The Nation: National Cyber Policy Office's Paul Ash
On Newshub Nation: Simon Shepherd interviews
head of The National Cyber Policy Office Paul
Ash
Our next guest is one of the
architects of the Christchurch Call. He's been in every
meeting throughout its development You won't know him -
but the Prime Minister relies on him. Director of our
National Cyber Policy Office Paul Ash joins me
now.
Simon Shepherd - thank you very much for your time. I know you’ve just come back from the United States. Was the Christchurch Call actually your idea?
Paul Ash: Kia ora, Simon, and thank you for the opportunity to talk about the Christchurch Call. Immediately that the attacks happened, we as a team needed to provide advice to the Prime Minister on how we might respond to the attacks and, in particular, the use of online platforms. We provided advice to the effect that we were going to need to look at some form of collaborative and voluntary solution, and we were going to have to work internationally, including with the major tech platforms, as a way of trying to grapple with this problem and come up with constructive solutions.
Was it hard to get the big tech companies on board?
Well, no, it wasn’t, actually. One of the starting points for this was that we came to the conclusion and put to the firms that we didn’t think they wanted this kind of content on their platforms any more than we did, and that resonated with them. The Prime Minister met early on with the president of Microsoft, Brad Smith, when he was in Wellington. They discussed the idea of a Christchurch Call, and Brad, in fact, was instrumental in working with introducing us to the key people across the other companies – with Facebook, with Google, with Twitter and with Amazon – to pull together a core grouping of senior folk from the companies who were keen to work with us on this issue.
Okay. So, let’s fast-forward four months. You’ve been at the UN with the Prime Minister. What was your role there, and what was the most significant thing to come out of the last week?
So, I think three significant things, really, came out of the last week. First, we saw a large number of countries joining the group of supporters of the Call. They looked at the approach, the voluntary collaboration that we’d put in place, and felt that was something they wanted to participate in. And we now have, I think, just over 50 supporters from governments and international organisations working together in support of the things in the Call. Second – that the companies themselves really stepped up to the plate, and over the past four months or so, we’ve worked with them on how we might re-launch the Global Internet Forum to Counter Terrorism, which will deliver a wide range of the capabilities and pieces of work needed to try and put long-term solutions in place. And we’ve worked with countries and with the companies on a crisis-response protocol – what would we do if and when, God forbid, something like Christchurch were to happen again? The third significant piece has been the development of an advisory network of civil society organisations that is now over 40- strong and is providing really good input, some of it very direct, to the governments and companies involved on how to address this problem most constructively.
You just mentioned the crisis-response protocol – a plan to respond to events like March 15. Google’s planning to come here to carry out a test later this year, so what can you tell us about that? What will it involve?
So, we really welcome this initiative from Google, and it’s exactly the sort of thing that we hoped to see when we stood up the Christchurch Call – companies, governments, civil society working together. It should involve somewhere around 150 people coming together in Wellington in December to test out some scenarios that might happen online and see how the crisis-response protocol would work in that environment. And in terms of scenarios, we’ll be looking at scenarios that perhaps don’t quite meet the threshold for activating the protocol; a scenario that will look very much like Christchurch; and one that may look at where this kind of problem might go next – where would people look to exploit the internet and social media platforms in similar sorts of instances?
So you’re saying you’re looking at a scenario which could possibly be worse than Christchurch? An even more doomsday scenario?
We’ve had to take a good hard look at not only where we think violent extremist groups and terrorist groups are operating at the moment, but where they might look to take their efforts to exploit online platforms in future, yes.
So does that mean the threat level is rising? I mean, is Christchurch being taken as a blueprint by some of these organisations, and they’re thinking of where they could go next?
Well, Christchurch was unprecedented in the way that it used live-streaming to spread an act as it was happening, but it’s not in isolation. Over the past five to 10 years, we’ve seen terrorist groups and violent extremist groups looking to exploit the internet in various ways. And my sense is that, actually, we’re better equipped at the moment to deal with that than we were before Christchurch. The response protocol, the efforts that the firms have put in – both individually and together – will make a real difference. But as in any risk management exercise, we have to prepare for worst-case scenarios and ensure that we’ve tested what those might look like and had a crack at making sure we have the responses in place should they happen and that we’re looking to reduce the risk of that happening in the first place with the other efforts we’re carrying out.
Have you actually come up with that worst-case scenario, what we could be looking at?
We’re still working that one through, and I probably wouldn’t want to talk about that in public in case it gives people ideas. But in effect, when you’re pulling together an exercise, it’s a case of sitting down and trying to work out – if you were on the other side of the equation, what are the sorts of things you might like to think about, or how would you look to use and exploit social media platforms?
Just in terms of quickly reacting to these events as they’re happening, what about live-streaming? Facebook could have just turned that off if they wanted to. So you’re not getting that level of commitment from the tech companies.
We are seeing a range of measures to try and deal with this kind of content. So, if you look at some of the companies, they’ve looked at the number of verified users that you have to have to be able to use live-streaming. They’ve looked at ways to try and deal with that. The issue here is that this is not a simple fix. You could turn live-streaming off, but then you actually deny that capability to the vast majority of its users, who are those looking to use it for good purposes. The key, really—
Right, okay. Sorry, I was just going to say – the stated goal of the Christchurch Call is to eliminate terrorist and violent extremist content online. So is that realistic, or is this more of a global PR effort?
It’s definitely not a global PR exercise. The key thing here is to try and put in place the range of measures that enable the benefits of the internet to continue to be enjoyed by those who use it appropriately, while constraining the ability of those who would use it for evil or for violent purposes to do so. And that requires a mixture of technical fixes; it requires a mixture of making sure that we have safety nets in place where people do seek to do that; it requires ongoing work. And one of the key issues that – as we worked through with the companies and got to understand their perspective and shared with them ours – became very apparent is that this is not a static threat, that this is an adversarial issue where you have groups of people actively looking to exploit and subvert the controls that companies and governments would look to put in place.
Right. Just quickly – the US hasn’t signed up to this; China hasn’t; no Russia. So how big a barrier is that to the Christchurch Call actually being effective?
We have, I think, now just over 50 countries involved. The European Union’s members are largely signed up to supporting. The countries from around the globe now – from Latin America, from North America, from Asia – are involved.
But the big players aren’t there, are they?
Well, the key thing here is ensuring that we can bring about effective change, and if you look at some of the largest markets for the companies, many of those countries are now on board. We have Japan; we have Indonesia; we have India participating. And in a sense, we’re wanting to make sure that we can work with the companies to deliver effective change, and that’s what we think we’ve seen over the past few months and what we think will be ongoing. In effect, that’s the measure, rather than who in particular has signed up. Are we driving that change?
All right. I just want to move on. You’re talking about what’s next. One of the things that’s next for us is the election, 2020. As the head of cyber policy in the PM’s department, how confident are you in the security of Election 2020?
Well, the integrity of elections sits right at the core of democratic societies and protecting the way of life that we all enjoy in democratic societies – making sure that elections are able to be held in a free and fair way. Cyber security is critical to that, and in the last election, measures were put in place to ensure that we could lift the cyber security that was wrapped around the electoral infrastructure and around the support that political parties had if they needed it. Looking ahead, we’ve certainly seen evidence of interference in elections worldwide. We have relevant agencies working on making sure that good information security measures are in place. We know that commercial providers are involved in that too, and as we head into next year’s election, it will be important to ensure that all of those involved are focused on cyber security and making sure that any efforts to subvert the process that sits at the core of our democracy are dealt with.
Sure. What is the next urgent step for you in terms of protecting the sanctity of our next election?
Well, if we look at the last election, a set of principles and protocols were put in place on how support might be provided. Across government at the moment, agencies are working together on ensuring that we’ve got the right level of support in place. Much of that, though, sits with the Electoral Commission and the electoral commissioner herself – in terms of the integrity of the electoral process and keeping that secure – and actually with the political parties involved and making sure that they have kept their platforms secure.
All right. Paul Ash, head of the cyber security— or cyber policy in the Department of Prime Minister and Cabinet – thank you very much for your time this morning.