Retired US Navy Rear-Admiral Mike Brown has spent a lot of time grappling with Cyber as the fifth domain of warfare, and as a pioneer in developing only operational capability and helping to define doctrine.
Cyber warfare is less conventionally understood than the first four domains of Land, Sea, Air and Space. Outside of military, intelligence and specialist government services, it is only very recently that the mainstream has grasped cyber as a powerful instrument of war.
These days Mr Brown is vice-president and general manager for security specialist RSA’s Global Public Sector Business. It’s a role he is suited to. But on retiring from the military, he spend time in the US federal government, first with the Department of Defence and then with the Department of Homeland Security in the post 9/11 years focused on cyber security issues.
His last active role inside the US Government was as Director of CyberSecurity Coordination for DHS. Mr Brown’s background gives him an excellent vantage point to view global cyber trends.
It gives an interesting perspective on Prime Minister Malcolm Turnbull’s proposed Home Affairs super-ministry to be led by Peter Dutton. The proposal would bring together federal intelligence and law enforcement agencies with the Immigration and Border Protection functions in government.
Such an Australian Home Affairs office does not exactly mirror the Homeland Security department in the US. But the bringing together of different silos of intelligence and operations are not dissimilar, and many of the issues that such a restructure will face are the same.
In this podcast, Mike Brown talks candidly about issues ranging from the development of offensive cyber capability in the military over the past 20 years – and the development of cyber doctrine to manage their use.
He talks about the challenges to business and government of the currently cyber threat landscape, and the difficulties government face in creating policy and regulation that keep people – and the economy – safe while still enabling innovation.
And he gives some specific thinking on today’s international regulatory environment – including the potential impact of the EU’s pending General Data Protection Regulation (GDPR) and of Australia’s coming mandatory breach notification regime.
When Malcolm Turnbull unveiled Australia’s Cyber Security Strategy 15 months ago he outlined in the broadest terms the significant offensive cyber capabilities the government has at its disposal – and its willingness to use those capabilities in certain circumstances.
It was the first time a Prime Minister had so openly talked about an offensive capability that had long been assumed to exist.
Mike Brown says the US has had a focus for 20 years on how to develop the capabilities inside cyber to run operations that would allow for defensive capability, offensive capability – and an exploitation capability in relation to the intelligence piece.
From the early days when the first joint operational command was set up in 1998 – the JTF Computer Network Defence which Mr Brown was involved in – there have been a bunch of different operational constructs before arriving at the US Cyber Command which organises both offensive and defensive capabilities.
“The thing that we really had to overcome inside the US government was deciding what truly [constituted] a cyber operation,” Mr Brown said. “And what we discovered and decided was that cyber is simply another domain.”
“It is the equivalent of maritime operations, air operations, ground operations and space operations. It is the fifth domain and we need to be able to – as a country, as a military – to operate in that domain,” he said.
“And that helped to bring around some policy and some structure – and most importantly from a military point of view, [it brought about] doctrine.”
The issue of doctrine is a fascinating one. It refers to the belief systems and structures that govern how a military organisation will conduct itself, what its operations will look like and under what circumstances.
Cyber doctrine is in its “extremely early days” but has developed rapidly in the 20 years of activity in the US. It is doctrine that governs behaviour, how the organisation will respond to a given set of circumstances.
It is a cultural concept, and as such it is not so surprising that 20 years is considered a short amount of time in such a fast changing technology environment.
Much depends on the language of cyber, something that Malcolm Turnbull also noted in launching the Australia’s Cyber Security Strategy. Unless there is a common international language developed around cyber, there is an increased risk of misunderstandings between nation states around the severity of cyber incidents.
Mike Brown says the appointment of an Australian Cyber Ambassador as a credentialed diplomat of the Department of Foreign Affairs and Trade – Dr Tobias Feakin – is a very good idea. It is increasingly common across governments as the reliance on digital communications – and the digital economy – has grown.
An international language around cyber is critical because it helps to define behaviour.
“How do we create the appropriate standards of behaviour – the norms, or the expectations – and then hold people accountable, hold organisations accountable,” he said.
“And how do we work together, in a global economy. Cyber is global.”
“We always talk about the need to bring the full range of the whole-of-government capability to any given situation,” Mr Brown said. “We’re talking diplomacy, intelligence [services], military or defence operations, and that’s where cyber is fitting in right now …. It is another arrow in the quiver.”