The much-anticipated launch of the 2016 Defence White Paper presented the Australian government with an opportunity to set out a clear understanding of how it views the current and future cyber threat environment. It was also a chance to answer questions about what kind of defence force and capabilities will be required to respond to such threats, and how much government is prepared to invest to make its vision a reality.
During Prime Minister Malcolm Turnbull’s opening remarks, he mentioned ‘cyber’ a number of times, stating that Australia faces the threat of ‘increased malicious cyber activity’, that as a nation Australia needs to be ‘more resilient in cyberspace’, and that the White Paper will ‘considerably strengthen our cyber capability’. Clearly ‘cyber’, as an area of defence capability, was viewed as an important focus point, and rightly so. Turnbull’s words are re-enforced by the White Paper itself:
‘The security environment of the future, both in peacetime and during armed conflict, will feature increased threats from offensive cyber and spacebased capabilities…State and non-state actors now have ready access to highly capable and technologically advanced tools to target others through internet-connected systems and we are seeing greater use of offensive cyber operations. This trend is likely to continue.’
The White Paper also highlights the fact that while major conflict is unlikely between the US and China, cyberspace is a ‘point of friction’. In fact, in the White Paper’s list of potential relationship flare points (p.43) between the geo-political heavyweights, cyberspace is only preceded by potential unrest in the South and East China Seas.
It was evident that malicious threats in cyberspace was a key theme in the launch and messaging of the White Paper. But is the rhetoric backed up with cash?
Overall, this White Paper is impressive, presenting a costed spending plan to fund the commitments made. A positive step is that ‘cyber security’ has its own dedicated spending line, with a commitment to spend $300–$400 million. At first glance, that sounds remarkable, but when you take into consideration that it’s extrapolated out over a 10 year period, the cash injection amounts to a mere $30–$40 million per annum. There will be money invested in future cyber threat and capability R&D from the $730 million larger pool of funds for threat research, but it’s not clear how much will be allocated to cyber research. Compared to other identified threat areas the cyber investment seems to be lacking.
There’s also a commitment to grow Defence’s cyber workforce, with 800 new jobs to be created for ‘enhancements to intelligence, space and cyber security capabilities’, and a further 900 ADF positions required to fulfil the same enhancements. However, those 900 positions will be spread across supporting ‘information requirements of the Joint Strike Fighter, surveillance aircraft and navy ships as well as supporting special forces and cyber security.’ 1,700 bodies across such a multitude of complex and important tasks will result in a thin spread.
We need to ask where these new human resources will come from. At present there’s already a shortage of qualified individuals to fill the broader cyber security skills gap in Australia—although hopefully the upcoming Cyber Security Review will have more to say on this topic in the near future. At today’s launch, the PM employed strong rhetoric about a ‘truly visionary White Paper’. But I’d suggest that it’s simply robust, rather than revolutionary. While there are positive moves to actually cost the commitments, the White Paper offers no significant changes to Defence’s cyber policy position from the 2009 White Paper and in some respects, actually says less on some key issues including the development of norms and the application of international law in cyberspace.
To have been ‘truly visionary’, or at least to keep pace with the defence policies of other advanced nations, the 2016 Defence White Paper would have to have engaged in a more holistic discussion across the spectrum of cyber capabilities. A cursory glance at the American, British, Chinese, French and Dutch defence-related strategies, for example, reveal a great deal more about how those nations deal with cyber both offensively and defensively.
When increased spending and developments in cyber capability are placed within a framework that is at once exceedingly clear, measured and explanatory, it lowers suspicion and the potential confrontation in cyberspace. It may also induce others within our region to develop their capabilities in a similarly restrained and transparent manner.
Unfortunately the language in the 2016 Defence White Paper hasn’t kept up with the pace of change in this area. Indeed, the White Paper tells us very little about how Australia considers military cyber capability as part of its broader state power or how Australia will fund, structure and posture its capabilities to deal with cyber threats.