The Australian Defence Force and Cyberspace
Chris Kourloufas
Cyberspace is an entirely human-made universe that exists within the wires, servers, computers and minds of cyber citizens and dreamers. It is a universe that can both seem so familiar and also impossible to describe. Most of us in the West have a degree of exposure to it but only a few have the proficiency to manipulate it. What happens within cyberspace can have consequences within the physical world, as well as within the mind and society. Consequences can flow the other way around too.
Within this created universe, there are potentially infinite worlds crafted out of the source material of the cyber universe - code. I had the opportunity to hear from a variety of ‘cybernauts[1]’ at the recent ADF Cyber Skills Challenge held in Canberra and virtually. I was inspired by the people I spoke with, amazed by the possibilities and impressed with the leadership of ADF visionaries to make such an event a success. What I share here is an outsider’s point of view, looking in. I am an outsider in the sense that I am unfamiliar with the cyber ‘domain’ - as the military puts it. I thought it worth sharing my impressions for those like me, and to also add to the conversation about cyberspace and the ADF’s role within it.
Cyberspace and the Organisation of the ADF
Conversations during the event usually started with discussion of staffing levels, budgets and organisational structures. There was some frustration that cyber threats were not being resourced in proportion to their impact. Many of the problems vented were attributed to a lack of understanding of cyber within the whole of the organisation. I did note a broad positivity around the level of senior leader championship, which was tempered, however, by uncertainty over new identities being posted in over the next few months.
Many of those I heard from, spoke with great insight into ideas like attribution, justice and compensation within cyberspace - especially in the light of recent highly-publicised data leaks. There was also concern over the everyday cyber-physical interactions that could cause disruption and harm at a society level. For instance, how the idea of national security applies to things like civil infrastructure, utilities, health records and satellite navigation. There was also examination of ‘collateral damage’ of cyber attacks that spill out from a conventional war environment into civilian infrastructure of another country completely removed from the conflict.
I’ve had the luxury of letting this all sink in and I have been thinking about where we could go from here. There might be some unchallenged perspectives of cyber that are problematic. For instance, cyber is an ‘enabler’, cyber is for ‘phase 0’, cyber for ‘Information Warfare’. Cracking open some of our doctrine, I was surprised to learn of the ‘Information Environment’, which (in my reading) encompasses the entirety of the known universe. That is to say, existence is just information. Bringing it back down to Earth, I also heard the view - more than once, that the ADF is unwilling to make revolutionary change and that there was no appetite for significant organisational change. Some went as far as saying that ‘we will never have another service’. Is that ‘never in my career’ or ‘never in the next hundred years’? Never is a long time…
History is full of people making embarrassing predictions of the future. I won’t hazard a prediction here, but what I would like to explore is some of the metaphors that perhaps underpin the discussion and thinking. For instance, the abstract military idea of ‘domain’ seems to cause more confusion than it intends to clarify. It seems to me that it puts in place more boundaries and consumes unnecessary intellectual energy to navigate. Within the ADF, domain and service do not align, and with the cyber (and space) domain, we are struggling to provide comprehensive stewardship of ‘Cyber Power’ and its Fundamental Inputs to Capability. Another metaphor that could be examined is ‘war’ and its usefulness when considering cyberspace, which is impossible to disentangle from the modern (non-war) context. Further, how useful is the ‘war/peace’ dichotomy within the reality of cyberspace and (cyber)time?
Technology Challenges of Cyberspace
Going to my first conference on cyber had me feeling very insecure and exposed. Especially because there were a large proportion of presentations examining and demonstrating vulnerabilities to software, hardware, vehicles and national infrastructure. This is particularly exacerbated by the use of common hardware, firmware and software modules - all with known vulnerabilities. It felt like if someone wanted to get in, it was a matter of ‘when’ and not ‘if’. I also recognised that the knowledge and responses to vulnerabilities were distributed between individuals and (formal and informal) organisations. We are also grappling with the convergence of technologies such as Artificial Intelligence with cyberspace and are confronted with examples on a daily basis of how this can lead to inequality, privacy issues and countless other unintended consequences.
One of the causes of these challenges has been described as the ‘race to the bottom’ when it comes to cyber security. Technology companies are pressured to compete for financial survival and hence, release products without the necessary (and expensive) testing, certification and patching. We are also conditioned to treat these products as disposable with relatively short life cycles and little-to-no ongoing security support. There seems to also be a lack of norms, governance and legislation when it comes to the complex social, moral, commercial and geostrategic ‘landscape’ of cyberspace. At the Cyberskills Challenge, I learned of the distinction between Information Technology (IT) and Operational Technology (OT). Which makes addressing the technology challenges of something like a commercial aircraft more complex; with their proprietary hardware/software and their mammoth aviation safety certification requirements.
This is indeed a clash of cultures, often with these perspectives talking past one another. What we have been witnessing is how tecnhology is enabling worldviews to become a reality faster than ever before. For instance, privacy or radical openness – both are competing simultaneously within cyberspace. How do we rationalise the view of technology giants that the metaverse as a utopian escape from physical world with their track record of exploiting us all for our data and attention? How do these things distract from the very real consequences of war and climate change - is it sufficient to us that our Pacific Island neighbours be uploaded to the metaverse? Perhaps we can examine whether continual growth is indeed ‘good’. Newer may not always be better. There has to be more room for conversations on the morality of what we may intend to have positive, altruistic consequences. History has shown us that there are often unintended and unforeseable consequences to technological advancement. Perhaps it’s time to integrate some more wisdom to allow us to judge the impact of our creativity on the interests of the ‘other’.
What I think underpins these views are metaphors such as ‘man versus machine’. Or the myth that growth is always good. Another metaphor worth exploring is human subservience to machine. That is, that we have become the fuel or cogs of the machine. These systems continue to consume human energy and cognition and we risk losing our agency within the system that we cannot explain or control. Is that what we intend? Is this a preferable present/future? What is the value of life?
The Risk Landscape of Cyberspace
On first blush, it seems like there is just so much illegal and malicious activity that no-one can avoid being impacted. It was said at the conference that ‘hackers outnumber defenders’. And there’s always the old stereotype of kids in basements, with keyboards and hoodies, changing the course of global affairs. If you listen to anything from mainstream media, you are probably thinking about going off-grid and pulling out the tin foil hat. I learned a new term during the event - Advanced Persistent Threat (APT). This describes, in short, an adversary with sophisticated levels of expertise and significant resources. APT sits within the mid-to-high tiers of threat actors and covers both criminal and nation state actors. What’s worth emphasising is the term ‘persistent’ - that is, such adversaries could have been within your cyber infrastructure longer than you think; and, they have the motivation to persist until they achieve their aims.
Risk was described as the combination of vulnerability and threat. For someone with an aviation safety background, I have not habituated this way of thinking of risk and threat. To me, risk is consequence and probability. And the hazard is seen through the lens of large data sets. The hazards are from natural or physical phenomena. But the cyber perspective of course makes sense from a security point of view. For the cyber security expert, they see these threats in tiers roughly based on the types of vulnerabilities. That is: vulnerabilities that we know of; those that we don’t know about yet - but there are people looking for them, and the vulnerabilities that are being created by more sophisticated actors. The vulnerabilities can be the result of technical reasons as well as human behaviours. With higher-tier actors having more resources and tradecraft to target vulnerabilities in the physical world.
Interestingly, malicious actors tend to utilise numerous vulnerability exploits simultaneously. This is part of the mindset that aims to conceal novel capabilities as long as possible. Put another way, ‘one doesn’t burn zero days’. So there is inertia to sharing new vulnerabilities. Further, there are many reasons why someone might want to muck with you. It could range from morbid curiosity, to stealing national secrets. Some of it is driven by greed, anarchy, competition, celebrity and/or ego. One needs a great deal of imagination to explore the myriad threat vectors that we face. I think that each is worth unpacking in order to appreciate our risk profile, and wonder whether there is a tendency within the field to value some over others.
This can seem very ‘cat and mouse’ or ‘attack and defend’. There’s a sense of insecurity that’s necessary to function in this world. There are earth-based metaphors like ‘terrain’, ‘surfaces’, ‘ranges’ and ‘bridges’. Perhaps the cybernaut could benefit from literally ‘living off the land’ as part of their training and education. What would our Indigenous populations teach us here? There are also health-based metaphors like, ‘virus’, ‘hygiene’, ‘infection’, ‘poisoning’. How does importing this language help us – could there be interesting insights from doctors, nurses and virologists?
The Cybernaut Experience
I had the great pleasure to meet a wide range of cyber practitioners at the ADF Cyber Skills Challenge event. From beginners to experts and with defence, academic and industry backgrounds. They seemed to struggle with being ‘in the shadows’, constantly operating, undervalued and exposed to traumatic content. These were considered to be just part of the job and possibly being dealt with by the individual as best as they could.
I was amazed that anyone would remain within this realm given these chronic welfare impacts. I recognise that because cyberspace is experienced in the mind of the practioner, it is subjective. I cannot know what it is like to experience reality as anyone other myself. So, how does the idea of wellbeing and duty of care translate to this context, which is inherently impossible to ‘supervise’ in the traditional sense? We are expecting a lot from the cybernaut – guru level of self-awareness while operating constantly and bombarded by all sorts of disturbing content.
We have come a long way in recent decades when it comes to taking mental health seriously within the ADF and society at large. It seems much easier to deal with mental health issues that come from physical deployment than it would from a cyber ‘deployment’. And common stereotypes of the cyber ‘warrior’ or ‘lone wolf’ clash with the necessary collaboration and team work necessary to succeed in cyberspace.
For the military professional, how does the mythology of the ANZAC apply to their circumstances? Are ideas of beach landings, trench warfare and multinational co-operation useful or not? What myths and metaphors already exist within the cyber community? For instance there’s often talk of ‘grey’ as well as ‘black & white’. This is interesting because it assumes that war is black and white to begin with. I can see how things are indeed ‘grey’ – for example, when a cybernaut is poking around where they aren’t expected to be. What’s also interesting is how the cybernaut themselves must take on the role of the ‘red’ in order to protect the ‘blue’. Although they are driven by altruistic motives (the defence of infrastructure, data or intelligence), they must empathise and act as an aggressor. For some, this is their specialty and have made a career out of it. Thus, I think that we must have more-nuanced ways of dealing with cyber other than a fight of ‘good versus evil’.
Reframing the Conversation
I wonder where we are having the conversations about cyber - in high-security basement venues, on the internet, at conferences; and how could we integrate more perspectives into the conversation? My impression so far, is that we could benefit from new ways of exploring the ADF’s relationship to cyberspace (other than the ways with which we got here). And I wonder who the cyber thought leaders of the ADF are? Is there an equivalent to the domain think tanks like the ASPC, SPC-A, AARC and CDR?
The past – burden and responsibility
Cyber’s history within the ADF is one of growing within and out of the three services. This brings ‘baggage’ that is good, bad and neutral – service identity, language, doctrine, domain mindedness, threat landscape, etc. Service Chiefs are also charged with the responsibility for raising, training and sustaining their cyber workforces, as well as ‘cyberworthiness’, cyberspace security and cyberspace operations within their own organisations. No matter how we step forward, we cannot ignore these crucial considerations.
The present – things to resist and to ride
We must work hard to care for the cybernauts witin our organisation, build a level of cyberspace proactivity and encourage collaboration and resource sharing within the ADF. There’s opportunity to develop the strategic thinking about cyberspace across the whole organisation and integrate broader perspectives of cyberspace into ADF conversations. It is critically important that our air and space practitioners develop a level of cyber-mindedness in order to have a two-way conversation with our cybernauts.
The future – fear and hope
It is important that we continue to design and communicate our hopes for the future of cyberspace at all levels – from national strategeic to tactical. This will rely on growing our nasent cybernaut professional masters and investing in their training, education, operational experience, experimentation and membership to informal and formal associations. This way, we may better anticipate emerging threats – both to national security as well as to the long term health and wellbeing of cyber veterans.
[1] I am using this term to describe any cyber practitioner in general (ADF, civilian, state or non-state).