While the PM has heralded the 2016 Defence White Paper as visionary, its treatment of cyber policy is stuck in first gear. As noted by Tobias Feakin last week, DWP 2016 has provided more money and manpower for Australia’s cybersecurity efforts, but lacks a sophisticated policy position on cybersecurity posture, capability and resilience.
The DWP establishes two broad roles for Defence regarding cybersecurity. The first is to protect its own networks, and the second is to contribute to the broader whole of government cybersecurity effort, principally through the multi-agency Australian Cyber Security Centre (ACSC). The DWP proposes to achieve those two goals through investment in a larger workforce, enhanced cybersecurity capability, increased training and R&D. However, this policy is almost a carbon copy of the positions put forward in 2009 and again in 2013.
Casting back to the 2000 White Paper (yes, cyberspace existed back then), the central notions of Defence’s cyber policy were being formed. The 2000 White Paper noted that ‘information technology is transforming the way that armed forces operate’ and included ‘ensuring these systems are managed effectively, (and) secure against information warfare attack’ as a capability goal. By 2009, the White Paper noted that ‘the potential impacts of such (cyber) attacks have grown with Defence’s increasing reliance on networked operations’. In 2013, it was reworded to say ‘The potential impact of malicious cyber activity has grown with Defence’s increasing reliance on networked operations’. In 2016, that assessment remains: ‘Cyber attacks are a direct threat to the ADF’s warfighting ability given its reliance on information networks’.
Successive White Papers have also used similar language to reference Defence’s contribution to whole of government cyber security efforts. In 2009, the establishment of the Cyber Security Operations Centre was announced, with the caveat that ‘While this capability will reside within Defence…it will be purpose designed to serve broader national security goals’. In 2013, the creation of the ACSC, where Defence would play the ‘principal’ role, was highlighted as a major element of Defence’s cybersecurity posture. In 2016, Defence will continue to contribute to ‘the Government’s enhanced national cyber security efforts’—an area in which it makes a ‘critical contribution to (Australia’s) whole of government cyber security efforts’.
DWP 2016’s language on the treatment of cyber threats focuses on Defence and the Government’s work to ‘enhance’ and/or ‘strengthen’ cyber security capability. The DWP says that ‘The Government will strengthen Defence’s cyber capabilities to protect itself’. In 2013, Defence planned to ‘invest in technology and analytical capability to ensure our situational awareness and response capability remains ahead of the threat’. In 2009, the White Paper also stated that ‘The Government has decided to invest in a major enhancement of Defence’s cyber warfare capacity’.
A big part of the enhancement to Defence’s cyber capability is supposed to come from ‘increasing’ the R&D focus from the Defence Science and Technology Group (DSTG). In 2016, ‘Government will establish a research and development capability to help strengthen the defences of the ADF’s military information systems against attack’. DSTG’s Cyber and Electronic Warfare Division may be surprised to hear about this new cyber R&D capability since they have been responsible for Defence’s cyber-related R&D work for a number of years now. In 2009, the then–DSTO planned to ‘increase its investigation and application of key enabling technologies…such as cyber warfare and computer security’. In 2013 also, DSTO was going to ‘bolster’ its cyber research in line with the 2013 National Security Strategy.
DWP 2016 has omitted the statement from 2013 on Australia’s position on international law and norms regarding cyberspace. That’s an important piece of the broader cyberspace conflict prevention and confidence building agenda in which Australia plays a leading role in our region. This agenda was important enough for the PM to mention in Washington, and its omission is surely a missed opportunity to promote it in Defence’s principal statement of policy.
Also missing is a strong concept of cyber resilience. Resilience is frequently mentioned in the DWP, but unfortunately it’s used only once in connection with cybersecurity. This is despite the concept of resilience’s emerging centrality to advanced cyber policy positions, such as the US Department of Defense’s Cyber Strategy. The DWP significantly fails to mention that a resilient military not only has the capability to protect itself in cyberspace, but also must be ready to operate effectively in a contested environment where access to cyberspace isn’t possible or trusted. The ability to operate without access to critical command and control networks now and in the future will mark the difference between advanced and less capable militaries and states. That’s a significant oversight, and a further marker of the lack of sophisticated thinking in DWP 2016 on cybersecurity policy.