Military cyber strategy too vague on skills gap
The government’s newly released military strategy may have outlined billions in new spending, but information security researchers have warned that its failure to outline offensive cybersecurity capabilities could leave Australia outmanned and outgunned in future military engagements.
The 2016 Defence White Paper, released at the end of February, outlined planned expenditure in a range of areas, including improved intelligence “so that our forces have a comprehensive awareness of what is happening around them and the ability to respond”.
When it comes to cybersecurity defences, the white paper also sets intelligence-related investment at 9% of the $195 billion Defence spending through 2025–26, with initiatives including enhanced “space situational awareness” and enhancements to “cyber capabilities to deter and defend against the threat of cyber-attack”.
“The government will significantly strengthen Defence’s cyber capabilities over the decade to protect Defence and other critical Australian Government systems from malicious cyber intrusion and disruption,” the paper’s intelligence surveillance and reconnaissance section explains, adding that the related technology investment “will include the ability to achieve near real-time production, exploitation and dissemination of data to support a range of strike and other combat operations.”
Yet while the white paper commits an additional 900 defence force staff and 800 federal public service staff to supporting these capabilities, its lack of detail — specifically, about where hard-to-find cybersecurity skills will be secured or how they will be developed — led to warning flags from the Australian Centre for Cyber Security (ACCS), a joint effort between UNSW Canberra and the Australian Defence Force Academy.
“The biggest gap in the government’s new defence policy in respect to cyber space is its failure to spell out a transition to the sort of civil-military planning we need for resilience of our information systems in the civilian sector in war-time,” ACCS professor in cyber security, Greg Austin, said, noting that this deficiency leaves “no sense that the cyber warrior skills deficit is urgent”.
Yet urgency has been a recurring theme in discussions about Australia’s cybersecurity skills, with ongoing surveys highlighting a yawning gap between supply and demand for cybersecurity experts in and out of government.
A new report from industry group ISACA, for example, suggested that security professionals are losing confidence in the ability of their teams to detect and respond to security issues.
The proportion of respondents feeling such confidence dropped from 87% in 2014 to 75% in 2015 — of whom 60% do not believe their staff can handle anything beyond simple cybersecurity incidents.
Such figures not only highlight the urgent need for a top-level program for developing defensive cybersecurity skills, Austin warned, but bode poorly for Australia’s ability to develop proactive cybersecurity skills like those outlined in US President Barack Obama’s Comprehensive National Cybersecurity Initiative (CNCI), which calls for the establishment of a government-wide ‘cyber counterintelligence plan’ that would “coordinate activities across all Federal Agencies to detect, deter, and mitigate the foreign-sponsored cyber intelligence threat to US and private sector information systems”.
More recently, the US Cybersecurity National Action Plan (CNAP) committed the Department of Homeland Security to step up recruitment efforts to develop 48 standing teams of cybersecurity experts from public and private sectors.
CNAP also allocated $62m in personnel training including development of a Cybersecurity Core Curriculum, an expanded National Centers for Academic Excellence in Cybersecurity Program, development of a CyberCorps Reserve program and initiatives such as student loan forgiveness programs for cybersecurity experts that join the federal workforce.
The lack of such explicit measures within the 2016 Defence White Paper fails to address the root causes of Australia’s skills shortcomings, Austin said.
It also fails to mention the need for proactive cyber-military capabilities would put it on the back foot if a conflict saw the use of cybersecurity attacks alongside more conventional military strikes.
“Australia’s declared strategic guidance, the 2016 white paper, does not explicitly accept the potentially decisive impact on future war of cyber operations,” he explained.
“In this respect, Australia is out of step with the two most powerful countries in Asia: the United States and China.
“If the United States and China are building powerful military cyber capabilities, then our armed forces need to develop in a short time a very large cohort of cyber warriors who can compete and win in that environment.”
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...
State government agencies still struggling with securing user access
Audit reports have shown that Australian government agencies in four states experience challenges...