From The Source: Mr John Blackburn, AO Strategy Consultant
John Blackburn retired from the RAAF in 2008 after a distinguished career which saw him rise to Deputy Chief of the Air Force. A former test pilot he was also Defence’s Head of Strategic Policy and led the development of Defence’s future warfighting and Network Centric Warfare (NCW) concepts and roadmap. He is now a Council Member of ASPI and a director of both the Williams and Kokoda Foundations. Most recently he co-wrote The Kokoda Foundation’s Paper on cyber security. He spoke to Editor at Large Gregor Ferguson.
ADM: One of the issues that you’ve looked at quite closely recently is the cyber domain. How bad does a threat have to become before we enter the cyber equivalent of today’s very stressful security driven air travel environment, or are we there already? And if we are, is it going to get worse do you think?
Blackburn: The Kokoda cyber security study aimed to get a sample of what people with a broad range of expertise really thought about the cyber challenge. A common view was that the cyber threat is going to get worse and that we are going
to see system-level failures in the future because the internet was designed for the open and free flow of information, not to be protective of that information.
The question we asked ourselves, is “are we able to anticipate those threats and do something about them?” A lot of the experts told us that they think that we’re going to have a series of significant cyber events or even a “Cyber 9/11” before there will be enough pressure or public acceptance of the need to implement the significant changes that need to be made to address the growing threat.
ADM: One of the things with cyber though is that it’s an issue which affects people individually; you’re almost talking about changing a national outlook or changing national behaviour at an individual level.
Blackburn: I think the steps that the government’s been taking are good. In particular, the 2009 Cyber Security Strategy which the Attorney General’s Department released was a great start. The decision late last year to have the National Security Adviser’s office within PM&C take on the cyber policy coordination role was important. The recent announcement of a cyber white paper is good because it will result in discussion and interaction across Government, Industry and the public. I hope that the white paper will also trigger an update in national cyber security strategy. But there’s a big role for industry here. Not only within Defence but across government and across business. And it’s not just the big industry players.
Small businesses need to play a role and individuals also need to take responsibility and accept that, in some cases, some degree of control or regulation of the cyber domain is necessary for everyone’s collective safety. I think as a nation we have to acknowledge that every individual has a responsibility for basic cyber safety and security practices
and there’s a need – because not everybody is going to do the right thing – to have a degree of regulation and control. I think we need an information campaign on the scale of the skin cancer Slip, Slop, Slap campaign or the car seatbelt campaigns of the past. The changes we need to implement are not going to be done in 12 months; this is a long term issue.
ADM: In Australia government tries to use market mechanisms to deliver essential capabilities but is there a market mechanism which actually works in cyber space, or do governments need to be more interventionist along the lines you discussed?
Blackburn: There is not a market mechanism in my view as yet because without broader education and understanding the public will not demand the services nor appropriate standards from businesses. When they don’t demand it there is not a mechanism there for businesses or boards to put adequate priority into improving cyber security.
I think in this case there is a need for controls and targeted government intervention, until the market mechanisms are established and understood.
One of the proposals we had in the Kokoda Foundation cyber security paper was for a national security innovation centre. We saw some benefits of the RPDE system for the network-centric warfare community in changing behaviours and relationships and exploring ways of innovating rapidly to meet operational needs.
What I’m suggesting is a similar model, a government-owned and contractor-operated national security innovation centre to allow both government and industry to team and try out new ideas and test new systems / capabilities and, if they work, implement them. An innovation centre could help us to improve the country’s ability to address the cyber threat.
ADM: Turning to the ISR domain, ISR is more than just sensors and networks - are Defence and the ADF actually evolving fast enough as organisations and in their procedures and processes to exploit and benefit properly from a networked combat environment?
Blackburn: ISR is an interesting challenge. Defence is doing some interesting things in the ISR domain. If you look at the Joint Capability Instruction related to ISR and the initiatives coming out of the Joint Capability Coordination area under VCDF, there are signs of some good higher level thinking. But the future ISR model that our country needs is a national one - that is, whole of government (federal and state) - because ISR in the future will not be conducted purely within the bounds of the Defence Department . In the case of security in Australia we must make sure
that we can link government systems, the state police systems, and other state information systems.
Within Defence there’s a couple of interesting issues that are emerging. Much ISR capability doesn’t fall within any single service environment; the Joint Capability Coordination division has the policy and coordination lead, but is there a need for a capability manager? That’s something that needs to be decided because at the moment there is no capability manager for ISR.
ADM: So how do you define and acquire this capability in a coherent way?
Blackburn: When you look at the acquisition of ISR the question arises as to whether we going to continue acquiring this capability project by project or are we going to take a systems approach? Defence’s acquisition process is, for a lot of good historical reasons, an industrial one but ISR and the issues associated with it are evolving very rapidly. It’s everything from the concept of operations of how you work as a nation or as part of an alliance, the people who are going to actually employ these systems and their skills, it’s the teaming with industry that’s going to allow
this to be effective in the future, so there’s a lot of elements to be integrated to make this happen.
Now, similar to what we see happening with simulation, ISR capability is acquired with a project-centric model. There is a good initiative to test ideas and to prototype some joint capability based on the US Defense Intelligence Information Enterprise (DI2E) system approach. That’s a great step; however the acquisition of ISR capabilities are still planned to be subject to traditional, separate projects which take a number of years to process the Departmental approval processes.
The US is going away from acquiring ISR capabilities through large segmented projects. They’re trying to evolve capability very rapidly because if you wait two or three years to define it, technology will have moved on and your needs will have changed.
ADM: In achieving situational awareness, which is really what ISR aims to deliver, what do you think the ADF needs that it hasn’t got, or that it’s not already planning go get?
Blackburn: I think the real issue here is that technology is the enabler, but the real challenge is going to be growing the people with the right skill sets and understanding and making sure that there are the practices and the processes and the behaviours in place to be able to actually take that information and share it, analyse it and get
it to the people who need it.
The other important thing to realise is that to have the right sort of ISR capability, it will take a considerable amount of time to grow the trained and skilled people we need both within Defence and industry.
You have to lead the acquisition of equipment: we have to grow the people, the processes, and the changed practices and behaviours ahead of when you actually need the ISR capability in service. And that’s why something like an evolutionary or progressive development model is so important because it allows you to grow the people and the skill sets in an evolutionary way but fairly rapidly.
ADM: When investing in new capability, do we get the balance right between kinetic effects and situational awareness?
Blackburn: I don’t think we know and we don’t have the right tool sets to allow us to make an informed, risk-aware decision. Without the right tool sets and experimentation support, at best we’re going to make judgements that may be riskier than they need to be. When we don’t have enough information to make those judgements people often default to just continuing business the way we’ve always done it.
ADM: So is Defence actually being ambitious enough in its aspirations for Joint Project 3028, the Defence Simulation Program ? Do we need to see this capability emerging sooner?
Blackburn: I think the broad goal in JP3028 is the correct vision, but I remember we were trying to drive this forward in the 1990s and whilst there has been good progress in the simulation of individual systems such as the F/A-18 or AEW&C, we have made minimal progress in networking those together so that we can actually train and operate as a team.
When I look at the timeline for JP3028 as it stands right now, we’re talking about not having an in service capability until 2017-18. Defence is about to do a force structure review that is going to require simulation and modelling to analyse some of the force options. So we need that capability now.
ADM: Are Defence’s project based acquisition processes really suited to the very diffused and complex capability development and training issues surrounding ISR and cyber security or projects like JP3028?
Blackburn: I think these acquisition processes are basically industrial age. If you want to buy an aircraft or a ship I can see the logic of following that process using the lessons derived by the Kinnaird Review. But unfortunately that process is totally unsuited to rapidly evolving ITbased capabilities such as ISR or a complex simulation and modelling system such as JP3028.
ADM: So how do you overlay a systems approach to things like capability development and training on an organisation which still to some degree thinks in terms of platform replacement using the mechanism of a major capital equipment project?
Blackburn: I think what has to happen is greater engagement between Defence and Industry, to educate and inform in order to try and get people to understand that you can’t actually develop a very large complex system of systems – which is what our defence capability is – by only approaching it in a piecemeal way.