The Weight of the Australian Army’s Cyber Body Armour
Abstract
The Australian Army is facing a shifting operational landscape, where nation state actors are pushing boundaries in cyberspace. The Australian Army’s approach to protecting its networks in cyberspace has largely followed that of the broader Australian community and government, prioritising information assurance and reacting with defensive actions. This article contends that this approach is not suitable in modern warfare, as it essentially cedes the initiative to the enemy and may be missing the actual intent of the enemy in the first place. In the future it may be impossible for any entity to fully protect its networks from attack, and options to manoeuvre more freely in cyberspace should be explored to decrease risk in a more proactive and aggressive way.
Introduction
In 2011 the Australian Army learnt a lesson. After years of operating in Iraq through largely vehicle-based operations, the in-service body armour (MCBAS) had evolved to maximise survivability of soldiers. When the operating environment changed and Australian soldiers began conducting more dismounted combat operations in Afghanistan, it was quickly discovered that MCBAS was extremely heavy and decreased agility, endurance and the overall capability of the Australian soldier.1 By treating the risks of the present, the risks of the future had been increased; and today the Australian Army finds itself in a similar predicament in cyberspace. The focus of cybersecurity within the Army is largely centred on industry-based information assurance practices and has led to a penchant for governance, risk and compliance actions to protect sensitive information.2 This focus, however, has resulted in a number of encumbered communications systems that are beginning to make command and control slower.3 As the Army did in 2011, the organisation needs to assess whether this focus on information assurance is appropriate in the future, and whether mobility or lethality in the cyber domain are areas which require further development.
This article will describe the factors that have influenced the development of the Australian Army’s cyber security capability and the changes in the contemporary operating environment that are beginning to pose problems for this capability. It will also describe the actions of some major cyber adversaries and question the actual intent of those organisations and the impact that they are having on the Australian Army’s ability to command and control. Finally, the article will recommend some alternative approaches to cyber security that are more manoeuvre focused and could be added to the overall security mix as part of a more holistic and risk-managed approach.
The Evolution of Army’s Approach to Cybersecurity
There have been two main drivers of the current state of security for the information networks that are utilised within the Australian Army. One has been the traditional approach to communications security (COMSEC), which historically has centred around the use of encryption in radio networks; and the second is a focus on information exchange requirements. The combination of both of these drivers has resulted in the majority of communications networks within the Army being weighed down by multiple layers of cyber body armour, which in turn is having adverse effects on the ability of the Army to manoeuvre in cyberspace.
Encryption has been a part of military communications for thousands of years, starting with simple cyphers employed by the ancient Greeks and evolving to the Advanced Encryption Standard (AES) that protects communications within military communications networks today.4 In the early 20th century the use of encryption to protect radio transmissions was the main, if not only, COMSEC principle employed within the Australian Army. The other elements of COMSEC, such as terrain shielding and emissions control, were often overlooked or forgotten over time. This trend in the Australian Army was amplified by the actions of the US Army, who over the same period had significantly relaxed their emphasis on passive electronic protection procedures and begun operating with Australian forces more regularly in the Middle East.5 To a degree this relaxation was effective as the electronic warfare (EW) assets in this environment could only target the radio transmissions that travelled through the air, and if they were unable to break the encryption, then they could not discern the information within. Communication networks have substantially evolved since this time and are now interconnected through a variety of mechanisms—not just through radio transmissions.6 As such, there are a variety of vectors that can be used by adversaries to target sensitive military information. Modern EW and cyber techniques are more akin to manoeuvre than code breaking, thus requiring more than good armour to combat effectively.
A shift of focus from COMSEC to information security (INFOSEC) can be observed in industry. Modern banks and large companies have realised that even with huge cyber security budgets, it is largely impossible to fully protect their network from attack. They have therefore moved effort away from protecting everything to prioritising the areas of absolute importance and accepting more risk in areas they can afford.7 In a resource-constrained environment, with other major capital projects all pushing for their share of the Defence budget, this approach is not only more effective but also more supportable for the organisation in the long term. Additionally, by lowering the security classification of some networks, one also reduces the governance overheads that come with managing those networks.8 This involves critically analysing the nature of information being shared over the network in question, determining the freedom of action and allowing a commander to accept or transfer risk accordingly.

These steps will assist in shedding the cyber armour that the Army has placed on itself, but a key difference between the military and industry is that the military is able to ‘shoot back’—or indeed ‘shoot first’—in cyberspace. In this sense the Army has an opportunity to emulate the path that it took to reduce the risk to soldiers in 2011, when it implemented lighter body armour across the organisation and traded protection for lethality. In order for such a change to be effective in a cyber context it is important that planners shift their minds to manoeuvre instead of security.
Key to shifting this way of thinking is understanding the current focus on information exchange, and the adverse effects that this focus is having on the agility of the Army’s communications networks. After many years of operational experience in the Middle East, the Army has been shaped towards facilitating office-like information and communications technology. Skype, SharePoint and email were used to increase efficiency and information flow between fixed headquarters in forward operating bases during the counterinsurgency focus of the 2000s.9 As the Army shifted its focus to more traditional brigade-level manoeuvre operations in subsequent years, the challenge for the communications specialists was how to deliver the same services in a more mobile and agile package. The Battlefield Management System (BMS) was pursued to solve this problem. Instead of requiring strategic, office-based computer networks, a tactical and mobile network was designed to enhance the communications capabilities of the Army at brigade level and below.10 This network has come with its challenges (some of which could be solved by moving away from Type 1 encryption as explained below); but it demonstrates how the Army understood that being fixed in forward operating bases with large servers and satellite bearers was not going to be an effective way to operate in the modern battle space.
These steps are encouraging, but ultimately are still reactive in nature and, to a degree, permanently surrender the initiative to the enemy. In addition, the discussions within the Army at this point in time are still anchored in the physical nature of communications systems and their mobility in the battle space. The next logical step is to be just as agile in the cyber and electromagnetic domains as the Army is attempting to be in the physical domain. Once this step has been taken, it will be important for the Army to use this agility and capacity to become more lethal and move away from the passive approach that exists currently.
The Evolving Threat
In 2011 not only did the environment and operational requirements in which the Australian Army was deployed change; so too did the enemy. The enemy that Australia is facing in cyberspace is similarly changing today. In recent times the Bureau of Meteorology, federal parliament and the Australian National University have been victims of sophisticated cyber attacks.11 The majority of discussion regarding the intent of the advanced capabilities used in those situations has posited that the ‘enemy’ was seeking to gain access to valuable information. Whilst this is likely true, there are important second- and third-order effects of these attacks that are largely absent from general discourse. Generally, in the aftermath of a cyber attack the organisation that was targeted reacts by expelling the threat and then implementing a raft of additional security controls to stop similar attacks from being conducted in the future.12 If the intent of the enemy is to gain information, then largely this approach is appropriate, albeit completely reactive. But what if the intent of the attacks was actually focused on increasing the governance and management overheads of the IT industry? This article proposes that the actual goal of these state actors is to influence the standards and procedures employed on the more sensitive and highly classified networks, through cyber-probing attacks on unclassified networks.
The Australian Cyber Security Centre (ACSC) leads the efforts of the Australian Government (including the Australian Army) to improve cyber security.13 As such, the way in which information security is governed within the Army is the same as it is in broader Australian society. As trends and practices develop in one sphere, they influence the other. By attacking unclassified networks, the enemy is eliciting a known response: the ACSC recommending that organisations adopt additional network security controls.14 These recommendations are then adopted by the ADF and subsequently the Army, thus adding to the management and governance overheads of their networks. These overheads require resources, personnel and time to implement and operate—or, in other words, add additional layers of cyber body armour. This armour degrades command and control of the Army by making the networks increasingly complex to manage and difficult to communicate across.
The third-order effect is that Australia influences the network standards of other countries, in particular those in the Five Eyes Alliance, through considerations of interoperability.15 Therefore, seemingly benign attacks on civilian unclassified networks can even affect multiple other countries as well as Australia. A simple example of this is the password requirements that most computer systems have, which require a user to change their password each month and use a combination of letters and numbers. This requirement was identified by a security researcher in a study and was subsequently adopted by the US, which then required other nations to do the same if they wanted to share information with US networks. Unfortunately the person who came up with these password requirements has since stated that those password requirements probably haven’t improved security at all and have only made people forget passwords at regular intervals.16
These second- and third-order effects from sophisticated cyber attacks are far more damaging than any single instance of information compromise. The tactics that the Australian Army will have to employ in order to effectively coordinate cyber defence against this new enemy will require more than simply implementing security controls. As in other manoeuvre operations, the environment and enemy will need to be analysed in detail before a response is formulated.
Moving Away from Cyber Security towards Cyber Manoeuvre
One of the initial areas where a manoeuvrist approach can be applied to the Army’s communications networks is in tactical communications. The majority of the Army’s radio communications networks are encrypted to the highest standards, which have been assessed by some commentators as ‘overkill’ for the sensitivity of the information passed over those networks.17 If the Army were to reduce the level of standardised encryption at the brigade level and below to lower commercial standards, it would be able to realise a significant number of efficiencies from the cost per unit of each radio to the overall governance and fleet management requirements. Additionally, this would generate an opportunity in that other communication devices and methods would be easier to implement at the tactical level if commercial encryption standards were employed. Mobile devices, 5G technology and the broader internet are all part of the modern battle space, and being able to manoeuvre within this environment will be key in reducing the risk that using lower encryption standards entails.
If this is not managed carefully there is a significant risk that soldiers can expose their organisation to attack both virtually and physically. This was seen in the Ukrainian military in 2014–2016, when a number of artillery units used an open-source Android application for processing targeting data more quickly. This application was posted on an internet blog site and quickly compromised by Russian hackers, and the Ukrainian artillery locations were subsequently geolocated and destroyed.18 If these devices had been managed by the Ukrainian military and hosted on an internal network, this cyber attack would have been less likely to occur. Indeed if this had been the case, the Russian hackers and EW assets would only have known that mobile devices were in use within the battle space, which would not have been enough information to expose the Ukrainian positions.
The COMSEC mindset has left the Army vulnerable in the modern operating environment, as it fails to take into account the electronic signature which is left behind. An example of this can be seen in the following scenario. If a tactical element of the Army was employing a network that utilised exclusive high-end military encryption in South-East Asia, this would probably look strange to a modern EW or cyber state actor. This would be due to the lack of availability of both the military sections of the electromagnetic spectrum and high-end encryption to the general public, or to those nations’ militaries. The presence of the abnormal has been an indicator of threat in the battlefield for a long time, and it is no different in cyberspace. As such, if a network is employed that uses commercial standards, there is more ambient noise in which that network can hide.19 Therefore, the risk of compromise can be reduced by using camouflage and concealment, as opposed to technically hardening a system. For this approach to be successful, commanders in the future should make decisions prior to a mission commencing about what they want their electronic signature to look like at various stages of the battle and be prepared to shift it to suit the mission, environment and threat. Similar methods of deception can also be used within the networks themselves to increase mobility internally. This implies that the Army should be more accepting that a level of compromise is likely in the modern context, which is another shift in attitude away from the COMSEC approach of the past.
From the standpoint of a computer network, Army has taken a similar overburdened approach as with tactical communications networks. The implementation and operation of security controls within an information systems environment is a difficult and time-consuming task.20 By not taking a layered and nuanced approach to classification, the Australian Army has inadvertently increased the cyber body armour it has applied to itself. The Army (and ADF more broadly) has made the assessment that the majority of operational communications are sensitive and has subsequently classified its networks that store that information to the highest levels,21 thereby putting the highest priority on confidentiality. In doing so, the organisation has created myriad networks with stringent controls that require a great deal of effort to maintain. Again, the proliferation of threats and vulnerabilities, such as ‘insider threats’, social media and signals intelligence will make the impenetrability of these networks almost impossible to maintain in perpetuity.22 Potentially a more effective way forward is to reduce the scope of the network hardening efforts to the truly important information and increase the efforts going into proactive measures to disrupt or degrade potential adversaries.
In an Army context, this creates the potential for BMS to become the line of demarcation between the national secret networks employed at higher headquarters and the tactical networks employed at battle group and below. At battle group and below, availability, capacity and flexibility are considered more valuable than confidentiality. Risk can therefore be taken at these lower levels and, if the networks are logically separated, be more closely managed at higher headquarters. The intent of these activities should not be to prevent but to delay, as that is far more achievable in the modern environment. Additionally, a layered approach can also reduce the overall burden of cyber governance and free up effort for the Army to be more manoeuvrist in other areas of its networks.
Honeypots in cyberspace are sacrificial computer systems designed to attract cyberattacks to gain information about system vulnerabilities and attackers. The use of honeypots as a means to be more proactive in cyber defence is one area that can be explored with this additional capacity. Honeypots within cyber security have been effective in complementing traditional intrusion detection systems by providing a more active and in-depth view of an adversary’s activities.23 In essence these honeypots can be used to attract an attacker by looking like valuable information, which, to continue the thread of military analogies, works quite similarly to a dummy position. What is important to note here is that the approach of a honeypot is more manoeuvrist than attritionist in nature, and reduces the spread of defensive effort across the entire network. In addition, it accepts that the network may not be impenetrable and that a level of compromise in the future may be unavoidable.

Deception is not the only area in which improvements can be made to the Army’s movement away from cyber security and towards manoeuvre. As in other areas of the Army, the cyber defence capabilities will be required to shoot back at their adversaries to achieve victory. The defensive cyber capabilities which the Army produces in the future should also focus on actively disrupting the offensive cyber capabilities of the adversaries that are targeting them. A number of European nations have been dealing with persistent and capable cyber adversaries for a number of years and have adopted this approach.24 As with defensive routine in an infantry setting, the Army does not just focus on digging trenches and developing the defensive position. Risk in this context is reduced by active patrolling and other offensive activities; it is no different in cyberspace. The defensive cyber teams employed by the Army in the future can be used to disrupt the access their adversaries have in the operating environment, or to identify high-value targets to be destroyed kinetically. This use is a paradigm shift from the current focus of the Australian offensive cyber capability, which to date has been used in support of counter-terrorist activities.25 Coordination between the defensive teams who work internally within Army networks and the offensive teams who action targets externally will be critical in achieving a complete defensive effect—especially in periods of open conflict.
Conclusion
The adoption of information and communications technology within the Army has led to some great improvements of information flow and business efficiency. However, as the operational threat landscape has evolved, these networks have become increasingly vulnerable to attack and compromise. The response by the Army to protect the networks has been greatly shaped by its experience in combating conventional EW and the provision of information to a commander. Unfortunately this response falls short of its aspiration, as the defensive and reactive themes that have manifested essentially cede the initiative to the adversary. Indeed the majority of actions do not analyse the intent of the enemy at all. In order to achieve a more holistic cyber defence effect, the Army needs to take a manoeuvrist approach and take proactive steps to minimise risk. This will involve assessing the importance of various information flows and establishing a layered defence that will reduce the burden of the cyber body armour currently worn by the Army. Once this armour has been shed, the additional capacity can be used to add deception and counterattacks to the overall defensive effort, allowing the Army to more effectively manoeuvre in the cyber domain. As for the Australian soldier in 2011, these efforts will lead to a more effective capability in the modern operational environment.
Endnotes
1 Chris Brady, Derrek Lush and Tom Chapman, 2011, A Review of the Soldier’s Equipment Burden (Edinburgh, SA: Land Operations Division, DSTO).
2 Kim Lindros, ‘What is GRC and Why Do You Need It?’, CIO website, 11 July 2017, at: https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it…
3 Christopher Paul, 2018, Improving C2 and Situational Awareness for Operations in and through the Information Environment (Santa Monica, CA: RAND Corporation).
4 Tony Damico, 2009, ‘A Brief History of Cryptography’, Inquiries Journal 1, no. 11.
5 Andrew H Boyd, 2017, Satellite and Ground Communications Systems: Space and Electronic Warfare Threats to the United States Army, The Land Warfare Papers No. 115 (Arlington, VA: The Institute of Land Warfare).
6 Arthur Gordon, ‘Tactical Radios—It’s Time to Do More Than Just Talk!’, Defence Review Asia, 19 September 2012.
7 Kim Loy, ‘5 Emerging Risk Management and Security Trends in Banking’, Security magazine website, 30 October 2018, at: https://www.securitymagazine.com/articles/89528-emerging-risk-management-and-security-trends-in-banking
8 Deb Bodeau et al., 2010, Cyber Security Governance: A Component of MITRE’s Cyber Prep Methodology (MITRE).
9 Jacob Marshall, 2017, ‘Enabling C2 Survivability—Deception, Technology and Redundancy’, Grounded Curiosity blog, 1 November 2017.
10 Damien de Pyle, ‘Army’s BMS Mess’, The Cove website, 21 August 2019.
11 Michael Vincent, ‘Suspicion Falls on China after Cyber Attack on Australian Parliament— and it’s not surprising’, ABC News website, 9 February 2019. Accessed 30 October 2019 at: https://www.abc.net.au/news/2019-02-08/australian-parliament-cyber-secu…
12 Joseph Failla, ‘Incident Response: How to Build Cyber Resilience in 2019’, CSO website, 30 January 2019. Accessed 30 October 2019 at: https://www2.cso.com.au/article/656875/incident-response-how-build-cyber-resilience-2019/
13 Australian Signals Directorate, ‘About the ACSC’, Australian Cyber Security Centre website. Accessed 30 October 2019 at: https://www.cyber.gov.au/about
14 It is easy to see from a review of the ACSC website that every security advisory report has associated mitigation suggestions, all of which involve some level of additional network controls. An example is ‘Microsoft Windows Security Vulnerability—“BlueKeep” (CVE-2019-0708)’, at: https://www.cyber.gov.au/acsc/view-all-content/alerts/microsoft-windows…
15 Cyrus Farivar, ‘Australia Advocates Weakening Strong Crypto at Upcoming “Five Eyes” Meeting’, Ars Technica website, 26 June 2017. Accessed 30 October 2019 at: https://arstechnica.com/tech-policy/2017/06/australia-to-target-encrypted-messaging-apps-at-upcoming-security-meeting/
16 Naveen Goud, n.d., ‘Password Security Bible Fails to Curb Cyber Attacks!’, Cybersecurity Insiders website. Accessed 30 October 2019 at: https://www.cybersecurity-insiders.com/password-security-bible-fails-to-curb-cyber-attacks/
17 Martin White, 2014, ‘Operational Security in the Digital Age: Who Is Being Targeted?’, Australian Army Journal XI, no. 2, 11–12.
18 Dustin Volz, ‘Russian Hackers Tracked Ukrainian Artillery Units Using Android Implant: Report’, Reuters website. Accessed 25 May 2020 at: https://www.reuters.com/article/us-cyber-ukraine/russian-hackers-tracked-ukranian-artillery-units-using-android-implant-report-idUSKBN14B0CU
19 Martin White, 2019, ‘The Changing Operational Security Landscape for Sensitive National Capabilities’, Security Challenges 15, no. 1, 63–74.
20 IMPACT, 2005, Developing a Successful Governance Strategy: A Best Practice Guide for Decision Makers in IT (Manchester: National Computing Centre), 48–52.
21 White, 2019.
22 Ibid.
23 Emmanouil Vasilomanolakis et al., 2015, ‘A Honeypot-Driven Cyber Incident Monitor: Lessons Learned and Steps Ahead’, Proceedings of the 8th International Conference on Security of Information and Networks (New York, NY: ACM), 158–164.
24 James Lewis, 2015, The Role of Offensive Cyber Operations in NATO’s Collective Defence, Tallinn Paper No. 8 (NATO Cooperative Cyber Defence Centre of Excellence).
25 Mike Burgess, ‘Director-General ASD speech to the Lowy Institute’, 27 March 2019, transcript at: https://www.asd.gov.au/publications/speech-lowy-institute-speech