
Cyber security and the Defence Strategic Review: What does this mean for the ADF?

Major General (Ret’d) Dr Marcus Thompson recently sat down with our own Phil Tarrant for a comprehensive first look into the government’s recently released Defence Strategic Review 2023 document.

David Hollingworth
Wed, 26 Apr 2023

It’s a weighty read at over 110 pages, but it is an important and foundational document outlining what Australia’s future warfighting capabilities will look like. It focuses a lot on the acquisition of new technologies, from nuclear submarines via the AUKUS arrangements, to acquiring long-range guided missile capability.

It also takes a look at what can be done to improve the Australian Defence Force’s cyber capabilities, and while that is only covered on a single page, the two recommendations made by the review come with a lot of questions.

The recommendations are that:

  • A comprehensive framework should be developed for managing operations in the cyber domain that is consistent with the other domains.
  • Defence’s cyber domain capabilities should be strengthened to deliver the required breadth of capability with appropriate responsiveness to support ADF operations.

Here are some of MAJGEN (Ret’d) Dr Thompson’s key observations on these recommendations and what they mean for the ADF and its warfighting capabilities.

Understanding the DSR: Classified v unclassified material

An immediate observation I’d make is that this is the unclassified version of the Defence Strategic Review. Those two recommendations pertaining to cyber could be literally anything, and I’m absolutely confident that those two recommendations are an aggregation of additional recommendations and points and commentary that, for no doubt all the right reasons, decisions have been made not to publish them into the public domain.

Why normalising cyber as a warfighting domain matters

I was delighted to hear the Deputy Prime Minister talking about cyber as a domain of warfare, to be considered in the same vein as the traditional warfighting domains of land, sea, and air. And now, of course, cyber space and space are also considered warfighting domains.

So to hear our Defence Minister talking in those terms was really quite encouraging.

Now, that first recommendation that a “comprehensive framework should be developed for managing operations in the cyber domain that is consistent with the other domains”, well, what we’re talking about is normalising cyber as a warfighting domain — cyber is all-pervasive.

It’s not just about the investment in REDSPICE, which is the investment in the Australian Signals Directorate — the Navy, the Army and the Air Force also need cyber capabilities. There’s all this reference to investment in this document — they’re thinking about contemporary fast jets, thinking about submarines, they’re thinking about contemporary, major fleet units. Combat vehicles that in this day and age are all digital platforms, and so, therefore, potentially vulnerable in cyber space, so they need to be defended.

There’s also an aspect here of the ADF having offensive capability that can be used in military theatres, because we’re now talking about potentially great power competition. The underlying theme here, of moving sort of beyond militarily inferior adversaries, or potentially inferior adversaries, and into something potentially much bigger, it is fair to assume that the adversary is probably using digital combat platforms as well. So let’s have a crack at that and see if we can generate an advantage for our combat forces.

On the formation of a cyber warfare arm of the ADF

I don’t see a cyber service or anything like that happening in the immediate term.

What’s fascinating for me is just how quickly space has overtaken cyber as a priority here, and space is specifically addressed in the DSR. Space Command, which was formed just a couple of years ago, moved into the Joint Capabilities Group, and I think that’s a good thing. Before the formation of Space Command, I had a branch within the Information Warfare Division that was responsible for the development of our space-based capabilities; that was moved out of Joint Capabilities Group into Air Force in 2021, so this is obviously moving those capabilities and that capability management responsibility back into Joint Capabilities Group, which I think is the right place for it.

I think space is now an example of what can actually be achieved from a military perspective.

Behind the scenes of this unclassified version of the DSR

It’s clear to me from reading through this unclassified document that there are still debates occurring internally about where do the governance responsibilities lie, because when it comes to cyber, there are references to the Australian Defence Force, there are references to the Australian Signals Directorate, and there are references to the chief information officer group, as well.

So there’s clearly a lot more water to go under the bridge if the objective that is stated here is to be achieved, which is: “integrating the defence and management of Defence’s C4 networks and architectures; delivering a coherent and, where possible, centralised cyber domain capability development and management function; and building and sustaining a trained Defence cyber workforce”.

When you talk about building and sustaining a workforce, sure, the Australian Defence Force is a combat organisation; it exists to fight the nation’s wars, to defend the nation during times of conflict.

But don’t forget that at its very heart, at its essence, the Australian Defence Force is a training organisation with the core skill of taking someone off the streets and training them to be something: a fast jet pilot, a ship navigator, an artilleryman, or a cyber security specialist.

These are things that the Australian Defence Force does very, very well, and it is designed to do it.

Governance of the ADF’s cyber capabilities — is it the Information Warfare Division?

Come the first of July this year, it’ll be six years since the Information Warfare Division was formally stood up, so let’s get it sorted and move forward.

We’ve just got to get to the important conversations, which is how do we support the warfighter? How do we generate the intelligence effects that the nation needs? How do we generate the law enforcement effects in cyber space that the nation needs? Because reading between the lines here, a disaggregated approach only hurts everyone.

I couldn’t find a single reference to information warfare [in the Defence Strategic Review]. You know, I saw references to cyber and information operations — okay, sure. I mean, at the end of the day, a label’s a label. Call it Robert, for all I care. I mean, as long as we know what we’re talking about.

I know there are people thinking about cyber operations. There are people thinking about information operations. But I’m wondering about who is stitching all of that together and bringing in all of the other aspects that comprise information warfare. Now, maybe that’s the chief of Joint Capabilities, who’s going to have space coming in, who’s already got cyber in there.

I guess the proof will be in the pudding. We might find out in the fullness of time.

You can learn more about cyber operations in the DSR here, read the full report here, and listen to the latest Cyber Security Uncut podcast with Major General (Ret’d) Dr Marcus Thompson and Phil Tarrant here.

Major General (Ret’d) Dr Marcus Thompson was the inaugural head of information warfare for the Australian Defence Force and is currently the director of Cyber Compass.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
