Foreign Minister Julie Bishop has launched a ‘temporary embassy’ in Tallinn, Estonia, that will facilitate Australian participation in the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).
The ‘pop-up’ Embassy will be in Tallinn for 12 months.
Minister Bishop also confirmed that a member of the ADF will be seconded to the centre for three months each year. This year Australia observed Locked Shields, the world’s largest cyber defence exercise.
“Australia welcomes the opportunity to deepen engagement with the world-leading cyber defence experts at the NATO CCDCOE,” Minister Bishop said. “Now, more than ever, we must engage with the international community to set clear expectations for responsible state behaviour in cyberspace.”
Australia has been unusually transparent in this space, and was the first state to publicly acknowledge its offensive cyber capabilities in 2016. According to PM Malcolm Turnbull, these will be used to respond to serious cyber-attacks, to support military operations, and to target offshore cyber-criminals.
In a recent report, ASPI noted some of the advantages and disadvantages of cyber capabilities like Australia’s, which are subject to rules of engagement and international law.
Cyber can serve as a potent force multiplier for existing operations – the report references Israel’s use of cyber to temporarily disable Syria’s air defences and allow bombers to fly undetected during the 2007 raid on a Syrian nuclear reactor. Cyber operations also have a global reach, offer asymmetric advantages at relatively low cost, and can engage targets that cannot be reached conventionally. The Stuxnet worm that hit Iran’s nuclear centrifuges is a case in point.
The downsides are that cyber is unlikely to be effective when used on its own, and cheap, brute-force attacks (WannaCry, for example) are not tactics likely to be used by a state abiding by a rules-based international order.
These, however, are exactly the sort of attacks that other states freely use to gain operational and strategic advantages. Russia used blunt-force DDOS attacks to disrupt Ukrainian communications and gain an operational advantage during the invasion of Crimea. It also used ‘troll farms’ and other online tools to influence the 2016 US presidential election.
This disparity in tactics places the ADF and Australian defence industry on the defensive.
That is not necessarily a disadvantage, but it does mean that the ADF and wider industry must be prepared. States like Russia that are prepared to use cheap, blunt-force cyber-attacks and other online tools do not discriminate between military and civilian targets. Information on system capabilities and vulnerabilities may be easier to glean from the supply chain than from the end user.
Ultimately, the difference in how nations choose to use cyber reflects their relative happiness with the current global order. A revisionist state like Putin’s Russia, which is seeking to challenge the West’s conventional supremacy, relies heavily on the asymmetric advantages that cyber offers. It is a tool that can be used freely with a low risk of triggering a conventional conflict.
Minister Bishop subtly rebuked Russia’s use of cyber in her remarks. “The international rules based order applies online, just as it does offline.”
That is not the case in practice. Asymmetric advantages like cyber offer revisionist states an advantage precisely because they do not follow established rules.
Australia needs to prepare accordingly. Participating in cyber exercises in Estonia will certainly aid in the ADF’s preparation, but more needs to be done to secure Australian industry, particularly SMEs, in the increasingly contested online domain.
For more information on cyber issues, see the forthcoming May edition of ADM.