shaping the cyber arms race of the future · shaping the cyber arms race of the future greg austin...
TRANSCRIPT
Shaping the Cyber Arms Race of the Future
Greg AustinProfessor, Australian Centre for Cyber Security,
UNSW Canberra at the Australian Defence Force Academy
Professorial Fellow, EastWest Institute, New York
ADM 22 June 2016
Arms Race
• NOT A BILATERAL TIT-FOR-TAT EMULATION PROCESS (TOP SECRET, PENTAGON 1981)
• But it is a simultaneous race for the national technological frontier
• … to maximize military capability • Within peace-time budget constraints
( mobilisation for war)• It is shaped by unique national institutions and
power blocs inside the armed forces• It is shaped by technological start points• It tilts posture towards “offensive” thinking and is
dangerous (“security dilemma”)
Cyberspace and Future War
• TODAY: “Cyber war”, no!! “cyber-enabled war”, yes!!• will the cost/benefit relationship in technical development
and use of cyber weapons change in the 10-20 year time frame?
• will the political character of a cyber weapon change as countries accumulate entire cyber arsenals, rather than single cyber weapons?
• does the political character of a cyber weapon change as countries move away from conventional military strategies to information age strategies where information dominance is judged to be the decisive capability?
• 2030: “Cyber-dominant” war • or i-Warfare
Cyber-dominant War
• Not a fifth domain of warfare, but the new commanding heights of all warfare
• Thee layers: physical, logical, persona
• Eight vectors of attack and defence– Software, hardware, network, payload, power
supply, people, policy, ecosystem
• Like all wars: political, economic, social and military elements to achieve a POLITICAL GOAL
i-Warfare
• Combat action in milliseconds• Distributed (fractured) authority• (Re)aggregation of military impacts and forces look very
different• Equalisation of tactical and strategic aspects• Compression and distortion of geography (Russia, China
and USA are now everyone’s neighbor and uninvited house guest)
• All information vectors have a political value• Hyper information environment• Informational well-being (assurance) comes under
sustained threat (every computer is a disinformation dept)
Benchmarks
Future National Defence Postures• China: cyber power intent, cyber S&T intent, distributed cyber war, militia• United States: prompt information dominance, cyber weapons for all, R&D
innovation, military education, civilian reserve• War avoidance and peace building
Future ‘Cyber-dominant war’• Trends in planning (Future technologies of complex cyber attack and
defence)• Case of Critical Infrastructure• Scenario planning• Technologies of decision-making• How much to spend?• Only one answer for Middle Powers?
China2003 • Local war under conditions of informatisaton
2014 • Cyber Power announcement
2015 • Military strategy: “outer space and cyber space” are commanding heights
• “you fight your way, I fight my way”• Cyber militia• PLA cyber attack/defence competitions• Cuts to PLA of 300,000 to help pay for cyber
transition• Unification of tri-services cyber command elements
2020
2030
• initial joint force and civil sector cyber attack capability (“complex cyber attack”)
• China reaches “total war” cyber capability against Taiwan
United States
1990s Joint doctrine (1998), 1st cyber attack in war (1999)
2002 Northrop Grumman Cyber Warfare Integration Network
2010 Cyber Command, Stuxnet revealed
2012 JP 3-13, PPD 12
2013 JP 3-12
2015 “Beyond the Build”: cyber options; new Cyber Strategy. Laws of War Manual on “logic bombs”
2020
2030
President chooses first “cyber before bombs” intervention in Middle EastCyber civil defence becomes a national obsession
War Avoidance
1998 First UNGA resolution on ICT and international security
2006 SCO declaration
2009 SCO Treaty
2010 GGE: increasing state reliance on cyber war
2011 SCO proposal for Code of Conduct
2013 UN GGE: international law applies in cyber space
2015 UN GGE (voluntary norms)Russia/China agreement, US/China “progress”
20202030
States begin to endorse voluntary norms Mutual restraint treaty (for peacetime only)
Trends in Planning Cyber-Dominant War
• Political goals
• Surprise attack and speedn
• Multi-vector, multi-front, multi-theatre
• Sustained, cyber + kinetic
• Resilience in defence
• Advanced Situational awareness
• Scenario planning
Technologies: FireEye RSA 2013
Case of Critical Infrastructure
• The presumption that a control system is “air-gapped” is not an effective cyber security strategy. This has been demonstrated by over 600 assessments.
• Intrusion detection technology is not well developed for control system networks; the average length of time for detection of a malware intrusion is four months and typically identified by a third party.
• The dynamic threat is evolving faster than the cycle of measure and countermeasure, and far faster than the evolution of policy.
• The demand for trained cyber defenders with control systems knowledge vastly exceeds the supply.
Idaho National Lab 21 October 2015
Scenario Planning
Estonia 2007 (a shut down of the financial and banking system)
+ China’s kinetic anti-satellite test 2007 + Stuxnet 2010 (cyber sabotage) + release by the group Anonymous of military personnel data + cutting of undersea cable (numerous incidents) + closing down of civil satellite links (Egypt) + closing down electric grids (U.S. operation in Yugoslavia 1999) + insertion of false data into military systems + attacks on Saudi Aramco + planting malware in civil aviation systems + opening flood gates on dams + closing down military communications.
Decision-making Systems
Middle powers will need to develop complex responsive systems of decision-making for medium intensity war that address:• simultaneous multi-vector, multi-front and multi-theatre
attacks in cyber space by a determined enemy• including against civilian infrastructure and civilians
involved in the war effort. And all of that before we even think about emerging technologies like:• quantum computing, anti-satellite weapons, mass
deployment of drones as distributed airborne C4ISTAR platforms, a return to traditional HF-based communications for cyber activities, and laser-based communications
How much to spend for 2035?
Without cyber-enabled war capability:
• $20 bn fleet of fighter aircraft may not fly
• $30 bn fleet of submarines may stop dead in the water
• Civil infrastructure WILL NOT WORK
cyber war capability spend of $$$ billion?
&/OR Diplomatic strategy of war avoidance
&/OR a home guard (= cyber civil defence)
Only One Option for Middle Powers
• A new form of collective security: what does it look like?
• Necessary dilution of existing blocs and alliances• Necessary shift to civil defence (militia) both for
deterrence and active protection• Build a community of interest around the
concepts of cyber-enabled warfare and war avoidance with a recognised authoritative hub that can unite political, military, diplomatic, business, scientific and technical interests and expertise