Cyber and the seven questions posed by the Defence Strategic Review
Cyber war and AI

Cyber and AI are reshaping the tech world, banks & unis - but not the Australian Defence organisation.

Written by

Lesley Seebeck

In an age of fast evolving, disruptive digital tools, including emerging forms of AI, how can we reimagine the Australian Defence organisation, including the military, and its functions?

What are the concepts of work, financial frameworks, governance, resourcing models, and skills needed for Defence to be better suited to the 21st century, rather than the 1990s, as now?

These core questions echo those confronting the world’s tech giants, banks and even schools and universities because of cyber and digital disruption—ChatGPT is just the latest, headline example. The cyber elements of the war in Ukraine are less well known, but still surely have lessons for our own military.

But they remain unaddressed, and it’s hard to have confidence that Defence—or key minsters—grasp either the challenges or the opportunities on the evidence of the unclassified Defence Strategic Review (DSR).

That may be the result of deliberate obfuscation through the rewrite. But if even so, that presents further problems. There’s the matter of accountability to the public: the public have a right to expect coherence in both planning and in support of the considerable expenditure of taxpayer funding. And such public documents are important signalling mechanisms to industry and other nations. Words matter: poor exposition can lead to misunderstandings and add to risk.

Which takes me to the DSR’s treatment of cyber. Cyber is a tough topic—it’s ubiquitous, continually evolving, and beyond the ready grasp of governments. The public DSR addresses the problem mainly through using domains, applying deterrence, and then looking at means.

The DSR seeks to tame the wickedness of cyber by forcing it into accepted conventional constructs. For example, it reminds readers several times that there are five domains—air, land, sea, space and cyber—and that Defence must operate, as an integrated force, across all five, granting a sense of equivalency to cyber.

But the implied equivalency does not hold water. Cyber is fundamentally different from the other domains. Cyber resides in physical infrastructure—which mostly resides in civilian hands—in the logical, software layer, and in the cognitive realm, that is, how people use and interact with technological systems. Cyber is the only domain that is entirely human created, and which changes continually through human interaction and ideas. And because digital systems—data, networks, sensors, interpretation—are so embedded in our organisations, economy, and daily lives, cyber affects all other means of operations in a way other domains do not.

Equivalency is explicitly granted to cyber in the context of deterrence (see paragraph 4.4), too, though one could interpret the statement that ‘[d]eterrence strategy and practice is evolving’ as a recognition that matters may indeed change. (Let’s leave aside for the moment the fact that deterrence is not a ‘strategy’ per se.)

The problem here is that deterrence as understood in conventional strategy, or in nuclear strategy, makes no sense in the cyber strategic domain. In cyber, actions are opportunistic, the opportunity space is vast and ever-changing, and the mode of operation is the fait accompli. That means that the threat of denial, punishment, or coercion has little if any meaning or traction.

Deterrence is also largely about what the opponent knows or expects. But in cyber, where attribution is hard and invisibility the modus operandi, signalling, at best, is of limited utility. In turn, the DSR’s expectation that cyber may be used by an adversary for compellance—‘any adversary could seek to coerce Australia through cyber attacks’ (paragraph 4.9)—is questionable. Ukraine has shown how best to offset this possibility, through the uplift of civilian capability and infrastructure, and much less through explicit military means.

For military operations, the utility of cyber lies primarily in the realm of classic intelligence, counter-intelligence—including, as we’ve seen in the early of the war in Ukraine, information security—and obfuscation of enemy perceptions, morale and decision-making through influence operations.

The Ukraine war has also shown that cyber-attacks of the highly anticipated ‘cyber Pearl Harbor’ sort have little battlefield effect. Commanders prefer conventional bombardment as it has greater utility, is more predictable, more reliable, better understood in terms of doctrine and the same tools, the malware, are less likely to be used against your own side once in the wild.

None of this is to suggest cyber has no value. But it is a new and different strategic domain, and one that is not wholly or even primarily in the realm of the military and conventional defence apparatus.

And that makes the prospect of designing the ADF around cyber capabilities, amongst others (paragraph 7.11), hard to envisage. Without a coherent military strategy and concept of operations, cyber will continue to be an add-on and reactive, rather than, for example, baking in information security, hardening of capability and fast adaptation, let alone persistent engagement. Broader information operations need to supplement operations—but that probably should reside outside of military hands, given its broader societal and political implications and potential for blowback.

More likely we will continue to see the continued domination of cyber by the intelligence community and as a tool of intelligence. That’s likely to impede broader utility, accountability, transparency, and potentially, resilience.

For example, it is hard to judge the efficacy of the additional $9.9 billion of REDSPICE added to ASD’s budget over the ten years from 2022-2032—assuming that money has been programmed into ASD over and beyond the forward estimates, not simply announced. ASD has struggled to recruit and retain staff—security clearance processes have not helped, and experienced staff are highly attractive in the private sector.

Nothing in the DSR suggests breakthroughs overcoming persistent problems in both the cyber and information technology areas, though the issues it acknowledges are well-known. Nor have the authors comes to grips with the potential for needed change offered by new technologies, such as AI.

Given there is little new—at least in the public domain—we are left with several further questions.

First, while government policy on cyber is guided preferentially through the lens of intelligence, surveillance, and secrecy, how does the government propose ensure the transparency, public accountability, and attention to democratic norms such as privacy that are essential to resilience in a democracy?

Second, what does a strategy that best engages the cyber strategic domain and its interaction with the conventional strategic domain look like?

Third, what is the military strategy and concept of operations that best engages cyber—and potentially a non-Defence, civilian-led and -run cyber and influence capability?

Last, there is a sense that Defence has withdrawn from its exploration of a role in the grey zone, where cyber is a large factor, as set out in the 2020 Defence Strategic Update. How, to what end, and through what agency, does the government propose to engage in the grey zone?

Such questions suggest that, as least as far as cyber, digital technologies and the fast past of change on the battlefield are concerned, the DSR may well have a short and limited shelf life. And leaves me with a final question: given the time it takes to turn the ship of Defence, can we afford to wait until the iteration of planning in 2024?