This article is more than 1 year old

Top tech company's IP was looted by China, so it plans to hack back

'What are our options?' Prime Minister asks The Reg

Scenario 2: The Internet of Rogues kill confidence

Earlier in the day, the game offered a scenario in which several hacks on the internet of things had led to real-world consequences, including civilian deaths, that had undermined public confidence in all online services.

In that scenario I was assigned to the Denial of Benefits team and we got to work on a plan that would make vendors think twice before releasing insecure-by-design products to market.

The group's thinking here was that criminals are harder to deter and that going after the source of the resources criminals exploit would eventually have the effect of making it harder to make a living as a criminal hacker.

To encourage vendors to do the right thing, we envisaged a security rating label to be applied to internet-capable products, plus a consumer education scheme so that shoppers understood that a one-star gadget was not a sensible purchase.

We hoped vendors would strive for five-star ratings, but also suggested a legislative stick for those who fail to deliver. Fines, import bans and more were on our menu.

Those ideas dovetailed with most of the other teams, although one suggested internet service providers and telcos be compelled to monitor all internet traffic for malware fingerprints. That didn't go down well.

Cool heads, established instruments

I went into the day expecting some participants would offer StartupLand-grade “Blockchain will solve it” chatter.

I'm pleased to report the two groups I participated in approached the scenarios with far greater depth. It was also pleasing to hear that conventional policy responses are held to be adaptable enough to address threats like those posed in the two scenarios we played.

Less encouraging was the lack of specific knowledge among many participants: at one point I found myself having to explain how Android patches can take months or years – if ever – to reach handsets. Once participants realised that even Google hasn't gone out of its way to create a secure ecosystem, brows furrowed as the security problem took on more dimensions.

RAND has conducted the game on the East and West coasts of the United States. Reports on those two games, plus the Australian edition, will soon be made available.

I'll make sure we bring them to your attention.

A final observation: If you get a chance to play this kind of game, jump at the chance for two reasons.

Firstly, you'll have a very stimulating few hours. Secondly, my experience at this game led me to believe that the challenges of online security just can't be solved by one group in isolation. You owe it to all of us to share your expertise. ®
