The construct that there is war or peace, where peacetime permits business as usual, is an outdated binary construct.
We exist on a spectrum of conflict where everything is a potential weapon against our way of life and our sovereignty. The September 2019 attacks on the Saudi oil production facilities impacted around five per cent of the worlds daily oil supply. Despite the Saudi Government spending billions of dollars to protect a kingdom built on oil, it could not defend against the relatively small-scale drone and cruise missile attack.
It was somewhat sobering to watch a Saudi official trying to congratulate their air defence forces on defeating recent attacks from ballistic missiles whilst standing in front of the images of burning oil infrastructure. Clearly Saudi Arabia’s critical infrastructure is still vulnerable and further attacks will have major impacts on global economy and energy security.
Following the Saudi refinery attack, John Rood, the Pentagon’s Under Secretary of Defense for policy pointed out that “The threat that we face has developed faster than our own countermeasures … As much progress as we’ve made, if you’re not staying equal to, or making greater progress than, the threat picture, it’s a serious problem.”
Was the attack really a surprise? Perhaps to some; but drone attacks are not new, and the oil fields of the Middle East had suffered small scale attacks in the past. Cruise missile attacks should also not be a surprise to us as they have been used extensively by a number of countries in the past decade; weapons proliferation is not new.
Many commentators have written that we should also expect future attacks by masses of swarming drones that could operate autonomously. How will we, in Australia, defend against such threats if an adversary targets, for example, our critical infrastructure? Are we preparing for such an environment or will we merely wait to react?
When we think about critical infrastructure, we often think about the energy sector because of its’ scale and impact. For example, Australia is currently the world’s largest exporter of LNG. Japan is our largest customer, importing more that 30 per cent of its’ LNG from Australia. Approximately 30 per cent of the Japanese electricity supply is LNG based.
A coordinated attack on Australia’s LNG infrastructure could have significant impacts on our economy, global energy supplies and in turn Japan’s critical infrastructure. Surely that bears thinking about?
IME as a nation
In our ADM article of November 2018, we argued for an integrated Information Management Environment (IME) for Defence. We now realise that by focussing on Defence we did not consider the bigger issue. To deal with the threats we are seeing today, and are predicting for the near future, we need an integrated IME architecture for the nation, not just Defence.
We are suggesting something more is needed than the Trusted Information Sharing Network that is in place in Australia. We are exploring the idea of a real-time hybrid Government/Commercial operations system, based on a C2ISR architecture, to support the protection of our nation’s Infrastructure.
Do we want to be in a position in the future of congratulating the ADF on defeating a range of high technology attacks whilst standing in front burning critical infrastructure because we took a traditional approach to national security and defence?
Could we leave it to Defence to build such an architecture as a prototype for a national system? We don’t think such an approach would be effective and have some thoughts on a path forward.
IME and Defence
Last year we concluded that the issue faced by the ADF was that existing communications and information networks were not designed as an integrated system and did not appear to be a good foundation upon which to build the 5th Generation Force the ADF is acquiring.
We suggested that the ADF needs an integrated communications architecture and network; one that is not just defined by individual projects. Of particular concern was that systems integration across ADF platforms is not a capability that can be bought off the shelf, it has to be purposely designed, tested, certified, accredited and maintained through life as a weapons system in its own right. That is a challenge for an organisation that is structured to acquire platforms and system components that are stove piped in design and with a workforce and skill set optimised for Project Management and Scheduling.
The analogy that we use is that of the iPhone. We have purchased, or are acquiring, a magnificent group of apps (platforms) that would be amazingly effective if only they could work together. All we are missing is the underlying operating system that enables the apps to do just that. It is worth reflecting that Apple’s approach to the iPhone was the inverse; that is to build the underlying operating system first and then allow the innovative apps developers to utilise it … together. We should also recognise that Apple ruthlessly built and enforced a wall around the development environment and architecture in order to maintain configuration control, security and performance.
So how has Defence progressed in this area over the past 12 months? From our discussions with Defence and Industry colleagues it appears that VCDF Group has indeed made progress through several efforts to bolster the requirements determination process. Plan Aurora, mentioned in our previous article, is being consolidated via promulgation of
Integrated Employment Concepts and accompanying Integrated Target Statements. The Group is developing Operational Deployment Patterns (ODPs) for a number of key capabilities.
Integration and Interoperability Reference Frameworks and Capability Assurance are also positive steps forward in consolidation and development of requirement determination and future needs, at the integration and interoperability level.
Whilst a necessary and critical first step, considerable work is still required for integration of the ODPs themselves along with reconciliation of the requirements at the procurement and sustainment end of the organisation. The dilemma faced within Defence is that much of the existing underlying integration infrastructure, required to integrate and generate force multiplication between and across 5th Gen platforms, is not fit for purpose.
Projects, such as Air 6500 Integrated Air & Missile Defence (IAMD), are faced with the fundamental challenge of identifying an integrated design, and the relevant technologies, able to integrate a wide range of systems into a coherent and real-time capability. Just like the dilemma faced by the NBN telecommunications system, the management of the multitude of technologies, when combined with lowest common denominator capabilities, can inhibit capability realisation.
Defence is further constrained by the existing contracting system and a political risk profile where management of the “as is” is the priority over the “to be”.
Other areas of Defence, specifically within CASG, are also working on a key component of the 5th Generation IME. At the systems design level there are a multitude of standards (both international and proprietary) requiring reconciliation and enactment horizontally across the systems of system. Communications, protocols, bearers, ICT, TCPIP, voice, data imagery and the combat platforms themselves present unique challenges particularly where standards and new technology capabilities are constantly evolving.
The concept of mission critical for much of the future integration needs enters the arena adding a layer of complexity to the systems of system Standards at both system and component level Standards. CASG are accordingly updating the Defence Standards Manual and attempting to rationalise the National Standards Authority Register, in order to generate better control of, and clarity around, standards.
Plans Jericho and Aurora continue to provide 5th Generation concept awareness, scoping high level integrated capability needs and criticality. VCDF Group efforts at the requirements determination level have been positive as they try to capture strategic integration requirements in policy, concepts and patterns. External forums such as the Williams Foundation also play an important role in providing broader awareness of these issues.
The question is whether these initiatives are happening fast enough to keep pace with technological changes and evolving threat profiles. There is no doubt that strategic requirement has to be firmly established generating direction, budget and priority. However, Defence’s challenge remains in transitioning from concept and ODPs into actual design and build.
Projects such as Air 6500 lead the pack but are in somewhat of a vacuum, awaiting both more detailed strategic guidance and the mechanisms to enact that guidance at the design and build stage. Industry remains somewhat perplexed at the question of what Defence actually wants from this project.
Other discussions with Industry colleagues indicate that a key Terrestrial LAN integration Project is stumbling for want of effective design and technology baselines. The apparent use of existing technology stacks, components and conventional hub and spoke thinking are not generating the strategic requirement needs. Whilst lessons are being learned on this journey, valuable budget and time are needlessly being consumed for capabilities that are not fit for purpose.
From a scorecard perspective, Defence has made progress and is doing some good work at the Strategic Requirements level. The complexity of the integration challenge is immense, requiring design and performance understanding at both component and complete system level.
VCDF policy and direction is one thing, actual design take-up and build priority is another. Whilst the ADF is rightly applauded for its’ tactical agility and innovation it is, in reality, restrained by a process-encumbered business model.
In our view, the pace of change in the IT/information domain is such that the industrial age business model evident at the strategic level is not capable of matching the pace of commercial sector innovation, and therefore the pace of threat growth. The brutal reality is that when an adversary can use the latest commercial technologies in an agile and asymmetric manner, then you cannot counter them with using an unwieldy, process focussed, business model.
This is not a particularly original conclusion, but it does lead us to think about the need for a different approach.
The emerging problem
The potential task of protecting our critical infrastructure in a future context is massive. At scale, this cannot only be a task for the ADF given its’ small size/task load, the cost of Defence bespoke capabilities, and the slow pace of force upgrade through the existing capability design and acquisition system. Whilst it is easy to conceive that our police forces will also need to be able to deal with such threats, the potential scale of threats could mean that we will need future critical infrastructure owners to be able to deal with more infrastructure protection roles.
Today they are responsible for physical access and cyber protection. Is it beyond our imagination to see a time when critical infrastructure owners will also need to address short range defence capability against a threat such as weaponised swarming drones? Or do they just dial 000 and wait for help?
Technical solutions to a range of identified future threats are being developed. If we consider the potential scale and impact of emerging commercial platform-based threats, then it is not a threat that can be merely assigned as a Defence responsibility. It is a bit akin to looking at threats to our Maritime Trade and expecting that the Navy will be capable of addressing the full breadth of the task; it is not.
Given the observed lag in the development of integrating information architectures and systems in Defence and the potential detrimental effect on operational capability, it is not unreasonable to assume that we may also be at risk from a lack of a wider national information infrastructure when we attempt to deal with future threats.
Logic and international experience from the Internet of Things (IoT) tells us we should address the information architecture first, as per our iPhone example, in order to provide a foundation on which future national response systems can be integrated.
In the case of critical infrastructure, we are suggesting that a national IME would support sharing of relevant situational awareness, sensor and threat data to a wider group of potential responders. Is this suggestion mere fantasy or is there an example of such thinking overseas, given our current propensity to be a fast follower rather than an innovation leader?
The Finnish Government, for example, recognises that in recent years, threats involving the increased use of technology and networking in society and the economy have been growing and that the vulnerability of the technical infrastructure of society has increased.
Information and communications systems vital to the functioning of society must be secured through national measures. Public authorities must have at their disposal computer systems that meet the demands of exceptional threat-based circumstances.
Another example is the Swedish national digital communications system used by the emergency services and others in the fields of civil protection, public safety and security, emergency medical services and healthcare. There are around 70,000 users on the network, and it helps provide security for 10 million people.
What should such national systems look like in the next decade? How will industry, for example, be integrated where and when needed?
A National Integrated IME
In our November 2018 ADM article we noted that the current stove-piped model of Defence networks creates bottlenecks for the passage of essential, time-critical information and also constrains the passage of that information to a number of limited bandwidth classified pathways. A national IME would also need to address such bottlenecks.
Is the technology to support a national IME in existence or under development? What are the impediments? When considering a national IME model, we do need to consider what components need to be sovereign? As in which elements need to be owned by Australian companies, and which functions need to be operated by Australian citizens? The Government’s decision to exclude Huawei from building parts of our 5G networks is an excellent example of this thinking in Government.
Current and emerging technologies in the commercial sector offer numerous options to consider. Telstra’s Software Defined Network (SDN) architecture is an example that is being deployed. As Telstra states, “unlocking the full potential of those (new digital) services requires an agile network to match … Telstra states that their Programmable Network provides secure, flexible and on demand connectivity to virtual network services around the globe … through … an SDN platform.”
This is an interesting example of commercial state of the art technology that is more advanced than current Defence hub and spoke network architecture. Australian developed encryption technologies could also permit the use of multiple, independent, commercial, as well as military, pathways for communications and information.
There appears to be sovereign capabilities that could be the foundation for a sovereign IME. However, we need to be mindful of the Defence experience, in that piecemeal decisions focussed on components our national infrastructure will not be sufficient.
We need to have a framework or context under which we design such an IME. The framework model that Defence purports to use of Strategy, Concept and Plan could be a good starting point. So, what are the roadblocks?
Firstly, the lack of a National Security Strategy is the most obvious impediment to developing a National IME. We had a National Security Strategy in 2013 but it has since faded from view to be replaced by stove piped, reactive, security policies rather than a coherent Whole of Government approach.
Secondly, we need to develop a concept of how we think we need to function at a national level against current and future threats. In Defence parlance this might be called a Future Joint Operating Concept.
Again, Defence had one of these a few years ago but it has since faded from view and does not appear to have a replacement. As one senior officer explained to one of the authors of this article in 2018, “we don’t need one as we already know what warfighting capabilities we will have in 2030.” That response speaks for itself. The national mobilisation work being done in VCDF Group to support a new strategy (the first such effort since WWII) might have some answers.
Thirdly, we need a plan of how we will build our national security capabilities, one component of which should be a national IME. That will be problematical without the first two steps.
Fourthly, we can’t design, build and operate an integrated national IME using business models developed for acquiring stand-alone, stove-piped capabilities. An integrated IME is not a capability that can be procured as a single entity, it must be designed, built, tested, accredited and sustained from the bottom up horizontally traversing extant boundaries, culture and thinking.
Government, like Defence, operates primarily on an industrial business model. Break a problem into parts, work on the parts, use committees to coordinate and then deliver something, preferably on time and on budget. Henry Ford would have been proud of us.
So, where does rapid innovation occur? Clearly in some parts of industry and particularly in small teams and SMEs. An example which did impress us was that of the Lockheed Martin Skunkworks. In an excellent presentation to the Williams Foundation Seminar in August 2015, Steve Justice described a rapid innovation culture that produced transformational results.
It wasn’t done with a rigid process, large staffs and numerous committees and continuously growing budgets. The original vision for the Skunkworks was for “An experimental department where the designers and shop artisans could work together closely in the development of airplanes without the delays and complications of intermediate departments . . .” It had a number of key rules, the first four of which were: One Strong, Knowledgeable Leader; Minimal Program Office Size; Minimal Staffing and Simple Paperwork.
Last year we concluded our article by stating that the ADF is acquiring 5th Gen platforms and systems but with a risk that they will be shackled with an outdated communications and information network architecture.
Given the recent examples of emerging threats, and the scale of destruction that can be achieved by a small number of weapons, now is the time to ask ourselves if our current approach to national security is fit for purpose for both near term and future threat environments.
If an adversary can use the latest commercial technologies in an agile and asymmetric manner, you cannot counter them with a large process focussed organisation business model.
The warning signs are there. We don’t want to wait for yet another wakeup call closer to home.
This article first appeared in the November 2019 edition of ADM.