Australia has a challenge of scaling defence capabilities for large cyber attacks

Major General Marcus Thompson says Australia's ability to scale its defence capabilities when it comes to the crunch is what keeps him up at night.
Written by Asha Barbaschow, Contributor

Australian Defence Force (ADF) Head of Information Warfare Major General Marcus Thompson is concerned that while the nation has "good" defence capabilities, those capabilities might not be able to scale if Australia was faced with a large-scale attack in a cyber realm.

Speaking at the Cyber Storm international conference at the University of New South Wales (UNSW) Canberra Australian Defence Force Academy (ADFA) on Monday, Thompson said it's what keeps him up at night.

"If we accept that the opening salvos of the next big fight will play out in cyber space, if they're not already, it's that capacity of the Australian government to respond ... we know we've got good capabilities, but when it comes to scale, I'm a bit worried," he said.

Painting a picture of a table of ministers and agency and departmental heads, Thompson said that after the Prime Minister has probed the Director General of the Australian Signals Directorate on what to do, the next person he believes the Prime Minister will turn to is the chief of the nation's defence force.

"Sure we've got capabilities here, but it is not an environment that someone can parachute into," he said.

Thompson discussed the ADF's approach to "cyber" and how it tries to ensure readiness, labelling the word itself a "frequently used, poorly understood non-word".

"When I would use that word ... I reckon 99 people out of 100, in their head, would go directly to offence. When in fact it's the defence of our networks and mission systems that is not only our most pressing priority, it's the greatest challenge -- and the more expensive challenge," he said.

As a result, ADF developed a conceptual framework for ADF cyberspace operations, centred on self-defence, passive defence, active defence, and then offence.

"Three of the four include the word 'defence' -- we're trying to drag people away from thinking about offence all the time," he explained.

He shared an example of an exercise that was conducted in 2016 alongside Blue Force, a major field training operation that was held in South Australia, involving around 4,000 people.

As part of the exercise, ADF set up a social media monitoring team in south-east Queensland made up of 12 individuals: five electronic warfare cyber operators, five intelligence analysts, and two lawyers.

It tested the weakest cybersecurity link in any organisation -- a human.

"You would think that in an organisation like the ADF where secrecy comes natural to us that we'd have that sorted," he said.

"[But] that team of 12 people took less than 48 hours to completely unpack the Blue Force unit nomenclature, unit locations through geo-locations that they were posting through social media, and in some cases, unit intent. And they did that using only open source tools."

Their rules of engagement prevented them from getting past any passwords, Thompson said, and their monitoring ceased the instant it reached beyond the ADF member to their family or friends.

Thompson said the team generated 671 individual intelligence files that led directly to actionable, targetable intelligence. Of those, 100 resulted in interviews with personnel.

Another similar exercise was conducted a year later.

"There was a noticeable improvement, however, an individual still posted to social media [of] a geotagged image from the inside of a command centre," he added.

Thompson also posed the question of how much of Australia's critical infrastructure the government should be responsible for.

"How do we defend civilian infrastructure we don't control? That makes Telstra, Optus, Vodafone the operating environment; makes the banks, other financial institutions, utilities companies, targets," he asked. "How do we determine what infrastructure will be the government's responsibility to defend?"

At the same time that Thompson gave his address, 5 kilometres away, Prime Minister Scott Morrison disclosed that the nation's political parties were also hit in an online attack earlier this month that had forced a password reset of all Australian Parliament House network users, including politicians and all of their staffers.

Regarding the online attack, Morrison said the networks of the Liberals, Labor, and Nationals were affected, but that the nation's security agencies were securing those systems, and that there was no evidence of electoral interference.

"The Australian government will continue to take a proactive and coordinated approach to protecting Australia's sovereignty, our economy, and our national security," Morrison said. "Our political system and our democracy remains strong, vibrant and is protected.

"The government has chosen to be transparent about these matters. This is in itself an expression of faith by our government in our democratic system and our determination to defend it."