The federal government needs to provide more clarity on its cyber warfare capabilities and substantially increase funding to offensive cyber development to remain competitive, according to an Australian Strategic Policy Institute paper.
The new report, by ASPI International Cyber Policy Centre chief Fergus Hanson and visiting cyber security fellow Tom Uren, aims to “further clarify the nature of Australia’s offensive cyber capability” and provides a number of recommendations to government.
It found the Australian Signals Directorate faced significant competition with the private sector in attracting cyber talent, and needed to both improve its recruitment efforts and increase salaries.
It said the government must improve the way it communicates its cyber warfare capability and lower classification levels in order to bring the private sector on board.
The think tank defines cyber warfare as involving “activities in cyberspace that manipulate, deny, disrupt, degrade or destroy targeted computers, information systems or networks”.
In 2016, the Turnbull Government became one of the first in the world to confirm its offensive cyber capabilities. Later that year, it also confirmed it had used this capability to target the Islamic State, while in 2017 Australia became the first to say openly that its offensive cyber capabilities would be used to target “organised offshore cyber criminals”.
The government also last year launched the Information Warfare Division within the Australian Defence Force.
While the government’s transparency on this issue was “commendable”, it had led to some complications and created confusion around what this actually involved, the report found.
“This commendably transparent approach to telegraphing our capability and intentions hasn’t been without challenges,” Mr Hanson and Mr Uren said in the report.
“In some cases, these communications have created confusion and misperceptions. There’s a disconnect between popular perceptions, typified by phrases like ‘cyber Pearl Harbour’, and the reality of offensive cyber operations, and reporting has at times misrepresented how these tools will be used.
“While these disclosures have raised awareness of Australia’s offensive cyber capability, the limited accompanying detail has meant that the ensuing public debate has often been inaccurate or misleading.”
The Institute said government needs to be more careful with the way it communicates its cyber warfare capabilities.
“The limited detail and mixed reporting of the announcement that Australia would use offensive capability against offshore cybercriminals inadvertently sent the message that it was acceptable for states to launch cyberattacks against people overseas whom they considered to be criminals,” the report said.
“The Australian government should be careful when publicly discussing the offensive capability, particularly to distinguish the military and law enforcement roles.”
The government’s cyber warfare capabilities sit within the ASD, and the organisation is currently struggling to compete against the private sector for the best cyber talent, the report found.
Recruitment is currently a “major hurdle”, and the ASD has to “invest heavily” in training, increase salaries and develop an extensive alumni network that encourages former staff to return after stints in the private sector.
The report also recommended that the government lower classification levels for some information in order to have a more cooperative and mutually beneficial relationship with private sector firms.
“The government should continue to scope the potential benefits from lowering the classification of information associated with offensive cyber operations. Excessive classification slows potentially valuable two-way information exchange with the information security community,” it said.
Unlike traditional warfare, cyber can be easily countered by adversaries after it is used for the first time, so the government needs to invest heavily to improve Australia’s asymmetric capability, the think tank said.
“Given the limits of what can be achieved with current spending on conventional kit, the Australian government should consider conducting a cost-benefit analysis on the relative value of substantial further spending on cyber to provide it with an asymmetric capability against future adversaries,” the report said.
“This would need to include a considerable investment in training.”
Legislation should also be introduced allowing the Australian Defence Force to deploy offensive cyber capabilities without obtaining approval from national authorities, the report said.
“The ADF will inevitably need to incorporate offensive cyber on the battlefield as a way to create local effects, including force protection measures and to deliver effects currently generated by electronic warfare,” it said.
“It should not always be necessary to reach back to the national authorities for clear-cut and time critical battlefield decisions.
“There appears to be scope to update the existing policy and legislative framework that governs the employment of offensive cyber in deployed operations to support those kinds of activities.”