The Voice of Cyber®

Episode 257 Deep Dive: Min Livanidis | Shaping Responsible AI Policy
First Aired: May 22, 2024

In this episode, we sat down with Min Livanidis – Head of Digital Trust, Cyber, and Data Policy, AWS ANZ, as she provides insights into the intersection of AI, cybersecurity, and public policy, emphasizing their impact on society. From Australia’s cybersecurity strategy to responsible AI policies, we explore the collaborative nature of policy development, the role of diverse perspectives, and the potential for individuals to influence change.

Min Livanidis leads AWS public policy across some of Australia’s most pressing technology areas, including cybersecurity, artificial intelligence, and critical infrastructure. Min lead AWS’s collaboration with the government during the development of the 2023-2030 Cybersecurity Strategy. She is currently leading AWS’s engagement around safe and responsible AI in Australia, working closely with Minister Ed Husic and industry to develop best practice regulation frameworks. In 2023 she appeared at the Senate Inquiry for the use of Generative AI in the Australia Education Sector. Min regularly engages with the most senior level of government on key policy areas including AI, cybersecurity, privacy, data and digitization strategy, electronic surveillance, critical and emerging technology, and critical infrastructure.

Outside AWS, she is Non-Executive Director of the Oceania Cyber Security Centre, a registered charity developed in partnership with the eight Victorian universities, the Victorian Government, and Oxford University to deliver cyber maturity assessments for Pacific Island nations; Non-Executive Director of the Australian Cyber Collaboration Centre, established by the South Australian Government with a focus on domestic cyber capacity building and home to key partnerships with the MITRE Corporation and NATO; and an Industry Professor with the School of Information Technology at Deakin University, affiliated with the Centre for Cyber Resilience and Trust (CREST).

Help Us Improve

Please take two minutes to write a quick and honest review on your perception of KBKast, and what value it brings to you professionally. The button below will open a new tab, and allow you to add your thoughts to either (or both!) of the two podcast review aggregators, Apple Podcasts or Podchaser.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Min Livanidis [00:00:00]:
AI just like cybersecurity is something that’s going to be relevant to every part of society. Being able to develop a robust policy ecosystem around that, that allows us to really harness all the benefits of these technologies while mitigating the risks. That’s what needs to be at the core of all of these policy discussions. There are clear intersections with AI policy and almost every other area of policy as well, which makes it another really good analogy and almost sister issue to cybersecurity.

Min Livanidis [00:00:38]:
The primary target for ransomware campaigns is security and testing and performance and scalable. Police can compliance. We can actually automate those

Karissa Breen [00:00:46]:
take that data and use it. Joining me today is Minh Livenidis, Head of Digital Policy Public Policy from Amazon Web Services as known as AWS. And today, we’re discussing laying the foundation for a secure Australia. Dae Minh, thanks for finally joining, and welcome.

Min Livanidis [00:01:06]:
Thank you for having me, Carissa. I’m happy to meet you.

Karissa Breen [00:01:08]:
So public policy. Now when I saw you last, we talked about public policy. So maybe let’s start there. Can you help our audience understand and and maybe define what this means?

Min Livanidis [00:01:19]:
Yeah. Sure thing. Cybersecurity itself, public policy has quite a lot of definitions out there about what it is and isn’t, but in its simplest form, public policy is about what governments choose to do or not to do and why, and the consequences of those decisions. At its heart, it’s government identifying a public issue or a problem and choosing a type of response to raise certain objectives or obtain a specific result. And I think what’s really important here is that although the definition of public policy in the sense of what it is centers around government, there are multiple players or stakeholders involved. Firstly, there’s capital G government. That’s the executive at at the federal level in Australia. That’s obviously the Albanese government.

Min Livanidis [00:02:08]:
There is also the parliament as the legislature, and then there’s small g government in the forms of agencies and departments that comprise the public sector ecosystem. But then we also have external players. So media like yourself are key stakeholders for how these issues are communicated and really form a big part of how these public policy conversations play out. There are also non governmental entities in civil society, as well as academia. And of course industry has a voice and that’s the role I play with AWS. My role with AWS very much focuses on more technical aspects of public policy. So I take care of things like cybersecurity, critical infrastructure, artificial intelligence, privacy, etcetera.

Karissa Breen [00:02:58]:
So you said before there are multiple definitions of public policy. Where do you think that stems from? Why do people have different views on public policy?

Min Livanidis [00:03:06]:
That’s very much an academic question, but ultimately policy is a label for a series of activities. And if we take the cybersecurity strategy as a really good illustrative example of policy Through the data bridges that took place in the latter half of twenty twenty two, minister O’Neil identified cybersecurity as a key issue. Government had already done that through the appointment of Claire O’Neil as the cybersecurity minister, as well as minister for home affairs. But she announced very quickly after those incidents that we needed a new cybersecurity strategy for the country. And if you unpack what that means, cybersecurity strategy at that national level, isn’t altogether that different from how we would conceive of a corporate strategy or a corporate cybersecurity strategy. You have a vision statement. You have a set of objectives in the context of Australian government cybersecurity strategy. It’s the 6 shields, and then you have a set of actions that sit under each of those objectives to help you realize a certain outcome.

Min Livanidis [00:04:15]:
And those are the measurables that we have attached to the public policy space as well. But in terms of what public policy is and isn’t, it very much interweaves between the political aspects or political dimensions of policy, where governments choose to make a decision or they choose not to, which is also valid decision conscious, non action. What levers you choose to pull, whether or not they bill proposal that you put up to parliament actually gets through. These are all public policy mechanisms, but how you would define the policy itself can sometimes actually depend on the outcome that’s attached to it, or indeed can become clear in retrospect. So you take a set of actions in response to something, and that articulates itself as a policy overall.

Karissa Breen [00:05:00]:
What does a good sort of public policy look like in Australia, more specifically in your eyes, with your background, with your experience? And do you think people even know what good looks like?

Min Livanidis [00:05:11]:
Public policy is an interesting base in the sense that it’s never something that has a clearly defined beginning, middle, and end. Anybody that studied public policy would be familiar with the policy life cycle and that, you know, it starts nominally with the idea of issue identification policy analysis, then right through to the articulation of outcomes and assessments. And so the cycle continues. In reality, it’s not linear like that. There are a lot of concurrent activities that take place. That’s not to make a judgment call over whether an outcome is good or bad. There are multiple ways that we can describe success in the policy space, and that really comes down to the outcomes that are attached to these issues. Cybersecurity is a really great example of that because it’s a problem that is entrenched in all aspects of society.

Min Livanidis [00:06:07]:
So we’re talking about a societal issue that impacts citizens as individuals through to small businesses, medium businesses, large enterprises, like an AWS and critical infrastructure providers, the Australian government itself. And then there’s the national security component of that as well. So it is really quite a complex and layered policy ecosystem, but one where there is an opportunity for a lot of really collaborative policymaking, lot of co design processes and where an entity like an AWS can have a really important voice as genuine technical experts in this field.

Karissa Breen [00:06:46]:
Okay. So there’s a couple of things that you said, which is interesting. You said a lot of concurrent activities happening. What what what is a concurrent activity? What, what does that look like?

Min Livanidis [00:06:54]:
So if we take again, for example, the cybersecurity policy, there were the data breaches that took place later half of twenty twenty two. Minister O’Neil started a process of consulting on a new cybersecurity strategy, But at the same time, the government introduced a set of measures relating to the privacy act in terms of the enhanced data breach scheme, new powers for the office of the information commissioner, and several other activities that supported a program of work, including the appointment of the cyber coordinator. So that demonstrates that the activities around that particular policy, although there was a development process for the strategy in place, the government didn’t wait to take action to address what it saw as an immediate requirement or an immediate need. And that’s where you see those concurrent activities start to come into it.

Karissa Breen [00:07:48]:
And that makes sense. One of the things I’m curious to know is with all these activities, how do we hold people accountable? Now I have interviewed people on the show around. Great. We can come out. We can say all these wonderful things. How do we keep people speak to the fire in ensuring that they hear the actions, but have they been actioned? When? How long is the timeline? Is that something that is part of public policy? Is it something that people can understand where things are at in terms of if we look at the cybersecurity strategy, for example?

Min Livanidis [00:08:21]:
There’s multiple ways to start to dice this up. There’s the accountability in terms of the delivery of the cybersecurity strategy and that accountability ultimately sits with government and the various government departments that are attached to it. The national cyber coordinator has a really important role to play as part of that process as the central cog for government to be able to articulate its priorities and ensure that accountability internally. In terms of corporate accountability, there are the expectations that are articulated through the corporations act, and we also have guidance that’s been distributed by the Institute for company directors around what good corporate governance looks like in a cybersecurity sense. And there’s accountability mechanisms being built into that. There is the data breach notification scheme. There are the critical infrastructure notification requirements and the various registration processes, all of the accountability mechanisms that have been built into that legislation as well. So you see it coming through at multiple layers.

Min Livanidis [00:09:29]:
And then within organizations, there is the articulation of governance standards, risk management, and then policies that support the corporate ecosystem. All of these things have a really important role to play in developing those ultimate outcomes, which we hope will be more robust cyber security and increased cyber resiliency across the entirety of the Australian ecosystem.

Karissa Breen [00:09:52]:
Now I asked that previous question because I’m curious then to understand, would you say with your experience, we as in Australia is doing a good job in the public policy arena at the moment?

Min Livanidis [00:10:05]:
I think Australia’s been extremely proactive when it comes to cybersecurity policy. A lot of countries internationally, they’re looking to what Australia has been doing as part of this process to say, what are some options that are available to us? And this is something I like to say about Australia. We are small enough that we can have this really quite close knit cybersecurity community and ecosystem, and that articulates into how we engage with government and how government engages with us. We develop these really robust policies and programs of work that support these policies, but we’re also big enough that Australia can have quite an outsized impact in the sense that other countries can look to us and say, Hey, this policy worked over there, or the design of this policy worked over there. Is this something we can adapt to our environments? We’re seeing that cybersecurity policy. We’re certainly seeing that with critical infrastructure policy as well.

Karissa Breen [00:11:04]:
Do you think Australia looks to other countries to say, hey. You guys are doing a great sort of work here in the public policy space as well? As much as people are drawing inspiration from us as Australians, would we sort of draw inspiration from other countries as well?

Min Livanidis [00:11:18]:
Yeah. Absolutely. And I think that’s a benefit of a company like an AWS, something we can really bring to the table as part of these discussions is that international perspectives. We obviously have a footprint globally. We engage with governments globally on exactly these issues. So if we’re seeing something that’s worked really well over in the UK, we can speak to the Australian government about our experience through that process. And obviously the Australian government has their own relationships with these governments as well, that they’re able to draw from as they’re developing these policy proposals.

Karissa Breen [00:11:54]:
So in terms of what you said earlier with public policy, you’ve got, you know, companies like AWS. You’ve got MediaLikeSelf. You’ve got, you know, the industry. How do people understand where the front door is? Like, how do they know who to go to? If I’m sitting there saying, alright, Minh, I have a got a problem. I want help to get you to help institute some change. How do people go about that? And the reason why I asked that question is simply because I speak to a lot of people in this industry at the cold pace, yes, in Australia, but globally as well. But I’m her focus here on Australia. People are saying, you know, government’s not doing this, or I wish we’d got this more for security start ups, or what about this? And I don’t really have an answer for that.

Karissa Breen [00:12:35]:
So I’m hoping that you can help maybe navigate that for me and for people who are listening to this interview that, you know, if someone’s got something that they think is valuable, how do they go about it?

Min Livanidis [00:12:47]:
It’s a really important question for a lot of entities. A lot of entities don’t have a a dedicated public policy or government relations team that are able to keep track of all of these developments. So we’re very fortunate in that respect. The key thing to keep an eye out for typically at the beginning of any of these sorts of processes, you’ll see a consultation paper be distributed through one of the government departments. That consultation will be open for a certain period of time will involve being able to provide a written submission, but it will also involve the opportunity to be involved with round tables. Being able to provide that sort of direct feedback to the members of the department that are doing that work in the background to develop these policy proposals and assess all of those inputs. If it’s something that then requires a legislative amendment or a bill or a set of proposals that will then probably be consulted again, which we’ve just seen with the legislative consultations that came out as part of the cyber strategy, provides all entities with another opportunity to provide their inputs as part of the process. Once a bill reaches parliament, if it gets referred to a committee for an inquiry, again, there are opportunities to actively engage and provide feedback as part of the process.

Min Livanidis [00:14:12]:
The important thing is to really stay plugged in and attuned to what’s happening within your ecosystem. That may be achievable more readily through industry associations and memberships, or it may be achieved through institutions like ASA, the ACS, those sorts of entities that also keep track of these developments. And then there’s a lot of great free resources out there as well. A lot of legal houses, big legal houses have great pages that keep track of these sorts of policy developments and try to articulate it in a way that’s digestible for entities of all sizes as well. The important thing is find a resource, stay plugged in. It doesn’t have to be extremely difficult or sophisticated. You just need to find what’s out there.

Karissa Breen [00:14:59]:
And do you think some of the public policy stuff, you said the word operative word digestible. Do you think some of it is sort of a little bit convoluted for people to understand?

Min Livanidis [00:15:07]:
I do think that there is a opportunity to simplify in this space and particularly for a area like cybersecurity, where we see simplification, these concepts being so central to success in this area. When I was developing, the AWS submission to the cybersecurity strategy, which you can find online on the home affairs website, I was very conscious with language as part of that process and really wanting to speak to cybersecurity in a way that resonated with everybody that read that document, not just cybersecurity professionals that understand what STIX taxi means in terms of threat intelligence. Needing to go beyond that, to really speak to the people that are at the heart of this issue. And that was the foundation of the the vision zero model that I developed with reference to car safety as a, as a really good analogy for a public policy issue that was recognized and was adopted nationally. And you’ve seen the outcomes of that policy strategy develop over time. And we’ve got about 30, nearly 40 years of that strategy being in existence to see its results. Talking about these things in a simple way that allows people to engage with the process really lets them feel empowered to be a voice in that process and that their voice is valid in that process. It’s really crucially important to developing a cybersecurity strategy and cybersecurity ecosystem that meets the needs of everyone from individuals right through to large enterprises.

Karissa Breen [00:16:44]:
In terms of feeling like it will feel valued in terms of their voice, do you think in some of these forums that you’re involved in terms of public policy, do you think people, as in maybe smaller organizations, don’t feel a part of that voice? Maybe they don’t have a dedicated person like yourself to be able to go and have these discussions like like you’re having. Do you think that there is this element of people not feeling like they’re being heard in the industry? Maybe because they’re small or they don’t know how to go about it or maybe they are. They don’t, can’t communicate as strongly, perhaps you think there is that side of it?

Min Livanidis [00:17:17]:
I think there is probably something to be said for that purely in the sense that these things can very much be a resourcing and awareness issue. I do know that government, as part of this consultation process, we’re very active in wanting to get perspectives from small business. And we’ve seen that in, I believe it’s pillar 2 of the cybersecurity strategy that very much focuses on the needs of small business and how to right size cybersecurity for small business players. So I think because government took such a conscious interest in small business in particular, we’ve seen a real development of fairly robust set of policies that are designed to support that ecosystem. Outside my role at AWS, I also sit on the board of the Australian cyber collaboration center. That’s got the CUSP program, which is all about uplifting cyber security for small businesses in a way that’s affordable and achievable, and really speaks to their issues in terms of how they use security and what their actual risk profile is. Even how a small business interacts with technologies really can be extremely variable. So you should never assume that there’s a one size fits all approach to this.

Min Livanidis [00:18:39]:
And I think that’s been reflected through the programs that have come out of our strategy as well.

Karissa Breen [00:18:43]:
So with public policy generally, what do you think gets maybe missed or overlooked that you you’ve sort of seen in your, in your years of doing this?

Min Livanidis [00:18:52]:
I don’t know that I would say things have been overlooked so much as you might have differences of opinion in where there is a particular emphasis. I know that after this strategy came out, there was always a bit of LinkedIn chatter about these things, but there was a bit of chatter about the absence of adequate support for startups, which is something else that’s able to be addressed separately, but they, you know, some people felt that that wasn’t explicitly called out enough. Others wanted more explicit guidance or, you know, compliance elements to be included as part of the program. Everybody has a different perspective on where that balance should be. And that’s something that is a real challenge for government in releasing these policies, because you need to fine tune your approach for the needs of all life stakeholders. That’s why the consultation process is really so important, but ultimately government decides what are the things that they want to emphasize to realize the outcomes that they have set? What are their set of objectives? And that’s what gets articulated as part of that policy process.

Karissa Breen [00:20:03]:
Okay. So there’s a couple of things in there which is interesting. So I’m just going to assume that no matter what policy is put forward, there’s always gonna be someone that complains. Their voice wasn’t heard. This was overlooked. We need more money here. There’s too much money on that other thing. Do you think there’s always gonna be that? There’s always gonna be someone that perhaps doesn’t like what the end result is?

Min Livanidis [00:20:23]:
I think that’s the nature of the beast to a certain extent. And again, that’s not a judgment for me of whether that’s right or wrong or whether what. I think

Karissa Breen [00:20:32]:
it’s just human nature though.

Min Livanidis [00:20:34]:
Yeah. It’s, it’s human nature. It’s, it’s that sense of the perspective that I have wasn’t entirely reflected through this process, and that’s going to lead me to reach a set of conclusions. That may be perfectly valid from that person’s perspective or that entity’s perspective. That doesn’t mean that they’re right or wrong, or that government is right or wrong, but it does demonstrate the challenges inherent to the public policy process process, particularly for an area like this, where I think people have especially strongly held views, especially if you’re a practitioner in this space and, you know, you and I, are both former cybersecurity practitioners that are now still engaged with the cybersecurity community from a different perspective. I’m doing it from that public policy perspective. You’re doing it from the media perspective and doing deep dives into these issues that really matter to in particular senior executives in this space. We all have different perspectives that we bring to it.

Min Livanidis [00:21:31]:
I think having been a practitioner, having also previously worked in government and now working in the public policy space, it’s given me that genuine sense of empathy across the board, empathy to government in the sense that these are really complex issues that they need to be able to articulate it in a way that is digestible across not just the cybersecurity practitioner space, but more broadly. And then for cybersecurity practitioners that feel the challenges of working in these environments day in, day out, wanting to see their perspective represented in a way that they think reflects the reality that they experience. And these are all perfectly valid opinions and points of view. So it’s a, it’s a very fine needle to thread. And I don’t think there is ever going to be a situation where you can definitively say you’ve got it 100% right or wrong. It’s always going to be more complex than that. And to be honest, that’s why I enjoy it. It’s not binary.

Min Livanidis [00:22:32]:

Karissa Breen [00:22:33]:
let’s get to the consultation process. What does that look like? Just so people are not really, maybe perhaps people aren’t aware. I don’t think many people actually are aware of public policy, meaning the how the mechanics, the complexity of it at all in this space.

Min Livanidis [00:22:45]:
There are quite a number of things that happen in the background as part of any of these sorts of, consultation processes. The most obvious element is that you get the discussion paper, which is a primary artifact as part of the consultation that will typically pose a problem to you or a hypothesis or some statement of a perspective around an issue in the cybersecurity case. It’s you know, we’re seeing X number of threats. This is the value to the economy over time. This is why we need to take action. So it’s like a pause for a call for action statement, always. Then you typically get into an analysis of the issues and they’ll attach a set of questions around that. What do you think of X? What do you think of Y? And then, you know, you’re invited to put in a submission as part of the process.

Min Livanidis [00:23:39]:
So if you go to any departmental website, home affairs, attorney general’s department, etcetera, they will typically have a consultation hub where you can see consultations they’ve done in the past or that are currently open. And then unless you ask for it to remain private, they’ll publish those responses. So all of the responses that home affairs will have received as part of the cyber strategy consultation, they’re now available online. You can go and read about what all the different entities and individuals who shared their views on that had to say. From there, there are typically a set of town halls or round tables that take place. A lot of conversations and these things happen over the course of months. It’s not by any stretch, a really quick process. And that’s because you’ve got a lot of issues to work through and through the consultation process, you may identify something that you hadn’t necessarily thought of before, or somebody’s brought a really interesting perspective that you want to explore more.

Min Livanidis [00:24:45]:
You start doing deep dives as, as part of that process. So there’s a lot that goes into it and a lot of really deep thinking that happens along the way. And then from there is through that process, the department will take all of the inputs that they’ve received and start developing the actual primary deliverable, which is the strategy itself. And that’s, I think a really important thing to remember as well, that you’ve got the minister in their office, but then you’ve also got the department and the public servants that staff that department. And there is a clear sort of division of responsibilities in that sense. So it’s the department that does the primary work of holding the pen on these documents and actually producing the outcomes. The minister obviously works very closely and the minister’s office works very closely with the department, and the minister ultimately signs off on that as the, that counter hall minister, but it’s very much collaborative even within government itself.

Karissa Breen [00:25:47]:
So you said before things take months, which I assumed it would. But how so hard is it from your understanding to institute changes to the public policy? If I had an idea, I went through the process that you just explained, what would happen? Now I know it depends, and there’s all these things, the liberation, there’s meetings, and there’s people. But do you think perhaps people and when I mean people, like, you know, whether they’re practitioners or just everyday people, do you think that they think it’s harder than what it is, so therefore they don’t bother to try to have a seat at the table, have a voice? Do you think there’s a bit of that in there? Because they think, oh, it’s all too hard. I couldn’t be bothered going through the process because they think it it it just won’t actually move the needle at all.

Min Livanidis [00:26:30]:
Yeah. I think there’s there’s probably a bit of that I don’t want to say cynicism about the process, but I do think that people probably are not sure how much of an influence they can actually have as part of the process. But I think the key thing to remember here is we’ve all got the opportunity to have that voice as part of these consultations and for your voice to be heard, you need to use it. So I actively encourage anybody who really feels passionately about these things, these issues to engage with these policy processes.

Karissa Breen [00:27:04]:
I was just curious. Do you think people feel overwhelmed by the process considering, you know, these things don’t happen in a day? They take months, years. Do you think people sort of just think, well, I’m too busy now. I tried to start the process, but now, you know, I’ve got other things going on in my life, and I’m I’m not gonna follow it through?

Min Livanidis [00:27:22]:
I think if you’re a smaller entity who is very pressed for time, that the level of consistency needed to engage directly with these processes, yes, that that probably can be really quite time consuming. The important thing I think with cybersecurity is that we are a community of practitioners. You know, if I go through even, even for your podcast career, sir, I go through and look at the guests that you’ve had on. I know probably 50% of those people. That’s, that’s a really cool thing. That’s one of the strengths that we’ve got in Australia on this front. So as much as we say that cybersecurity is a team sport, so is public policy. We’ve all got the ability to obviously have that voice and, and, and have that level of influence or, or try to have that level of influence.

Min Livanidis [00:28:13]:
But I think the key thing as well is we are part of a community and you can look to your peers and look to the people around you to say, this is my perspective on this. This is why this really matters. And there is a very good chance that the people or the entities that you were talking to who are within your ecosystem are going to also advocate on your behalf. And I see that pretty regularly as part of the conversations I have with other pockets of industry, you know, through the work that I do as part of the trusted information sharing network, that’s run by home affairs. And I chair the, I co chair the data center group. I sit on the resilience expert advisory group. I get to talk to a lot of different critical infrastructure entities through those positions, but I also get to talk to entities that you might not think about in terms of critical infrastructure resilience or cybersecurity and whatnot. I got to share the stage with the CEO of Foodbank last year, brought this fabulous perspective to what resilience means for them and how cybersecurity impacts them.

Min Livanidis [00:29:22]:
And then I was able to take that forward and say, actually, these are really important points that need to be reflected here. Can I get some more information from you so I can take that forward? Make yourself known as part of the ecosystem. Talk to people like me, who you know are actively engaged in this space. You don’t have to try to do it all alone.

Karissa Breen [00:29:42]:
Yeah. Those are great points. And I think that’s, what’s really important about getting you on the show so you can dissect the process. I think people out there do think it’s hard or it’s impossible. You gotta know someone how does it work. So would it be a fair assumption to say I mean that people do need a little bit be a bit more proactive, whether they come and approach you, they are being a bit more proactive and going direct. Do you think maybe people just they just didn’t know?

Min Livanidis [00:30:04]:
I think it’s a bit of everything. Public policy, like any conversation, and ultimately it is a set of conversations that will ultimately result in decisions and actions. The perspectives that you put forward, they need to be precise. They, they need to be said to be heard. They need to be heard to be taken into account and to be taken into account. And, and then to I’m completely jumbling where I was going with this as a metaphor, but you see where I’m going with this. You’ve got to say something for it to be heard and ultimately acted upon potentially. And you can’t take, you can’t take your perspective, not being acted upon as a rejection.

Min Livanidis [00:30:46]:
I’ve, it doesn’t mean that your perspective wasn’t valid. It doesn’t mean that it wasn’t heard. It would have been considered as part of the process. And then through the balancing that needs to get done to ultimately make these decisions, decide on a set of desired objectives and measures. What you’ve said may well have contributed quite heavily into that decision. But from the ultimate perspective, actually we did consider that and based on their assessment of these variables over here, we decided that that wouldn’t work or it wouldn’t have been the most effective mechanism, but it is something that will be considered as part of this process. So you should never take the absence of something as failure. It’s still important to have it factored you do the analysis of competing hypotheses.

Min Livanidis [00:31:44]:
We put forward a hypothesis and you have to try to prove it, and you also need to try to disprove it. That is the foundation of good intelligence analysis. It’s also the good foundation of any analysis. You can’t just go with what you think is right. You also need to challenge your own thinking. And that’s another reason why these perspectives that we all provide to government as part of these processes are so important to provide that challenge, the analysis of competing hypotheses.

Karissa Breen [00:32:12]:
Do you think the word considered rattles people a little bit, though? It’s like, oh, well, we considered it, which is sort of like, we didn’t reject it. We kinda looked at it. Is that maybe that gets people on the back foot?

Min Livanidis [00:32:25]:
It might, but I would just be speculating on that

Karissa Breen [00:32:28]:
front. So then in terms of I wanna institute some change, I hit you up, you are like, that’s a great idea. How long does something sort of take to to change? And I know that’s a very broad question. I’m just curious to know. I know it doesn’t take a day or a week, but how long does it like? Is it years? Is it centuries? Does it ever change? Because, you know, I’ve heard people saying, like, I’ve been campaigning this for, like, 30 years across, you know, other other, you know, other sort of, sectors. But what what is a real sort of number here?

Min Livanidis [00:33:03]:
Well, if we, again, then you take the, the cybersecurity strategy as the example, that’s set out into 3, 2 year horizon periods and those horizons go out to 2030. So along the way, there would be a set of initiatives that are rolled out over that period of time. And then you start to look at the net sequence of events. For the actual changes to start happening, we’re already seeing those things. Making moves now, the implementation of certain types of activities, like the awareness programs and campaigns that have come out as a consequence of the strategy. We’ll see various things happening through, I don’t know the mechanism exactly yet, but probably cyber where increased advice will start to be released over the period. And we’ve seen that recently as well. The, the ACSC in partnership with the 5 eyes plus released their guidance on the cybersecurity aspects of AI as, as one really good example, but you start to see these things roll out over time.

Min Livanidis [00:34:09]:
I think because it happens incrementally, it gives the illusion of slowness, but that illusion very much the duck floating along water and the legs of flapping away underneath. There is a lot of work that goes into these things that on their face value, you can seem really quite simple, but to get all of these mechanisms of government moving, to get industry partnerships moving and to roll out these societal programs across small businesses, NGOs for individuals, These things take time, but when you consider that they’re being done on a national scale, it’s also happening reasonably quickly. So we don’t need to sit back and think that this is going to take a period of decades to achieve all of these things. It will all happen and materialize over the next 5 years in this particular space.

Karissa Breen [00:35:00]:
I’m gonna switch gears now, and I did wanna touch on AI so maybe, you know, we can touch on that slightly now. But I am aware of AWS’s collaboration with industry and government to build a strong foundation for AI and security. So maybe sort of high level means taught me, like, walk me through this, and then how does this sort of look?

Min Livanidis [00:35:26]:
The AI policy or responsible AI policy is responsible AI policy is, is it’s the issue of the moment. It is the tech policy issue. And we really saw. The interest in that spike with the release of generally available generative AI. But the conversation about responsible AI has been happening for quite a number of years. So in that respect, you know, when you’re saying that these things can take some time, yes, they absolutely can. Often it’s the looks like any change management program, really, there is the point in time where there is a recognized or broadly agreed point where you say, right, we need to focus on this, and this is why. For AI, it was generative AI.

Min Livanidis [00:36:11]:
That was the catalyst for all the action that is followed. This is a fascinating one because it is something that’s clearly relevant to Australia domestically. And there are a lot of processes that have kicked off domestically to address responsible AI as a core tech policy issue. The government, released their interim response to the responsible, safe and responsible AI consultation in January. And that’s where they highlighted and broadly outlined the set of actions that they were going to take on that front. Following from that, Mr. Husic announced the expert advisory panel who is working with the department of industry and science on a AI regulatory strategy. And they’ve also highlighted broadly how they’re going to tackle that, which is a sort of industry vertical approach that recognizes that AI is higher or lower risk, depending on context and depending on use case and working through a set of mechanisms to best govern that.

Min Livanidis [00:37:16]:
And through that as well, we also have the national AI center committed to delivering a voluntary standard for safe and responsible AI as well. And those are just the domestic elements of what’s happening in this space, but there’s no boundary to these sort of tech issues. So this also comes into the international domain where the Australian government is engaging very closely. The safety summit that was originally convened by the UK is now going to be hosted in Korea next, where there were a set of agreed principles as part of the Bletchley declaration. We’re also engaging with the G7 process in terms of safe and responsible AI. The OECD also has a set of policies or mechanisms in place to help govern the development of AI and realize its economic potential. So there’s a lot of complexity at play here. And then we also have international standards that sit underneath all of these other mechanisms.

Min Livanidis [00:38:14]:
Active engagement in this space is really, really important because AI just like cybersecurity is something that’s going to be relevant to every part of society. If you engage with technology, you are going to be engaging with AI in some way, just exactly the same as you’re engaging with cybersecurity in some way, whether consciously or not. Being able to develop a robust policy ecosystem around that, that allows us to really harness all the benefits of these technologies while mitigating the risks. That’s what needs to be at the core of all of these policy discussions. And that’s the approach that the Albanese government again, has been pursuing as part of this process. There are clear intersections with AI policy and almost every other area of policy as well, which makes it another really good analogy and almost sister issue to cybersecurity. So it’s a good thing. I find all of this stuff really interesting.

Min Livanidis [00:39:12]:
Otherwise I’d be in trouble because it’s, it’s a fascinating space to work in and there’s no shortage of things to learn about along the way as well. I’m constantly reading about these issues and finding out new things. It’s an exciting time to be working in this space, I guess.

Karissa Breen [00:39:28]:
Yeah. And you are right, especially with the relatively new emergence of the the gen AI and everything that’s happening, especially now the dick fakes. I was in an interview just before this one talking about that in elections. So there’s you know, I’m not expecting, like, government necessarily have an answer, but it is about industry perspective. And that takes a bit of time to do it, you know, to do it properly. It would doing the right thing would be it does take a bit of time to do it properly. So in line of everything now, where do you where do you think we go from here now as an industry? What are what are your sort of thoughts for the rest of 2024?

Min Livanidis [00:40:02]:
I think as industry, we’ve got an incredible opportunity this year to really be conscious in how we talk about cybersecurity and how we talk about safe and responsible AI being very deliberate and conscious that how we talk about these things absolutely impact broader societal perceptions of these issues. For cybersecurity in particular, and again, this is something I emphasize endlessly. And I know I heard, Phil Rodriguez, one of my colleagues when he was on your podcast, talk about these things really simply. I think that’s an excellent example of how you need to speak about security policy, AI policy, all aspects in tech policy in a way that has genuine meaning to people, because ultimately we’re not just securing things, we’re securing the world that we live in. And the world that we live in is fundamentally digital. So we need to be actively engaged with these processes. We need to be able to invite responses from all pockets of society, from all pockets of the business community, from all pockets of NGOs and particular perspective that they bring to these issues. And the way industry talks about it has a big role to play in that.

Min Livanidis [00:41:26]:
I think something that you’ll often find with me and it’s very deliberate choice when I’m talking about cybersecurity. I never use the word attack ever. And that’s an extremely conscious choice on my part. Cause I want it to be something that you can engage with in a way that is inviting. And there’s nothing really inviting about the word attack. There’s nothing inviting about being attacked either, but we also need to be realistic about that words have meaning and that the way we discuss these things absolutely impacts people’s perceptions of the level of control that they can even have over their own security profile.

Karissa Breen [00:42:06]:
So, I mean, do you have any closing comments or final thoughts you’d like to leave our audience with today?

Min Livanidis [00:42:11]:
I would just really encourage everyone. If you’ve got the interest in policy dynamics surrounding cybersecurity, there are great resources available to you to be able to do that or to even understand tech policy in general. Yeah. The tech policy design center run out of ANU have developed really useful tools to help people navigate the policy process. They’ve also got their tech policy Atlas that gives you an understanding and overview of all the different policies that exist across different geographies, that’s a great place to start, stay plugged in, whether it’s through industry associations, whether it’s just through a simple newsletter with policy developments. So you’re at least kept up to date with what’s happening and you’re up to date with a tenor of conversations around these issues. And when you do see the opportunity to contribute, if there is a perspective that you’ve got that you want to share, absolutely encourage you to share it. And if you don’t feel confident in sharing it directly, reach out to somebody within your ecosystem.

Min Livanidis [00:43:21]:
It could be somebody like me in an AWS. It could be your account manager, one of your third party SAS providers, anyone who you feel comfortable talking to about this process and, and getting that perspective across. I would absolutely encourage you to engage.

Karissa Breen [00:43:45]:
Thanks for tuning in. For more industry leading news and thought provoking articles, visit to get access today.

Share This