GovHack: a lesson in optimism

elevenM Senior Consultant and Victorian State Director of GovHack, Jordan Wilson-Otto explains why it’s important to maintain a sense of optimism about the future of technology and society.


It’s judging time for GovHack, the largest open data hackathon in the southern hemisphere. Looking through this year’s submissions, I’ve been thinking about how GovHack’s mission of optimism, civic engagement and empowerment presents a partial answer to the hard questions we raised in our recent post about parenting, privacy and the future.

When we talk about technology, it’s easy to focus on the things that can go wrong. Few things in this world don’t have secondary effects, and we need to think about the implications of the systems that we are building and using so that we can harness their benefits while anticipating and mitigating their downsides.

Undue focus on benefits can lead to bad outcomes, but undue focus on harms can lead to bad outcomes too. If we can’t imagine a more equitable, sustainable or humane world, or a world where technology has made life better and not worse, then there can be no progress. The best we can hope for is stasis, or perhaps the return to some imagined golden age.

But optimism is hard. Almost all the modern narratives about technology are dystopian. Automation is coming for our jobs, algorithmic bias is perpetuating inequalities and killer robots are just around the corner. Meanwhile surveillance capitalism leads to our every online move being tracked, while spy agencies look on and hackers and trolls wait in the wings ready to pounce. And we’re powerless to respond, disabled by an increasingly polarised and dysfunctional political discourse, powered by social media.

So the solution falls to the individual – we’re taught to fear and protect ourselves from technology. We need to watch out for scams, not reuse passwords, be careful what we download or where we browse, and not click links in emails. We’re supposed to read privacy policies, scrutinise permissions, install add blockers, delete cookies and somehow keep track of the changing data practices of the thousand different apps and online services that we use.  We need to look out for trolls, and be alert to the threats of cyber bullying, online harassment and other forms of online abuse.

I think we owe it to ourselves to inject a bit of optimism every once in a while. It’s not all that important how we do it. Maybe read some utopian science fiction, watch some Star Trek, or just consider how far we’ve already come as a species. For me, this is where GovHack comes in – it’s a perfect lesson in optimism. An annual refresher on civics and the power of community, and a reminder that the shape of our technology and our world is not a given, and that technology is just a set of tools that we can build and apply as we need, to the problems we choose.

GovHack is a free, weekend-long creative competition that takes place across Australia and New Zealand. It’s a ‘festival of ideas, using open government data to make our communities better places’. Competitors have 46 hours to make something cool with open government data.  What people make is really up to them. It could be an app, some kind of informative visualisation, a prototype gadget, a game, a story, an artistic display or anything else they can think of.

Projects vary from the whimsical to the deeply practical, and from simple to highly technical. You can see some of this year’s projects here, but some highlights include:

  • Are you really going to drive tomorrow?’, which uses AI to predict days when a user’s commute is likely to be particularly congested, and prompts the user in advance to consider other options.
  • Ripple effect’, an interactive story about everyday encounters that shows users how simple choices that you wouldn’t associate with water, affect the supply and distribution of water.
  • Once upon a crime’, a song about Australian convicts and their history, which draws on multiple data sources about Australian convicts.
  • Insight without sight’ sought to make open data more accessible for visually impaired people by providing a way of using sound to convey data in a graph, combined with a new way to access open government data through a voice command interface with Queensland’s Open API.

Sometimes projects go on to be successful start-ups, or lead to lasting improvements or new and better ways of doing things in government. But for the most part, GovHack projects don’t last beyond the weekend. And that’s ok – in fact, that’s kind of the point.  You’re not going to fix the world with a song and a story. We know this. The problems we face are real and will require both expertise and sustained commitment to solve, if they can be solved at all. But songs and stories are so nice. And they represent a willingness to engage with data, with government, and with the rest of our community to think about the world we live in. A willingness to play with ideas and try to imagine something new.

That idea of ‘play’ is important here too – paradoxically, it can be the license not to solve the world’s problems that gives us the creative freedom that we will need to solve the world’s problems.

So, in working on the big problems, let’s not limit ourselves to avoiding harms. Let’s take a lesson from GovHack on the value of play and all things surprising and tangential. Let’s remember that our current technologies and ways of thinking are just one way of doing things – the right solutions might be just around the corner, if only we give ourselves license to get there.

The unfairness of cyber awareness

elevenM Principal Arjun Ramachandran explores why cyber awareness matters, despite the prevalence of seemingly unstoppable sophisticated cyber-attacks.



“Deserve got nuthin’ to do with it. It’s his time, that’s all.”
– Snoop, The Wire.

We want to believe our behaviours solely determine the outcomes we get. But it’s not always the case, especially in the complex cyber realm.

The brilliant US drama The Wire made an artform of summing up life’s hard truths in pithy one-liners, delivered in the language of the street. In Season 5, drug gang member Snoop is asked by a junior gang member whether a target really “deserves” to be “hit”. Her response (above) lays bare the unfairness at the heart of the adversarial drug war.

Cyber security too, ain’t always fair. The existence of a committed, human adversary is a significant and differentiating feature of cyber risk that those of us involved in the field should keep in mind.

Especially in the areas of security training and education. We often seek inspiration from areas like public health, where highly-acclaimed campaigns have raised awareness of the risks of smoking and sun cancer, driving down public exposure to these activities and vastly reducing the incidence of bad outcomes.

But these areas don’t have a human adversary. In cyber, for all of our awareness and reduction of risky behaviours, it remains the case that a determined, highly-sophisticated attacker could still get at a company’s crown jewels by persistently probing for small areas or moments of weakness.

The attack on the Australian National University is a shining example, recently and evocatively labelled a “diamond heist” by its vice-chancellor, rather than a “smash and grab”.

“It was an extremely sophisticated operation, most likely carried out by a team of between five to 15 people working around the clock”. – ANU vice-chancellor Brian Schmidt

While it may be true that a well-educated and aware workforce might not “deserve” to get hacked, Snoop’s street wisdom and the ANU hack suggest that increasing the awareness of end users may still not be enough to prevent the most sophisticated attacks, such as those by highly-skilled state-sponsored attackers.

And awareness on its own stands to be defeated. The UK’s National Cyber Security Centre points out that people-focused activities such as education must come with technical controls, as part of a multi-layered approach. That’s a sentiment recently echoed by the Australian Government.

“But like all other forms of security, awareness is a complement to, not replacement for, the availability of secure features. For example, drivers are provided with a seat belt in addition to education about the importance of road safety and incentives to use the seat belt. And the same expectations and requirements we have where safety is paramount should apply in cyberspace” – Australia’s 2020 Cyber Security Strategy – A call for views

But we also can’t throw the baby out with the bath water.

In our travels, we occasionally come across a certain bluntness or defeatism about cyber awareness. Because of the success of and attention given to state-sponsored attacks, education and awareness is labelled “ineffective”, technical controls are deemed all that matter.

In our view this is a severe over-correction.

It pays to remember that there exists a broad swathe of attackers – not every attacker coming for a small business (or even an enterprise) is bankrolled by a rogue state and has access to an arsenal of zero-day exploits.  

In fact, many are commercially-motivated cybercriminals of varying levels of ability, plying their trade using commodity tools purchased off underground marketplaces. They can be as sensitive to cost pressures as the CEO of a cash-poor business. Anything that makes it harder (ie costlier) to achieve their goals may be enough to deter these actors to move on to another easier, more cost-effective target.

One of the ways we help businesses do this – such as through our recently developed learning packages – is by raising employees’ awareness to the risks and also providing actionable advice on how they can make the average cyber attacker’s life that little bit more frustrating. Maybe a stronger password, or a healthier skepticism to dubious emails will do the trick.

While technical controls might overtake end-user awareness as the best response to a specific cyber threat (eg. some now argue multi-factor authentication should be prioritised as a response to phishing), when that happens an effective awareness program can re-deploy the fruitful conversation it has established with staff to the next evolving area of risk (for eg. how staff use cloud services).

In this way, over the long term awareness activities also continually embed a sense of responsibility and ownership in a workforce, acting as a precursor to and an enabler of a secure culture.