Minister for Defence Kevin Andrews recently gave a preview of what the cyber security community can expect from the forthcoming Defence White Paper during a speech in Canberra.
It seems that the next White Paper will continue the evolution of cyber policy settings outlined in the 2009 and 2013 White Papers. Reading between the lines of the speech, Defence’s principle cyber tasks are to: secure the information required for conventional capability and operations; continue ASD’s work within the Australian Cyber Security Centre; and support the rest of Government’s cyber security and international cyber policy efforts.
The first two tasks are clear directives, while the third is slightly vague, but they don’t deviate from what was seen in 2013.
Perhaps of greatest interest is that much needed new money for cyber capabilities appears to be on the cards, with Andrew’s saying, ‘the Government will substantially enhance Defence’s cyber capabilities, as well as invest in other enablers of the joint force.’ While encouraging, this investment would be futile without a carefully thought-out plan to recruit and retain cyber security professionals, but the Minister has assured that this too will be outlined in the White Paper. Separately, Army’s Head of Modernisation and Strategic Policy, Major General Fergus McLachlan, said that Defence would have to consider dramatically different recruitment standards to attract the necessary cyber security professionals, similar to the approach by the UK.
The categorisation of cyber capability as an ‘enabler of joint operations’, analogous to intelligence and surveillance capabilities, provides an interesting insight into Defence’s thinking on the role of cyber capability in military operations. While much has been said about the role of offensive cyber capabilities in future warfare, Defence has rightly recognised that conventional military capability and operations are at serious risk from cyber opponents if there isn’t a focus on securing the information systems that provide modern militaries the multiplying effect of rapid information collection and sharing.
Andrew’s comments on Defence’s support for the development of a rules-based order and peacetime norms for cyberspace are noteworthy considering the visible absence of Defence from DFAT’s work in this field, including the Global Conference on Cyberspace and ASEAN Regional Forum cyber security initiatives. One way that Defence could contribute to the international cyber policy debate might be to declare Government’s views on the use of offensive cyber capabilities.
Details of cyber capability are necessarily sensitive, and despite some media conjecture, the Australian Government has refused to comment on speculation that Australia has any such capability. Regardless of the existence or otherwise of such capability, a declaration similar to that of the US, that Australia may consider using such capability, but only in accordance with existing international law (principally the Law of Armed Conflict (LOAC) and national rules of engagement) would be a significant contribution by Defence to Australia’s pursuit of a rules-based approach to cyber space.
While Andrews’ speech gives a good indication of where Defence and Government thinking on cyber security will take the next White Paper, there are no big surprises here. It’s more of the same, if only with some greater clarity about Government’s expectations of Defence in cyber security and policy. This implies that Defence’s analysis of its cyber structures has concluded that it has it pretty much right. If, Andrews’ assessment—that malicious cyber activity is likely to be the most persistent transnational security threat faced by Australia—is accurate, let’s hope this is true.