Shaping the Cyber Arms Race of the Future

Greg AustinProfessor, Australian Centre for Cyber Security,

UNSW Canberra at the Australian Defence Force Academy

Professorial Fellow, EastWest Institute, New York

ADM 22 June 2016

Arms Race

• NOT A BILATERAL TIT-FOR-TAT EMULATION PROCESS (TOP SECRET, PENTAGON 1981)

• But it is a simultaneous race for the national technological frontier

• … to maximize military capability • Within peace-time budget constraints

( mobilisation for war)• It is shaped by unique national institutions and

power blocs inside the armed forces• It is shaped by technological start points• It tilts posture towards “offensive” thinking and is

dangerous (“security dilemma”)

Cyberspace and Future War

• TODAY: “Cyber war”, no!! “cyber-enabled war”, yes!!• will the cost/benefit relationship in technical development

and use of cyber weapons change in the 10-20 year time frame?

• will the political character of a cyber weapon change as countries accumulate entire cyber arsenals, rather than single cyber weapons?

• does the political character of a cyber weapon change as countries move away from conventional military strategies to information age strategies where information dominance is judged to be the decisive capability?

• 2030: “Cyber-dominant” war • or i-Warfare

Cyber-dominant War

• Not a fifth domain of warfare, but the new commanding heights of all warfare

• Thee layers: physical, logical, persona

• Eight vectors of attack and defence– Software, hardware, network, payload, power

supply, people, policy, ecosystem

• Like all wars: political, economic, social and military elements to achieve a POLITICAL GOAL

i-Warfare

• Combat action in milliseconds• Distributed (fractured) authority• (Re)aggregation of military impacts and forces look very

different• Equalisation of tactical and strategic aspects• Compression and distortion of geography (Russia, China

and USA are now everyone’s neighbor and uninvited house guest)

• All information vectors have a political value• Hyper information environment• Informational well-being (assurance) comes under

sustained threat (every computer is a disinformation dept)

Benchmarks

Future National Defence Postures• China: cyber power intent, cyber S&T intent, distributed cyber war, militia• United States: prompt information dominance, cyber weapons for all, R&D

innovation, military education, civilian reserve• War avoidance and peace building

Future ‘Cyber-dominant war’• Trends in planning (Future technologies of complex cyber attack and

defence)• Case of Critical Infrastructure• Scenario planning• Technologies of decision-making• How much to spend?• Only one answer for Middle Powers?

China2003 • Local war under conditions of informatisaton

2014 • Cyber Power announcement

2015 • Military strategy: “outer space and cyber space” are commanding heights

• “you fight your way, I fight my way”• Cyber militia• PLA cyber attack/defence competitions• Cuts to PLA of 300,000 to help pay for cyber

transition• Unification of tri-services cyber command elements

2020

2030

• initial joint force and civil sector cyber attack capability (“complex cyber attack”)

• China reaches “total war” cyber capability against Taiwan

United States

1990s Joint doctrine (1998), 1st cyber attack in war (1999)

2002 Northrop Grumman Cyber Warfare Integration Network

2010 Cyber Command, Stuxnet revealed

2012 JP 3-13, PPD 12

2013 JP 3-12

2015 “Beyond the Build”: cyber options; new Cyber Strategy. Laws of War Manual on “logic bombs”

2020

2030

President chooses first “cyber before bombs” intervention in Middle EastCyber civil defence becomes a national obsession

War Avoidance

1998 First UNGA resolution on ICT and international security

2006 SCO declaration

2009 SCO Treaty

2010 GGE: increasing state reliance on cyber war

2011 SCO proposal for Code of Conduct

2013 UN GGE: international law applies in cyber space

2015 UN GGE (voluntary norms)Russia/China agreement, US/China “progress”

20202030

States begin to endorse voluntary norms Mutual restraint treaty (for peacetime only)

Trends in Planning Cyber-Dominant War

• Political goals

• Surprise attack and speedn

• Multi-vector, multi-front, multi-theatre

• Sustained, cyber + kinetic

• Resilience in defence

• Advanced Situational awareness

• Scenario planning

Technologies: FireEye RSA 2013

Case of Critical Infrastructure

• The presumption that a control system is “air-gapped” is not an effective cyber security strategy. This has been demonstrated by over 600 assessments.

• Intrusion detection technology is not well developed for control system networks; the average length of time for detection of a malware intrusion is four months and typically identified by a third party.

• The dynamic threat is evolving faster than the cycle of measure and countermeasure, and far faster than the evolution of policy.

• The demand for trained cyber defenders with control systems knowledge vastly exceeds the supply.

Idaho National Lab 21 October 2015

Scenario Planning

Estonia 2007 (a shut down of the financial and banking system)

+ China’s kinetic anti-satellite test 2007 + Stuxnet 2010 (cyber sabotage) + release by the group Anonymous of military personnel data + cutting of undersea cable (numerous incidents) + closing down of civil satellite links (Egypt) + closing down electric grids (U.S. operation in Yugoslavia 1999) + insertion of false data into military systems + attacks on Saudi Aramco + planting malware in civil aviation systems + opening flood gates on dams + closing down military communications.

Decision-making Systems

Middle powers will need to develop complex responsive systems of decision-making for medium intensity war that address:• simultaneous multi-vector, multi-front and multi-theatre

attacks in cyber space by a determined enemy• including against civilian infrastructure and civilians

involved in the war effort. And all of that before we even think about emerging technologies like:• quantum computing, anti-satellite weapons, mass

deployment of drones as distributed airborne C4ISTAR platforms, a return to traditional HF-based communications for cyber activities, and laser-based communications

How much to spend for 2035?

Without cyber-enabled war capability:

• $20 bn fleet of fighter aircraft may not fly

• $30 bn fleet of submarines may stop dead in the water

• Civil infrastructure WILL NOT WORK

cyber war capability spend of $$$ billion?

&/OR Diplomatic strategy of war avoidance

&/OR a home guard (= cyber civil defence)

Only One Option for Middle Powers

• A new form of collective security: what does it look like?

• Necessary dilution of existing blocs and alliances• Necessary shift to civil defence (militia) both for

deterrence and active protection• Build a community of interest around the

concepts of cyber-enabled warfare and war avoidance with a recognised authoritative hub that can unite political, military, diplomatic, business, scientific and technical interests and expertise