Richard Addiscott is an information security consultant with BAE Systems Stratsec. The views expressed here are his own and do not represent the views of his employer.
What is cyber warfare and what could it mean to the Australian Defence Force? I hope the 2013 Defence White Paper will address both questions.
The concepts of network-centric warfare and information warfare have been embedded in military doctrine for a decade or more. Responding to cyber attacks was an ambition stated in the 2000 Defence White Paper. The 2007 Defence Update went further by calling for a focus on 'cyber warfare' to protect 'national networks (and) deny information'. The most recent Defence White Paper in 2009 also announced a 'major enhancement of Defence's cyber warfare capability...to maximise Australia's strategic capacity and reach in this field'.
Unfortunately, the definition of cyber warfare and what it entails for the ADF were never fully articulated in these White Papers. Yet without a definition for cyber warfare, it may be difficult to get the full national security benefit from investing in this capability.
As with any new initiative seeking funding, and particularly in light of current fiscal restraints, decision makers need to understand and agree on the benefits to be realised from an investment. And given the rate of technological change and the number of system vulnerabilities discovered every day, the ADF's cyber capabilities, defensive and offensive, will require dedicated and constant attention. This will be difficult to achieve and sustain if the ADF has not fully defined what it means by cyber warfare and how it will be used to serve Australia's interests.
There are several definitions of cyber warfare, one of which was provided earlier this year by Defence Signals Directorate's (DSD) Deputy Director of Cyber and Information Security Mike Burgess in a speech to the Old Crows Association. He defined cyber warfare as 'an act...intended to degrade, destroy or deny computer accesses and systems' and added 'a true act of cyber warfare would have to be potentially lethal, instrumental and political'.
Clarke and Knake's definition is also worth looking at: 'Actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.'
Information stored on computers has become a key national asset and an element of our national power. Our ability to create information, store it, secure it, analyse it and harness it to make decisions has to be a strategic objective for the ADF that transcends the traditional boundaries of strategic and national security.
The ADF's ability to respond to cyber security events has matured since the 2009 launch of DSD's Cyber Security Operations Centre, which is Australia's senior cyber security agency, tasked with identifying and responding to cyber threats of national importance. However, cyber security is just one of a quartet of capabilities required to conduct cyber warfare.
The first of these three other capabilities is the ability to conduct offensive cyber attacks or counter-attacks with the intention of damaging, disrupting or gaining unauthorised access to another state's civilian and/or military computer systems, information networks and critical infrastructure.
The second is to develop a strong cyber deterrence posture to discourage an enemy from attacking by denying them success or punishing them in kind. Thirdly, there are also the obvious strategic and national security benefits from being able to conduct all forms of strategic and day-to-day business operations even when under sustained cyber attack through steadfast cyber-resilience.
If the ADF decides it still wants to pursue its cyber warfare ambitions in light of its analysis of Australia's strategic environment, there are some challenges to overcome. The first is cyclical in nature. To achieve cyber-deterrence by denying an enemy success with their cyber attacks requires strong perimeter defences and a high degree of resilience.
Deterrence by punishing an enemy requires the ADF to make the enemy believe it can conduct retaliatory cyber-attacks that will cause similar or greater levels of return damage. If you subscribe to the notion that to spend your time focused solely on defending yourself in wartime means you'll likely lose the war, then cyber resilience must mean more than just being able to defend yourself to maintain the status quo. Effective cyber resilience means the ADF will have the ability to not only absorb an enemy's cyber-attacks and continue to operate critical systems, but also to have the ability to conduct offensive cyber attacks to reduce the number of attacks against critical ADF and Australian information systems.
A second challenge is the misalignment between the actions required of Defence in cyber warfare, principally by DSD, versus DSD's prescribed functions as codified in the Intelligence Services Act 2001. Depending on the interpretation of the law, this could leave non-uniformed DSD personnel subject to prosecution under Part 10.7 of the Crimes Act 1995 and/or Division 476 of the Cyber Crimes Act 2001.
The international principles of war apply only to uniformed personnel and not civilians, who make up a substantial portion of DSD's resources. This could make non-uniformed personnel targets for retaliation and liable for prosecution under international law. These legal complexities could hamper Defence's ability to recruit the personnel required to undertake cyber operations.
Defining a business case and developing doctrinal guidance for Australia's strategic cyber capabilities before the next White Paper is crucial. In an increasingly tight fiscal environment, it is very difficult to justify capability investment decisions regarding the financial, human and technological resources required for developing, sustaining and continually enhancing the ADF's cyber capabilities when you haven't yet defined what you need the money for.
Photo by Flickr user Pixelsior.