The 2013 Defence White Paper marks a distinct progression in how cyber issues are dealt with by the Australian Government. Evident is an attempt to de-militarise the issue through a change in the language used, and the emphasis on a whole-of-government approach. But words are one thing, and the proof will be in the results they deliver. There’ll be a great deal of work ahead to ensure cooperation between departments, create productive mechanisms for the private sector to play their part and provide sufficient finance to produce results.
The 2013 National Security Strategy, which was intended to underpin Australia’s thinking on how it views the strategic outlook for the nation, places cyber at the heart of its security concerns, making ‘integrated cyber policy and operations’ one of its key five year priorities. This has strongly flavoured the 2013 Defence White Paper, most notably by bringing about a change in the titles of the Defence Signals Directorate and the Defence Imagery and Geospatial Organisation. Quite simply, both organisations have had ‘Defence’ removed and replaced with ‘Australian’. DSD always had to wear two hats, one which was as an element of defence capability (including intelligence support to the forces as well as offensive capability), and the other as a national agency that provides technical support to a wide range of government constituents (primarily in a defensive cyber security capability). The name change change seems a small one, but it’s intended to demonstrate a change in organisational mindset, from a defence led approach to a recognition of cyber as a whole-of-government approach.
The language used in the paper to describe cyber further reinforces the broader approach and has notably been ‘demilitarised’. In the 2009 White Paper, the term ‘cyber warfare’ was used fifteen times, in the 2013 version it’s non-existent. This more nuanced language softens the blow of cyber activities at a time when the international dialogue is becoming ever more heated over the malicious use of cyber space. There’s an acknowledgement in the White Paper that, as much as Australia is advantaged by its cyber capability and that of its allies, it is also disadvantaged in the building of international strategic partnerships. Reading between the lines, this would appear to refer to burgeoning economic and strategic relationships that Australia has across the region, with partners who chose to exploit cyber space to gain advantage over us (read ‘China’), and thus represents a less confrontational approach that the 2009 effort.
The Australian Cyber Security Centre, (essentially the Cyber Security Operations Centre (CSOC) rebranded) is again mentioned, as it was at the launch of the NSS in January. Yet there’s still insufficient detail, especially where finance is concerned as no additional funding has been promised. However, on the governance question there’s been progress—a Board led by the Secretary of the Attorney-General’s Department will report to the National Security Committee of Cabinet. But with Defence playing the lead role in the operation of the centre, it’ll be interesting to see how closely the relationship between the operators and overlords of the centre develops.
One ingredient lacking from the cyber section of the White Paper is a fuller description of what role the private sector will play in developing Australia’s approach to cyber. They are, after all, the key stakeholders in terms of ownership of the IT infrastructure, intellectual property and many of the skills required to enable true cyber resilience. They are referenced as being ‘participants’ in the cyber centre, but are the mechanisms for engagement defined? That’s doubtful, and rather than just being participants, they should be fully included to drive the understanding and responses to cyber forward.
A key line in the paper states that ‘the net effect on Australia’s position will depend on how well we exploit cyber power’, which is an interesting addition to the Government’s vocabulary in official documentation as it neatly describes both the need for offensive and defensive capability. The definition of Joseph Nye of this term is applicable:
… cyber power is the ability to obtain preferred outcomes through the use of the electronically interconnected resources of the cyber domain… Cyber power can be used to produce preferred outcomes within cyberspace or it can use cyber instruments to produce preferred outcomes in other domains outside cyberspace.
There’s no doubt that Australia’s strategic position in the region in the evolving 21st century will require a carefully sculpted use of cyber power, one which advantages Australia but doesn’t antagonise other nations and damage international relationships.
The Defence White Paper marks an interesting evolution in the Government’s approach to cyber, especially in the vocabulary being used, but there’s still some real work to do to get all the actors involved to pull in the same direction in order to harness the full potential of Australia’s cyber power.