfocus. If you liked what you heard, please consider subscribing your ratings and reviews. Help us reach more listeners. Drop us a line if you have any ideas in terms of
topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.