In December 2016, RAND and the National Security College at The Australian National University partnered to facilitate a cyber security–focused 360o Discovery Exercise in Canberra. The exercise used plausible scenarios to explore the challenges Australia faces in securing cyberspace by placing pressure on government authorities, industry capabilities, users’ tolerance for malicious cyber activity, and the ability to develop interdisciplinary solutions to pressing cyber security challenges. The scenarios considered the security of the Internet of Things and intellectual property theft against a backdrop of evolving international norms of behaviour in cyberspace. This was the third in a series of cyber security exercises developed by RAND. The two prior exercises were conducted in the United States—in Washington, D.C., and at the University of California, Berkeley, near Silicon Valley.1 Like these prior events, the Australian exercise provided a rich set of observations and options to strengthen cyber security and enforcement while protecting the benefits afforded by a free and open Internet. However, the solutions proposed by exercise participants and discussed in this report need further development. For example, the solutions do not yet assign clear roles and responsibilities, may require new authorities for government agencies, and have not been subject to a detailed analysis of their effects and challenges to implementation. Participants represented the public and private sectors, academia and think tanks, industry associations, and the media. The exercise was conducted under the Chatham House Rule, allowing us to quote participants without attributing quotes to individuals or their organisations. The exercise provided specific insights for Australian cyber security policy—specifically, how to build on Australia’s C O R P O R A T I O N