Australia's cyberwar defences 'badly lagging': ADFA

One of Australia's leading military scholars has called for a 'rapid catch-up' in the nation's cyber defence capability.
Written by Stilgherrian , Contributor

Imagine if Australia's banking and finance systems were suddenly shut down, just as happened in Estonia in 2007. Simultaneously, key communications satellites are destroyed, and our island nation's handful of key undersea fibre optic cables are cut.

Electricity grids are shut down too, like the US did in Yugoslavia in 1999. False data is inserted into some military systems, while others are disabled in an attack like the one against Saudi Aramco in 2012 that disabled 30,000 computers. More malware, apparently planted well in advance, causes further disruption, from opening floodgates on dams to interfering with logistics systems.

Nothing in that scenario is novel. Only the combination is new. It's just one potential scenario canvassed at an international conference on cybersecurity held in Canberra in November.

But even though such scenarios have been hypothesised for years, Australia is "badly lagging" in its preparation for such a medium intensity cyber-enabled war, according to a new report by Professor Greg Austin.

"As of 1 January 2016, Australia had not embraced the idea of 'information dominance' (largely a cyber space strategy), preferring a less enthusiastic embrace of the revolution in military affairs [RMA] by having a doctrine on 'information activities' shaped largely on the old-fashioned concept of political influencing through propaganda, psychological operations, or disinformation," Austin writes.

"Australia has also been reluctant to acknowledge the US doctrine of 'prompt global strike', a cyber-enabled military strategy."

Meanwhile, and to pick just one example, China is surging ahead.

"In September 2014, [Chinese President] Xi told the country it needed a new cyber military strategy. In December 2014, the government introduced new regulations for cybersecurity intended to help promote the rapid growth of China's domestic cybersecurity industry. In May 2015, the country issued a new Military Strategy in which the government declared for the first time in such a document the idea that 'Outer space and cyber space have become new commanding heights in strategic competition among all parties'," Austin writes.

China's vision to become a world leader in the science and technology base of cyber power is "staggeringly ambitious and complex".

"It sees China approaching the frontiers of science, economics, and social organisation in the sphere of information technology by mid-century," he writes.

As well as its permanent cyber forces, China is developing two levels of reserves. One is what might be called a normal reserve, consisting of relatively well-trained units. The other is far less-trained militia units.

"China is exceptionally well placed to develop the most powerful and best-organised cyber militias in the world. It does not now have such a strong capability but it has taken steps along this path," Austin writes.

"Countries like Australia with a small highly trained cyber work force in uniform can usefully learn from the Chinese conditions that could, in a ten to fifteen year time frame, create a unique and powerful cyber militia capability."

Austin's report, Australia Rearmed: Future Capabilities for Cyber-enabled Warfare, was released on Tuesday by the Australian Centre for Cyber Security (ACCS) at the Australian Defence Force Academy (ADFA), not to be confused with the government's cyber defence coordination organisation, the Australian Cyber Security Centre (ACSC).

Austin joins ACCS as it launches a new Master of Cyber Security, Strategy and Diplomacy program through UNSW Canberra at ADFA. His report serves as a solid, readable introduction to the course's themes.

There's a familiar form to strategic reports from those with military backgrounds -- and Austin's CV includes more than a decade in Australia's defence intelligence community, as well as various consulting stints since. Describe a series of scary future scenarios, point to our weaknesses, suggest some strategic solutions, and, optionally, pitch for money.

Indeed, Austin's report recommends that Australia builds a "much more visible community of interest around the concept of cyber-enabled warfare".

"An ideal location for such a centre might be the Australian Defence Force Academy, which might build off the foundations already in place at the Australian Centre for Cyber Security," he writes. Well, yes.

But coded in the normally diplomatic tone of such reports, Austin is scathing.

"Trends in the technologies of cyber attack and defence are moving in a direction that will present almost insurmountable challenges to the security of many small and middle powers." he writes.

"Australia will need to develop complex responsive systems of decision-making for medium intensity war that address multi-vector, multi-front and multi-theatre attacks in cyber space, including against civilian infrastructure and civilians involved in the war effort. Australia's defence forces need to maintain distinct capabilities for cyber warfare at the strategic level. The capabilities need to be unified in both policy and doctrinal terms in a way that lays a clear pathway for mobilisation of the country in very short time to fight a medium intensity, cyber-enabled hot war. This will require new technologies of decision-making that do not yet exist, even in most G20 countries."

Considering scenarios like the one that began this column "leads us to only one of three possible conclusions about Australian government policy," Austin writes.

"First, medium intensity cyber-enabled war outlined in such a scenario may be such a remote possibility that we need not plan for it. Or, second, we have not studied it sufficiently to know or to have developed a national consensus on what type of cyber-enabled war we are most likely to face."

Or third, Austin writes, we can't regard Australia's cyber military policy as mature until the government has done a rather large number of things:

  • Has had an open and candid conversation in public with key stakeholders about the sort of threat scenarios our armed forces and communities may face in a medium intensity cyber-enabled war
  • Has developed defence policies and armed forces, supported by the civil sector, that could perform credibly in those scenarios given reasonable warning time
  • Has articulated a diplomatic strategy to reduce the risks of such a war if it looks like emerging
  • Has articulated a civil defence strategy for the inevitable high impact disruption of our civil economy and communities in such a war
  • Has set in place policies for development of our industry base and work force that can support all of the above to the extent that our national economy permits and limitations of alliance support dictate.

The second or third conclusions are more logical, Austin writes: "I lean to the third, but am prepared to credit the second, subject to much deeper analysis by relevant agencies, scholars and think tanks."

It appears that Australia has a large number of what Donald Rumsfeld would have described as unknown unknowns.

Austin's conclusion is stark.

"The famous war correspondent H G Wells observed in the 1930s that as military technology becomes more advanced, it becomes controlled by an increasingly small number of countries. One thing is crystal clear. Australia will not make the necessary transitions for cyber-enabled warfare at all unless it makes a number of new policy commitments and substantial institutional transformations very soon."

Editorial standards