When the Information Warfare Division was stood up almost two years ago, there was some confusion outside Russell about how they would fit into the cyber landscape. Major General Marcus Thompson, Head of Information Warfare Division in the Joint Capabilities Group has spent some time clearing that up.
You would be hard pressed not to pick up on any kind of media coverage about the cyber threat to our nation. From privacy and data security at the individual level all the way through to existential threats to critical infrastructure, the cyber bogeyman lurks behind every screen. The Internet of Things (IoT) has become ubiquitous to the point where it’s virtually impossible to live a modern existence without some level of connectivity.
“It’s a big job that we’ve been given and the breadth of the portfolio is not getting any narrower as we move forward and so as the threat continues to evolve and adapt in cyberspace,” MAJGEN Thompson explained to ADM. “As the role of information in contemporary conflict continues to grow in importance, as the exponential growth of IP technology in both civilian and military capabilities continues to expand, the insatiable thirst for intelligence also refused to abate. We’re getting after that as quickly and as constructively as we can.”
Major General Thompson is very much aware this is a ‘team effort’.
“To achieve the war fighting effects that the ADF needs I need help; I need help from across the national security community which is normal for Defence. I need help from industry with understanding the art of the possible with technology. I need help from academia with concepts, with technology development, working with the Defence Science and Technology Group to continue to develop high technology capabilities and continue to give the ADF the military advantage that we need to prevail in contemporary conflict.”
Perhaps most startlingly, MAJGEN Thompson and his counterpart at the Australian Signals Directorate (ASD) Mike Burgess have been open in their respective need for both defensive and offensive capabilities with support from industry since the Prime Minister confirmed their existence two years ago.
Burgess has been moving his organisation ‘out of the shadows’, with the agency running an internal competition for its first foray into the Twittersphere on Oct 28, 2018. It chose an admirable winner; “Hi Internet, ASD here. Long time listener, first time caller.”
Industry engagement
In terms of how these not so secret squirrels engage with the wider cyber ecosystem, there are a few avenues open to other players.
“I’m open to all avenues of entry and there’s a couple of specifics, that are situation dependent,” MAJGEN Thompson said. “In the satellite communications program under JP9102 we’ve deliberately reached out to seek industry advice on what is the art of the possible and what might it cost as we are developing our own plans and submissions for government. We are hosting an industry engagement day with ADIESA.
“It’s not quite the revolving door here in my office, but where I’ve got the time industry come in and talk to me personally, or they’re in talking to my team or my team are out talking with them. It’s certainly not a one size fits all and so we’ve always engaged with industry, I’d say to your readers, as I said at MilCIS, I’m open to all good ideas. I’m not necessarily open to every idea but I’m certainly open to all good ideas.”
It’s also important to note that there are some cyber capabilities where the expertise is resident within the Commonwealth, with Defence and ASD being the first line of Defence and the relevant subject matter expert. There are government to government channels that industry simply do not have access to for reasons of sovereignty and security.
“That’s not to say we won’t talk to industry but there’s some aspects here where we’ll back ourselves,” MAJGEN Thompson said to ADM. “One of the biggest issues in cyber comes down to trust; who do you trust and how much? The basics of the prisoner’s dilemma come into play.
“For the first time, we can start talking in more detail about what our staff do, what kind of skills they have, and why you might want to come and work with us,” Burgess said in a March 27 speech to the Lowy Institute. “Why is that important? Transparency informs, helping dispel myths and most importantly helps with our value proposition to prospective employees.”
And this is where the bogeyman comes out to play; what’s real and what’s a myth? Books like Ghost Fleet by Peter Singer and August Cole are a good example of what this blend looks like. But government leadership is actively trying to explain what they can given the restrictions they operate under.
“When we talk about ‘offensive cyber’ at ASD, we’re referring to a broad range of activities designed to disrupt, degrade or deny our adversaries,” Burgess explained. “And to be clear, all our activities are focused offshore. We do this by using specialised tools and techniques to disrupt their communications or interfere with the way they operate online.
“In my experience, when people think of offensive cyber – they focus on the high-end of the spectrum involving computer network attack operations to destroy an adversary’s communication device. Yes, this is something that ASD does, but in very specific circumstances, and within a strict legal framework. But it’s just one of the ways we can disrupt our target’s behaviour online.
“Many of our operations are carefully designed to achieve the objective in a much more subtle and sophisticated way. And to be honest, that is far more exciting than smoking computers or devices in cyberspace. For example, our targets may find their communications don’t work at a critical moment – rather than being destroyed completely.
“Or they don’t work in the way they are expecting. Or they might find themselves not able to access their information or accounts precisely when they need to. These kinds of operations are actually more representative of what offensive cyber looks like – highly targeted and proportionate actions, timed to precision. Whatever the technique, our objective is to use our offensive cyber capabilities to keep Australia and Australians safe.
“It is also important to remember that we are a foreign intelligence agency. Our operations disrupt, degrade and deny offshore adversaries who pose serious threats to Australia’s national interests,” Burgess said.
MAJGEN Thompson is also keen to point out that the links between the various government players remain strong.
“We’ve got a well structured ecosystem from an ADF perspective where we work elsewhere within the Department of Defence, particularly with the CIO Group on the defensive side, and of course the ADF has an incredibly tight relationship with the ASD,” MAJGEN Thompson said. “It’s been that way for 70 years and it has not changed at all with the movement of ASD to its statutory independence in July last year. That relationship remains incredibly close. You wouldn’t be able to get a cigarette paper between us.”
Workforce
Both MAJGEN Thompson and Burgess are open about the fact that they are in the market for people, but they are ‘not the stereotypes you see in the movies’.
“The ADF people who are in ASD supporting and contributing to the ASD mission, they’re fantastic young men and women - well trained, professional, supporting that ASD mission in the role of cyber operations, the cyber security functions, and the nesting with the broad electronic warfare or the traditional electronic warfare function has generated a delightful career path for someone who’s interested in a career in military cyber,” MAJGEN Thompson said.
“They come from all sorts of backgrounds - everything from computer science to marketing, international relations, the law, linguistics, biology and mathematics to name a few,” Burgess reflected in his Lowy speech. “Regardless of the background – all of them go through a comprehensive training program to make sure they have what it takes to be an offensive cyber operator. Some of them are expert at generating technical effects to degrade or destroy an adversary’s communication device.
“It’s the type of effect that might be crucial to support a military operation. Working alongside the operators are our software developers. These programmers are responsible for developing highly surgical software tools to cause the effect. It is precision work, requiring reverse engineering skills and a deep understanding of computer operating systems.
“They have to find a way to bypass the target’s security mechanisms, and make sure the tool causes the exact effect that has been approved under our legal framework– and only that effect.”
The ADF is also ensuring that they will be able to field the next generation of cyber warriors from within their own ranks. At this point, MAJGEN Thompson has not had to look outside the current cadre of ADF personnel but knows that it is on the horizon.
“We’ve got a course running at the moment for 50 members of the ADF. There were 1,000 expressions of interest from across the ADF for places on that course.
“The service chiefs have agreed to consider case by case basis waivers to traditional entry standards for cyber experts to come in, both full time and part time “It’s one of those opportunities where the value proposition that we can offer to people who want to come in who might already have a career in cyber underway somewhere else but if you want to come and do some of this really funky stuff legally, there’s only two places you can do it and that’s ASD and the ADF,” MAJGEN Thompson said.
The pros and cons of connectivity
Despite the assumption that all IT security people do is say no, the nature of connectedness is now assumed. And it’s not just consumers and the everyday people; it’s business as usual for the ADF now.
“What does that mean? It means that we’ve got to be very aware of what vulnerabilities we’re introducing into the ADF and defend against threats accordingly,” MAJGEN Thompson said.
“I often talk about how during my lifetime there will be no more old-fashioned hydraulics left in the ADF inventory, everything will be fly by wire, sail by wire, drive by wire. For the pedants, I get that that still involves hydraulics but modern hydraulics, the electronically driven. So what does that mean? It means that as soon as that ship pulls alongside, when that aircraft is towed into
a hangar, when that vehicle pulls into a workshop, that someone is going to plug in an electronic device.
“I’m interested to know what’s the hygiene of that device, who is responsible for checking the hygiene of that device, who’s device is it and what are the potential vulnerabilities from all this. And that’s just from a basic cyber-worthiness perspective before we get into actually fighting in cyberspace.”
The grey zone
Warfighting in the grey zone, as it is now known, is by definition an amorphous space. The US has been clear in defining a cyber attack will be treated the same way as a kinetic attack. But should the first shots fired in war be cyber-based, the Australian response is less clear.
“We’re continually grappling with because it’s changing every day,” MAJGEN Thompson said to ADM.
The 1901 Defence Act is very clear about how and when the military can be deployed on home soil. What’s less clear is what role the military plays in the grey zone. For example, what if Australia was subject to Estonian style digital shut down; no access to the internet for over a week. Remember this is the same Internet that runs the vast majority of power, banking, finance, water and other critical services in our nation. Or even a disruption of these services to the point where they were unreliable.
“Whilst we’ve got provisions within Australian legislation to call out or to use the military in times of crisis, this is not an environment where you can metaphorically parachute in and immediately identify anomalies and unusual behaviour. It’s a tough question to work through but I just have a question, in that scenario, if a threat comes at scale, what is the role of the ADF? The ADF capability is designed and built for use offshore.”
“I think just from a pragmatic perspective, if a threat comes at scale it just doesn’t make sense to me that we would have highly trained soldiers, sailors, airmen and airwomen sitting on the bench while their civilian mates are in the fight,” MAJGEN Thompson said to ADM.
Given the evolving threat and the state and non-state actors in the mix, is this really a hole we can continue peering into? Barriers to entry to a cyber attack are incredibly low. When does transnational cyber crime cross into an attack on a sovereign nation? This is the essence of the grey zone.
At the moment, there are more questions than answers in this space.
This article first appeared in the May 2019 edition of ADM.