Australia and Australians are targets for malicious actors—including serious and organised criminal syndicates and foreign adversaries—who are all using cyberspace to further their aims and attack our interests – The Hon Malcolm Turnbull MP, Prime Minister, April 2016
‘the ADF is likely to be blind to the operational vulnerabilities of their major complex systems and platforms to cyber attack’ – Keith Joiner, January 2016
Operations in the cyber domain present both a threat and an opportunity to the ADF, with many warning of our vulnerability to this emerging threat. This post argues that the development of Army’s cyber defences should be built on the fundamentals of physical security – potentially including the ability to respond when required – as well as resilience to the loss or degradation of networks. It is written to discuss the nature of contemporary cyber operations and contribute to ADF debate on the subject.
The launch of the government’s Cyber Security Strategy on 21 April noted the very real, persistent and evolving cyber threat to Australia and the ADF. It also noted for the first time that ‘Australia’s defensive and offensive cyber capabilities enable us to deter and respond to the threat of cyber attack’ (emphasis added). While the Strategy did not state whether both these capabilities are possessed by the ADF, they should be. The capacity to operate across the full spectrum of cyberspace operations – that is from security and defensive actions through to conducting offensive cyber operations – is critical to the defence of military systems. Such a capability is necessary to move from a ‘Maginot line’ mentality of defending a perimeter towards a more robust defence in depth approach that accepts that cyberspace is a contested domain. Possession of these capabilities at the tactical level would complement the efforts of strategic government organisations.
The latest US joint cyberspace doctrine (JP3-12 Cyberspace Operations, an unclassified document and the basis for developing Australian doctrine) makes this clear by defining cyberspace operations as ‘the integrated and synchronized employment of offensive, defensive, and [ICT security] operations, underpinned by effective and timely operational preparation of the environment’. Effective operational preparation of the environment might include reconnaissance and assessment of adversary networks, actions which can be considered as offensive in nature. Therefore any cyber security capability that does not consider the full spectrum of operations is incomplete by definition.
That the enemy gets a vote means that we need to adopt the same approach as for operations in the physical domains – one where we accept some battle damage and casualties in order to achieve the mission. This requires moving from an ‘Information Assurance’ approach that tries to ensure all networks and data are secure towards ‘Mission Assurance’, that is ensuring an organisation’s mission capability in response to any loss or degradation of cyber capabilities. In other words we must prepare to fight in a disrupted and degraded information environment, and accept that we cannot always prevent attacks on our networks. Known and likely penetrations may need to be tolerated in order to maintain information systems necessary to complete a mission, and cyber operations assets will be scarce. We must also understand the threat, our own strengths and weaknesses, and how we can effectively defend against it.
In this way the cyber threat might be considered analogous to the air threat to land forces. Operational planners generally assume that achieving air superiority is difficult and that a situation of air parity is far more likely. Thus the enemy may be able to strike anywhere at any time, but certain attack profiles or targets are generally the most likely. Every force element is responsible for reducing the threat through passive and active measures like maintaining operational security, camouflage, emissions discipline, all arms air defence and the like. Ground Based Air Defence assets are scarce and must be used to protect the main effort, command nodes or high value targets. Generally the best weapon to kill an aircraft is another aircraft. The cyber domain could be viewed in the same manner: cyber parity is likely, defence in depth across all networks is essential, specialised defensive cyber teams will be scarce and the best defence might be a good offence – or at least the ability to respond in kind when required. All of these approaches should focus on ensuring the mission is achieved despite the threat.
While developing a full-spectrum cyberspace capability is desirable, these assets would be scarce, valuable and only employed to further the achievement of the mission. The conventions and norms of cyber operations are still developing, and while the ADF might develop an offensive capability it should be careful in employing it. Again the US doctrine provides a useful and cautious perspective, warning that offensive cyber operations require “careful consideration of projected effects…appropriate consideration of nonmilitary factors such as foreign policy implications”. As such, any response operations should be coordinated at the highest levels and only be employed to further the campaign objectives. That would not place them beyond the realm of tactical commanders; rather, they could be employed using the same targeting cycle and directives routinely used for Offensive Support. Time-sensitive targets exist in cyberspace just as much as they do in the physical domain. Given all this, there is no reason why our cyber forces should not be jointly developed, trained and employed.
Cyberspace is a contested and potentially dangerous battlespace in which the methods are new but the principles of defence are not. The ADF should build on sound security principles by aiming for Mission Assurance rather than trying to be strong everywhere. This approach requires sound education and training that emphasises defence in depth, a capacity to respond in kind, and ensuring network resilience – our forces’ ability to operate with disrupted networks for limited periods of time. The continued development of specialised cyber operations capabilities is vital, but the ADF must not fall into the trap of thinking that they are all that is required to meet the growing threat.
About the author
David Cave is a Royal Australian Engineer officer currently attending the Advanced Command and Staff Course in the United Kingdom.
Disclaimer
Grounded Curiosity is a platform to spark debate, focused on junior commanders. The views expressed do not reflect any official position or that of any of the author’s employers.