ICT as a weapons system

Do you ever have those moments where you hear something so out of tune with your thinking that your only response is a slow blink while your brain processes it? That’s how I felt in the Budget lock up when Defence Finance officials told me that ICT programs under Chief Information Officer Group are not included in the Top 30 Acquisition and Sustainment program tables. As you can see in my Budget analysis on P32, their reasoning was that “ICT programs are usually short in nature, not materiel related unlike the other major Defence programs, and not core business”.

I can think of at least half a dozen major ICT programs off the top of my head that defy that framework.

Last time I checked, Defence uses ICT not just as a key enabler but as a weapons system in its own right. While it may not have its own functional and discreet domain like air, land, sea, joint, or cyber (see P41 for more) none of these capabilities are ICT free anymore; not for acquisition or sustainment. I would challenge any ADM reader to find a program in any of the Budget tables that does not use ICT in a meaningful way every day.

An increasingly connected 5th Gen force means that the ADF relies on a strong foundation of ICT systems. Indeed it is the ultimate system of systems. Every single capability manager recognises this, publicly and privately. There are of course arguments about what constitutes reliable and fit for purpose ICT, but the base assumptions are in accord.

With many of the disruptors of warfare coming out of the innovative use of ICT (AI, big data, better streaming, real time analysis etc), which is now more readily available thanks to lower barriers of entry, protection and exploitation of this space is not only natural but necessary.

Think about how society now functions; a complex web of ICT systems supports every service. Want to see how a society functions when they don’t work? Estonia 2007.

On 26 April 2007, the capital of Tallinn erupted into two nights of riots and looting. 156 people were injured, one person died and 1,000 people were detained after weeks of simmering anti-Russian sentiment boiled over.

From 27 April, Estonia was also hit by major cyber-attacks, some lasting weeks. Online services of Estonian banks, media outlets and government bodies were taken down by unprecedented levels of internet traffic. Massive waves of spam were sent by botnets and huge volumes of automated online requests swamped servers.

The result for Estonian citizens was that ATMs and online banking services were sporadically out of action, government employees were unable to communicate with each via email, and newspapers and broadcasters suddenly found they couldn't deliver the news.

NATO's Article Five guarantees that members defend each other, even if that attack is in cyberspace. But Article Five would only be triggered if a cyber-attack results in major loss of life equivalent to traditional military action.

Identifying who is responsible also makes retaliation difficult. The 2007 attacks came from Russian IP addresses, online instructions were in the Russian language and Estonian appeals to Moscow for help were ignored.

That means a hostile country can create disturbance and instability in a NATO country like Estonia without fear of military retaliation from NATO allies.

So what did they do about it when traditional lines of defence failed them? Fast forward to today. Since Russia's 2014 annexation of Crimea, the Estonian Defence League has been much reported on by the international press; at weekends 25,000 volunteers don fatigues and head to the forests to learn how to shoot. Less well known is the murky world of the voluntary Cyber Defence Unit.

The Estonian Ministry of Defence also trains the country’s leading IT experts, but in addition they are security vetted and remain anonymous. They donate their free time to defending their country online by practising what to do if a major utility or vital service provider is brought down by a cyber-attack. It's the sort of private sector talent government could never usually afford to employ.

Is this the right path for Australia? Perhaps.

There needs to be a realisation that cyber is not just an ICT issue. It’s national security, nation-building and wellbeing issue that needs to be analysed and funded as such.

This article first appeared in the May 2019 edition of ADM.