As China and Russia stepped up their offensive cyber capabilities, Australia responded in the 2016 defence white paper by investing $400 million in improving its ability to protect its own systems and to respond to attacks.
That included creating an Information Warfare Division in the Australian Defence Force with responsibility for both offensive and defensive cyber activities. The goal was to make the ADF, and the Department of Defence more broadly, an integral part of the nation’s cybersecurity capability.
The increased focus on cybersecurity was timely given Moscow’s escalating use of cyber tools for online influence operations and China’s open ambitions to become a ‘cyber superpower’. Last month’s revelation that hackers accessed the computer systems of Australian defence shipbuilder Austal underscores the need for the government to further increase Australia’s cyber capability—not just to harden public institutions against attacks, but to encourage and enable the private sector to do likewise.
Australia’s cyber defences can only be as good as the people employed to set them up and operate them. If the Information Warfare Division is going to generate an effective offensive and defensive cyber capability, it needs to attract skilled and intelligent young workers. Unfortunately, there’s already a shortage of cyber professionals in Australia and it will be difficult for the division to get the new talent it needs.
The division had 100 staff when it was launched in July 2017. In 2018, 49 Defence personnel graduated from the inaugural ‘Accelerated Defensive Cyber Training’ course, which the ADF plans to run again in 2019 and 2020. Unless it increases cohort sizes or runs more than one course a year, Defence won’t be able to generate the 900 staff that the division has aimed to recruit by 2027.
In fact, the division needs more than 900. A standing force of that size requires a supply pool of around 3,000 trained personnel to allow for leave, reassignment to other posts and turnover.
The announcement that Elbit Systems of Australia has been awarded a three-year contract to provide further cyber training to the ADF will go some way towards helping qualify the required number of operators. The 49 graduates of the accelerated training course will be the first personnel to use the new cyber training range.
Defence must ensure that high-ranking ADF members in command positions are also receiving cyber education and training so that they’re well equipped to effectively lead on cyber issues.
The cyber threats to Australia are only going to increase. Because the Information Warfare Division will be expected to contribute offensive cyber capabilities to the battlespace, the ADF will need to have a comprehensive policy and legislative framework governing the employment of offensive cyber in operations. The division needs clear direction and an actionable policy to be able to translate the government’s strategic intent into operational and tactical success.
If a clear policy framework isn’t developed that outlines how the ADF is to do this, there’s a risk that money and capability won’t be used effectively.