Australian businesses facing up to cyberwar need the right kinds of clouds

But Australian businesses 'aren't very far up the maturity ladder with this stuff yet', says network engineer Mark Newton.
Written by Stilgherrian, Contributor

"China as an economic and military actor in cyberspace is determined to look and feel very different in 20 years' time," wrote Professor Greg Austin -- and that could have implications for how Australian businesses organise and defend themselves.

Austin released his report, Australia Rearmed: Future Capabilities for Cyber-enabled Warfare, last week. On Wednesday, I summarised why Austin thinks Australia's defences against cyber-enabled warfare are badly lagging, and why we need a "rapid catch-up". In a second column, I argued that as a nation we're ill-equipped to face the challenge.

Fixing the nation's cyber defences is a job for government, of course. But I reckon one section of Austin's report, about China's rapidly-changing military doctrine, has implications for businesses too.

"Given China's past practices of clinging to outmoded patterns of national level command and control, including compartmented intelligence collection, it is all the more remarkable that it has in 2015 also committed to a countervailing doctrine that accepts the unique characteristic of cyber war called 'distributed warfare'," Austin wrote.

"The cyber environment places a premium on decapitation of superior level command authorities and even of basic communications systems in such a way that lower level combat units may need to fight without the benefit of continuous communications and intelligence feeds," he wrote.

"For China, recognition of this concept at the same time as it is moving towards centralisation [that is, into unified cross-service command structures along the lines of the US model] is all the more remarkable. It has been captured in a turn of phrase in the 2015 military strategy: 'You fight your way, I fight my way'."

My paraphrase of China's strategy would be this: You're totally dependent on all these live data links. So we'll train our forces to operate without those links, and then just knock them out.

Austin thinks it'll take five to 10 years for China to develop any meaningful capability like this.

"But when it does achieve such a capability, it will be at a scale that dwarfs that of smaller, less wealthy countries, such as Australia," he wrote.

It occurs to me that knocking out a nation's data communications would screw up any business that operates in the cloud -- but it isn't a simple issue. According to high-profile network engineer Mark Newton, it depends on the cloud in question.

"Some of them are routinely attacked by nation states, and are designed to withstand it. Locally-built bespoke infrastructure almost certainly will not be, because nobody in this country thinks big enough," Newton told ZDNet via email.

"I'd suggest that there are many threat models which can be countered by locating Australian data and applications outside Australia, because network capacity into Australia is expensive and contended, and hence eminently DoS-able. That obviously has tradeoffs in other aspects of privacy, security, and sovereignty."

One key problem is that a mere five fibre optic cables carry 99 percent of the traffic between Australia and the rest of the world. And as media scholar Nicole Starosielski from New York University explained last October, those links are surprisingly vulnerable.

An adversary could cut almost all of Australia's international communications with five two-person dive teams. Or with five "careless accidents" with boat anchors. Or by using the five poorly-chosen router passwords you captured previously. Or by setting fire to five buildings.

"I think people would be surprised to know that there are a little over 200 systems that carry all of the internet traffic across the ocean, and these are by and large concentrated in very few areas. The cables end up getting funnelled through these narrow pressure points all around the globe," Starosielski said.

As for satellite communications, well, there really aren't that many satellites to choose from either, and satellites are easy to destroy.

"And even when they're working perfectly, their capacity is a tiny drop in the ocean," Newton added.

It seems to me that an attack scenario like the "medium-intensity conflict" I described last week really wouldn't take that much effort.

Maybe businesses need to adopt the Chinese military strategy. Maybe they need to design their systems so they can operate even when the wide-area networks are down.

To keep operating during attacks on their infrastructure, businesses need a particular kind of operational resilience: Local caches of data for when the network is down; a mesh architecture that propagates data without requiring a central master copy -- a bit like BitTorrent, or Bitcoin's blockchain, but not really; and processes for rolling back transactions if it turns out they were based on out-of-date information.

"This is basically how cloud apps are supposed to be designed, yes, [but] Australian businesses aren't very far up the maturity ladder with this stuff yet," Newton told ZDNet.

"They've progressed from hosting their own servers in wiring closets, to hosting their own servers in colo datacentres, to running virtual servers in the same colo datacentres, to running virtual servers in cloud."

The problem is that businesses are still messing about with servers.

"Their adoption of cloud is basically a way of doing the same thing they did in their wiring closets, only bigger," Newton said.

"Public cloud infrastructure doesn't actually require you to operate like that. You don't need virtual servers with operating systems etc. You have RPC services which perform specific tasks, and you glue them together to provide facilities needed to run your business. That's what Amazon's and Google's platforms do," he said.

"So I think the operational resilience that's required is to move further up the maturity ladder: Get away from cuddling boxes, move to distributed applications. Because if your application is distributed, removal of a piece of infrastructure is a capacity reduction, doesn't have to be an outage."

That's a totally different way of structuring your business processes, of course, and a totally different way of structuring your data networks. That'll take time to fix.
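The resilience pattern the column sketches (local caches that keep accepting transactions while the links are down, peer-to-peer propagation with no master copy, and rollback of transactions that were made on out-of-date information), as an added Python example that is not from the article or from anyone quoted in it. The two sites, the inventory figures and the replay-in-id-order rule are constructed assumptions; a production system would order by a logical clock rather than by id.

```python
from collections import namedtuple
Txn = namedtuple("Txn", "txn_id site item qty based_on")  # one reservation, tagged with the stock the site believed it had

class Site:
    """One office: a local cache plus a log of every reservation it has seen."""
    def __init__(self, name, baseline):
        self.name = name
        self.baseline = dict(baseline)  # stock agreed at the last successful sync
        self.stock = dict(baseline)     # local cache, updated optimistically
        self.log = []
        self.online = True
    def reserve(self, txn_id, item, qty):
        """Accept a reservation against the local cache, whether the WAN is up or not."""
        believed = self.stock.get(item, 0)
        if qty > believed:
            return False
        self.stock[item] = believed - qty
        self.log.append(Txn(txn_id, self.name, item, qty, believed))
        return True

def gossip(a, b):
    """Mesh propagation: two peers merge logs directly; no master copy involved."""
    if not (a.online and b.online):
        return False
    merged = {t.txn_id: t for t in a.log + b.log}
    # Assumed ordering rule: sort by id so every peer replays the same sequence.
    a.log = b.log = sorted(merged.values(), key=lambda t: t.txn_id)
    return True

def reconcile(site):
    """Replay the merged log on the baseline; roll back orders that oversold stock."""
    stock, rolled_back = dict(site.baseline), []
    for t in site.log:
        if t.qty <= stock.get(t.item, 0):
            stock[t.item] -= t.qty
        else:
            rolled_back.append(t.txn_id)  # accepted on out-of-date information
    site.stock = stock
    return rolled_back

def run_scenario():
    syd, mel = Site("sydney", {"widget": 10}), Site("melbourne", {"widget": 10})
    syd.online = mel.online = False   # international links cut
    syd.reserve("t1", "widget", 6)    # each site keeps trading on its own cache
    mel.reserve("t2", "widget", 7)
    mel.reserve("t3", "widget", 2)
    syd.online = mel.online = True    # links restored
    gossip(syd, mel)
    return reconcile(syd), reconcile(mel), syd.stock, mel.stock
```

Both sites converge on the same stock figure and the same rolled-back order without either of them being the master, which is the property that turns a severed link into a capacity reduction rather than an outage.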

The good news is that if Austin's right, you've five to 10 years to get it sorted.
