Generating Joint Cyber Capability

Bottom line up front

Cyber warfare is growing as a domain of warfare but requires a different approach than the environmental domains. The individual services are not large enough to effectively generate cyber warfare capability and therefore Australian Defence Force (ADF) cyber operations must be a truly Joint enterprise. This will involve a raise, train, sustain and deliver model more similar to Special Forces than conventional capabilities, with Joint funding and direction, and the human capability lifecycle managed by one service rather than all three.

The impetus to act

Cyber, as a component of information warfare, has been recognised as the ‘Fifth Domain’ alongside land, sea, air and space in US doctrine since 1995 and by the North Atlantic Trade Organisation (NATO) since 2016. The ADF, although self-described as a ‘network-centric force’, has been slow to develop cyber warfare doctrine and capability. Partly this has been due to the shortage of a trained cyber workforce across Australia. Partly it has been due to organisational resistance, or lack of understanding, from a defence force that has always been led by manoeuvre commanders, fighter pilots and warship captains—leaders most comfortable with kinetic effects. The ADF must recognise the significance of the Fifth Domain if we are to meet the future threat environment.

The 2016 Defence White Paper identifies that ‘the Government is committed to ensuring that Australia can address the growing cyber threat’. The cyber threat is real. State-sponsored actors are already delivering effects in this domain, including against Australia. Austal, a defence shipbuilder, was hacked in October 2018. Australian parliamentary networks were hacked in February 2019, and the Australian National University—home to advanced research with both civilian and military applications—was reportedly hacked in September 2019. Following escalations in the Strait of Hormuz, including the seizure of merchant traffic and shooting down of drones, US officials publicly announced a series of cyberattacks on Iran that had degraded Iran’s ability to target shipping in the Persian Gulf. Meanwhile, our Defence networks routinely come under attack. So far, cyber warfare has been seen primarily at a strategic level but the future almost certainly will involve operational and tactical-level effects.

What the ADF is currently doing

The ADF now recognises the imperative to develop a cyber workforce. Information Warfare Division (IWD) was established in July 2017 under Joint Capabilities Group (JCG) to oversee and develop an ADF cyber capability. The single services have pushed ahead in developing their own capabilities through RAAF’s cyber warfare offices and operators, Navy’s cryptologic networks sailors and elements of Army’s Signal Corps. Each service now has a nascent cyber capability. However, these single-service workforces are frail, with high separation rates. Many of the ADF’s relatively few cyber operators feel frustrated by the teething problems of establishing a new capability within each service and, at the same time, are tempted by the promise of higher pay in private sector or a better developed workforce inside the Australian Signals Directorate (ASD). They also see their colleagues in the Joint Cyber Unit being afforded better opportunities for skill development and deployment. Meanwhile, the Joint effort is undermined by the separate and competing interests of the single services. Although Joint Capabilities Group has developed a Joint Cyber Workforce Framework that identifies operational and enabling roles, knowledge and skill requirements, the single services have already presented cases to the Defence Force Remuneration Tribunal that are not aligned to this Joint framework. Further, the limited pool of cyber practitioners is inefficiently harnessed when split between the competing priorities of each service. ADF operations are increasingly Joint and rely on shared networks, the defence of which must therefore be prioritised as a Joint process. From an offensive perspective, cyber effects should be prioritised and allocated through the Joint Targeting process. The current single and Joint service model is a reaction to current workforce limitations rather than future requirements.

The core problem is that the ADF still does not recognise that cyber is a warfare domain in its own right. The ADF approach to cyber is based on understanding cyber as an enabler to other domains rather than a domain in itself. As enabler, cyber sits with communications and logistics as a requirement for each single-service; each service has its own unique terrain, requirements and priorities and therefore must generate its own enabling capabilities. However, the ‘cyber as an enabler’ concept is too narrow. The cyber domain has its own terrain, both virtual and physical infrastructure, its own rules, and can deliver kinetic and non-kinetic effects. More so than other domains, the cyber domain is contested by state and non-state actors, is deeply integrated into civilian and military endeavour, and lacks the geographical bounds of the traditional domains. The cyber domain intersects each environmental domain, but cyber operations do not require practitioners of the corresponding environmental service. Army networks could be defended equally by Army, RAAF or Navy operators in a mature model, and vice-versa.

Unfortunately, the ADF’s current model for generating cyber capability is based on the American single-service model. This is unwise because of the disparity in size and resources of the ADF compared to the US military. The US military has more than 50,000 uniformed personnel in its cyber workforce, compared to fewer than 300 in the ADF, as shown in Figure 2 (note that not all ADF cyber elements are depicted).

This means that the US is large enough to generate meaningful cyber capabilities within each service. The US Navy 10th Fleet, which is devoted solely to cyber warfare, is larger than the entire Royal Australian Navy (RAN). This gives economies of scale to single-service capabilities that the ADF will never have. By having each service produce its own policy, workforce frameworks, training pipelines and C2 structures—as is currently occurring—the ADF is duplicating effort and reducing interoperability. The current model is less a reflection of genuinely different single-service requirements and more a reflection of the fact that the ADF’s raise, train and sustain function resides with the single services. For us to enjoy our own economies of scale, we must take a different approach.

The solution

The ADF must recognise that cyber operations capability will be most effectively delivered as an exclusively Joint enterprise. My proposed ADF Cyber Command would sit under Information Warfare division and be responsible for operational control and technical control of the ADF’s cyber operations capability. It would also oversee the integration of ADF cyber into the whole-of-government effort. This is similar to the model in place for Special Operations—albeit less Army-centric—or electronic warfare, through Joint Electronic Warfare Operational Support Unit (JEWOSU). Putting the cyber operations capability under Joint command, and removing it from the single-services, will reduce the duplication of effort that currently exists and allow for more effective prioritisation and employment of the scarce cyber workforce.

In order to enjoy efficiencies in force generation and management of the human capability lifecycle, I additionally propose that the workforce be managed by one single service, rather than by all three. There are two main arguments for this. First, it will allow for better management of personnel, which is good for retention and allows for the creation of a more robust career structure for both officers and enlisted due to a larger workforce pool. Second, by having one service responsible, the workforce can be designed from the ground up (i.e. from recruitment, through initial employment training and advanced training) to align to Joint cyber workforce requirements as developed by JCG. Under the current model, different pay cases and job specifications, with different training and employment plans, have already been presented to Defence Force Remuneration Tribunal, which will create problems down the line for integrating cyber personnel of each individual service within a Joint effort. For example, RAAF have implemented Cyber Warfare Officer and Cyber Warfare Analyst (officer and enlisted, respectively) musterings, whereas Navy and Army will not have cyber officers as there isn’t critical mass (more than 50 positions) to make a viable career pathway.

While any of the single-services could take responsibility for managing the cyber human capability lifecycle, I argue that it should be RAAF. The RAAF currently has the best developed cyber workforce; already manages a similar capability, electronic warfare, through JEWOSU; and has the best retention of the three, which is vital when training cyber operators takes so long and costs so much.

ADF Cyber Command, as a component of Information Warfare Division, would be similar to Special Operations Command (SOCOM) as a bespoke capability that provides value to the whole of defence. Personnel from all services or off the street could be identified for ‘cyber’ service, as they are for Special Air Service Regiment (SASR) or 2 Command Regiment (2CDO), but once they’re in, they go through a common cyber pipeline and are employed according to Joint requirements.

But what about the unique context of each single service?

One of the main arguments for having cyber capabilities within each service is based on each service having unique platforms and operating environments. For example, the Navy operates a lot of Industrial Control Systems (ICS) on our ships. However, under a Joint cyber capability model, this would be overcome through reinforcement training cycles that provide baseline cyber skills to all personnel before specialising them into specific areas such as ICS, penetration testing, threat emulation etc. Again, Special Forces provide a good model. All beret-qualified SASR are trained in parachuting—that’s the baseline capability. Then, through reinforcement cycles, SASR personnel gain specialist skills—underwater operations, sniper, etc. Special Forces performing clandestine operations from a submarine do not need to have previously been submariners before becoming SASR. Likewise, cyber operators defending Navy networks, if appropriately trained, do not need to wear grey uniforms.

In fact, having each single service focus on the small part of the cyber domain that it deems most relevant (e.g. Navy with ICS) is counterproductive. It stovepipes capability. It means that the personnel of each service may not be adequately exposed to the whole cyber domain, which could result in each single service developing blind spots that can then be exploited by adversaries. For example, although Navy does have more ICS than the other services, it also still operates a lot of IP-based networks and therefore needs skills in those areas. Likewise, if Navy owns the ICS capability, will it also defend RAAF’s fuel farms that run on ICS? And, if Navy personnel can defend RAAF ICS networks, because they are the personnel trained in ICS, does this not indicate that there was not a genuine single service requirement? Or, conversely, if RAAF must train its own personnel in ICS as well, and each single service must be competent across all areas of the cyber domain, then why not have one cyber workforce instead of three?

Who does cyber security?

How does cyber security fit into this model if the single-service cyber units are disbanded? Here we need to make a distinction between cyber operations, a Joint capability, and cybersecurity/information assurance, which should be maintained at the single-service level by communications/signals categories and as part of the engineering process. In the mature state for which the ADF must plan, cybersecurity must be business as usual for all parts of Defence. Meanwhile, high-end cyber operators are too scarce a resource to spend on information assurance audits, just as beret-qualified SAS are too scarce to use for manning an armoury.

So what needs to happen?

A change in direction now appears like a lot of work and appears to undo the progress that each single service has made over the past two years. However, it is only two years of progress—and it won’t all be wasted. While the ADF’s cyber operations capability is still young is the perfect time for reorganisation and establishing the right foundations. Ultimately, cyber warfare is a sufficient threat that it demands innovative responses. When military aviation first emerged in the First World War, it was Army Aviation Corps. By the end of the war, strategists and policy-makers recognised that aviation had opened up a whole new domain: the air. Thus emerged the Air Force. We don’t need a whole new cyber service, but we do need to recognise that success in this domain requires a new approach. That approach is Joint.