
Cyber wrap


We’re kicking off this week over the ditch with our Kiwi friends, who have been very busy on the cyber policy front. In Auckland last Friday, Communications Minister Amy Adams launched an updated version of the country’s national Cyber Security Strategy. The NZ government also produced an accompanying ‘living’ Action Plan that will be updated annually, and a National Plan to Address Cybercrime. The strategy aims to deepen public–private engagement on cyber issues, building on the already successful Connect Smart initiative, which reaches out to private residences, schools and businesses. Other initiatives include a ‘cyber security tick’ scheme, similar to those used to indicate healthy foods, which will recognise businesses with good cyber security practices. New Zealand will also establish a stand-alone national Computer Emergency Response Team (CERT). Currently CERT responsibilities lie within the National Cyber Security Centre, but the decision has been made to bring New Zealand ‘into alignment’ with its key international partners by creating the new body. The decision mirrors that of the UK government, which successfully launched its first national CERT early last year.

Australia’s national CERT has released a survey of the cyber security postures and attitudes present among its major Australian business partners. The survey found that over half of the respondents had experienced an incident that had compromised ‘confidentiality, integrity or availability of a network’s data or systems in the last year’. Positively, the survey found that in response many businesses had introduced or improved their information security practices, including both policy and technical responses. Mirroring stories throughout the media this year, major Australian businesses reported being subject to a substantial number of ransomware attacks—four times as many as were reported in 2013.

Twitter has warned a number of its users this week that their accounts may have been targeted by something a bit more malicious than the usual run-of-the-mill spam. The social media giant informed several account holders via email that their Twitter accounts were part of ‘a small group of accounts that may have been targeted by state-sponsored actors’. Those affected included activists, security specialists and privacy advocates, in what Twitter believes was an attempt to gain access to personal information including phone numbers and email addresses. While Twitter claims there was no evidence that the attempts were successful, it recommended that those affected use identity protection measures, such as the Tor browser.

Joe Nye had an interesting piece published on Project Syndicate on deterrence in cyber space, where he discusses how the traditional difficulties surrounding attribution have hampered effective deterrence and tipped the see-saw in favour of attackers. But he stresses that increased technological capability, more robust encryption and economic enmeshment may tip the advantage back to the defenders and eventually enable more effective cyber deterrence.

And finally, just in time for the holiday break, the US Department of Homeland Security has put out a useful tip sheet on good cybersecurity practices to use while travelling. It includes advice on connecting to Wi-Fi, data protection and maintaining the physical security of personal devices.

Learning lessons from the UK’s confident approach to cyber

An aerial image of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire.

The launch of the 2015 SDSR provided evidence that UK Defence and Security agencies are being re-invigorated after a period of extensive cuts. Over the next ten years £178 billion will be spent on a range of military platforms. While this won’t elevate the UK to the peak of global military powers, it will reassure allied partners that it’s a reliable security partner.

Large quantities of money are often associated with ‘big ticket’ military hardware, yet the UK has spent comparable sums on its cyber capabilities. At the launch of the 2010 SDSR, the sting of looming cuts was softened by the announcement that the Government would invest £500 million in cyber security. In the intervening period, that’s risen to an £860 million investment in a growing area of national security concern and potential advantage.

The 2015 SDSR announced that spending on cyber security will grow again, with a commitment to invest a further £1.9 billion (A$3.9 billion) over the next five years. When that sum is added to the core spending on cyber security capabilities to protect UK networks, the total spend amounts to more than £3.2 billion (A$6.5 billion).

The clear and concise wording of the document is just as significant as the money attached to it. The 2015 SDSR weaves together a clear articulation of the UK’s strategic goals in cyber along with a comprehensive narrative about the importance of cyber security to national and economic security, and introduces measures to enhance capability and skills in both areas. It commits the UK to remaining a world leader in cyber security to protect critical networks, to maintaining high levels of confidence in its ability to protect business from cyber threats, and to bolstering the digital economy to help it reap the economic rewards of high value cyber security technology and skills.

The lead component of the cyber section of the SDSR is the newly formed National Cyber Centre established under GCHQ’s leadership. This centre will have charge over operational responses to cyber incidents. Not only will it have an operational lead but it will also act as a focal point for companies seeking advice on cyber issues, simplifying previous arrangements.

There are three areas worthy of specific comment. First, the UK has worked hard over the past 10 years to mature the Government’s relationship with the private sector on cyber. There’s a clear commitment to ‘share knowledge with British industry and with allies’, ‘help companies and the public do more to protect their own data’, and ‘simplifying private sector access to government cyber security advice’. That’s evidenced most strongly in the promise to develop a ‘series of measures to actively defend…against cyber attacks’, alluding to active defence tactics which aim to disrupt attackers prior to, or while they’re attacking, a network. The SDSR states that those capabilities will be ‘developed and operated by the private sector’, which is a leap forward in coordination between the UK’s public and private sectors.

Despite efforts to build stronger relationships with the private sector on cyber, Australia is some way off being able to make these kinds of statements. There’s a continuing journey that needs to be undertaken in order to reach the same level of maturity that the UK has achieved.

Second, the SDSR details a significant investment in creating highly qualified and skilled personnel, including £20 million to open an Institute of Coding to fill the current gap in higher education. A £165 million Defence and Cyber Innovation Fund was also announced to support innovative procurement across government, alongside two new cyber ‘start-up’ centres where new companies can incubate their tech in the early stages of development.

Finally, one of the most striking aspects of the plan was the emphasis placed on developing offensive cyber capability. The UK has firmly stated that it has this capability and will use it as a tool of national power and to respond to security threats. George Osborne used strong words to underscore this part of the plan:

‘Part of establishing deterrence will be making ourselves a difficult target…We need to destroy the idea that there is impunity in cyberspace…We are building our own offensive cyber capability—a dedicated ability to counter-attack in cyberspace.’

Following on from the US admission in 2010, this further illustrates an emerging trend among Australia’s allies to publicly state their capacity to conduct or develop offensive cyber operations. A clear statement of the way Australia views the use of offensive cyber capabilities would be a welcome addition to the Australian Defence White Paper when it emerges.

There are lessons for Australia on the cyber front here. First is the use of committed, firm ideas and language which are backed financially. We are yet to see how much the Australian Government will invest in this important area of national security. Second, there’s a clear articulation of the linkage between cyber security, economic security, digital innovation and national security. Australian cyber strategy will hopefully follow suit. Finally, there’s evidence of a mature and trusted relationship between Government and the private sector built over time, an area where Australia can do much better. With both a Cyber Review and a Defence White Paper due imminently, expectations will be high that Australia can deliver on both fronts.

War and peace in China’s cyber space


China’s top spy and Politburo member, Meng Jianzhu, made a highly unusual four-day visit to the US in early September where he forged an agreement between China and the US to cooperate more deeply on cyber security issues. The Meng visit was intended to smooth the way for the visit of President Xi and to allow him to announce with President Obama on 25 September new progress by senior officials in this area.

The two countries agreed to investigate complaints by each other about malicious cyber activity, to cooperate more on resolving criminal investigations, and not to undertake commercial espionage. On this last issue, they agreed not to ‘conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors’.

There’s a clear distinction, as the two countries agree, between economic espionage for national purposes and commercial espionage intended only to benefit a firm in the civil economy. It’s a declared US policy to conduct economic espionage in order to maintain its technological edge over other countries; and China does it to catch up.

New disputes about the September 2015 cyber agreement will inevitably arise, and sooner rather than later. The saving grace, and the most solid diplomatic achievement on this front, was the agreement to set up at Cabinet level a Working Group to resolve disputes. On the US side, the Secretary of Homeland Security and the Attorney General announced on 25 September that they would be the leads and that their counterparts on the Chinese side would also participate.

This new Working Group follows a failed attempt beginning in April 2013 to set up a working level mechanism between the foreign ministries of the two countries on cyber security. This was suspended by China in May 2014 when the US brought indictments against five personnel from China’s armed services for industrial espionage.

The agreements will provide a brief respite in diplomatic angst around China and cyber space. But some of this concern is misplaced, as leading scholars and I have argued at length elsewhere in respect of the economic impacts of Chinese cyber espionage.

Yet, regardless of the estimates of impact on the US economy, there is little likelihood that China’s PLA will change tack on cyber-enabled economic espionage. Its internal security agencies may be watching more closely any illegal relationships between PLA cyber units and the Chinese ‘commercial sector’.

The US and China are locked in a fierce struggle in cyber space. It’s intensifying, even as the two sides manage to agree occasional elements of détente to defuse the tension. The stakes are high; at the extreme end of the list of concerns, the command and control of nuclear weapons (especially intelligence, surveillance and targeting aspects) depend in part on a securable cyber space.

For its part, China sees the cyber struggle with the US in three dimensions: internal security to support the continued rule of the Communist Party; China’s relative military backwardness in cyber space; and its overall technological backwardness in the cyber space aspects of the civil economy. As outlined in my book, Cyber Policy in China, Beijing sees this struggle as asymmetrical, a situation that imposes on it an obligation to ‘push the envelope’ in all areas of policy while trying to maintain functional cooperation with the US in important areas of economic policy.

While pushing the envelope, there are several reasons why economic considerations force China to maintain a cap on its cyber confrontations with the US. The biggest reason is that China badly needs US investment and advanced know-how in the information technology sector. China has only a weakly developed cyber security industry.

This imperative is captured in a gem of understatement by the Chinese foreign ministry when it said in a summary of the Xi visit that future cyber strategies by both sides ‘should be consistent with WTO agreements, …take into account international norms, be nondiscriminatory, and not impose nationality-based conditions or restrictions’ on bilateral ICT trade and technology transfer—at least not ‘unnecessarily’.

The final sentence above is important for Australia. The US and China have agreed to limit the use of national security as a criterion for evaluating bilateral cyber trade and investments. Australia now needs to abandon its blind belief in US propaganda about the exaggerated economic impact of China’s cyber espionage. It needs to pursue more aggressively the opportunities for investment in China’s ICT sector, including in cyber security.

Most importantly, it needs to emulate the recent US move and set up a high level working group with China led by our Attorney General to address deeper cyber cooperation, as well as malicious activity.

Cybersecurity: escaping future shock


Mike Burgess, Telstra’s Chief Information Security Officer, claims that attributing blame for cyberattacks is a ‘distraction’. It’s hard not to empathise with his views when, according to the Australian Centre for Cyber Security, 85% of the threat of intrusion could be mitigated by the implementation of baseline protection measures. Burgess also pointed out that while attributing blame is an important component of preventing attacks, attacks are too often discussed in amorphous and hyperbolic terms when describing their sophistication.

Burgess has decades of experience in intelligence and security and unlike many others is well past the future shock of cybersecurity. At present, the capability of actors to penetrate networks is increasing, as is their ability to do damage. If you ever want to induce a sense of utter helplessness in your CEO, just show them this raw feed of cyberattacks from Norse. The reality is that good intelligence on actors and their capabilities is fairly useless unless a company has a strong understanding of what it’s exposed to. Context is everything when it comes to raw data.

It doesn’t help that many leading cybersecurity researchers fail to discuss these events within their wider context, and many of the top cybersecurity programs treat the subject matter as an extension of computer science and engineering. To security studies, cybersecurity is one area, amongst a range of others, where threats exist in asymmetric terms. Authors are largely yet to work across these disciplines when discussing such threats. An example of this is found in Sandia’s work on Cyber Threat Metrics, which attempts to reinvent the wheel rather than work within the existing context of security threats. In Clausewitzian terms, cybersecurity is just security by other means. The literature on security, threat, perception, signalling and a range of other areas is sitting there waiting to be leveraged rather than reinvented.

There’s a great deal to be gained by discussing cybersecurity as an extension of existing trends. The relative youth of cybersecurity as a subject area means that it hasn’t yet been integrated into the wider literature. While that’s not unexpected it is something that needs to be addressed. In the early days of nuclear weapons, Oppenheimer had to reach for the Bhagavad Gita for an eloquent expression of future shock. Today’s cybersecurity researchers have no need to reach so far back for a meaningful comparison. Science transforming the security environment is nothing new: nuclear weapons were first discussed by the scientists that invented them, then by the military and then finally harnessed by statesmen. A similar thing is naturally occurring in cyberspace.

In reckoning with present trends, cybersecurity faces an uphill battle where opponents are increasing in capability and responses are uneven. While it is all well and good to proactively deter attack, if a company has a flat network architecture and never updates its software, it probably won’t do very much to limit exposure in the medium to long term. A few years ago US retail giant Target had invested over a million dollars in malware detection tools from FireEye. Yet despite possessing functioning notification tools, Target did nothing when they detected an attack. The breach compromised 40 million debit cards and the personal details of 70 million people, and cost the company more than US$146 million. Spending money on the right tool is useless if the company isn’t getting the basics right.

Another area of potential change is the ongoing debate over when to report an attack. Companies are not convinced that it will be to their benefit if they disclose attacks, and an increasing number in Australia don’t. Companies also fear a loss of confidence by investors if they disclose an attack. There’s presently a move in the European Union towards mandatory reporting. In 2013, PricewaterhouseCoopers estimated that in the course of a year some 93% of large British companies had suffered a cybersecurity breach. The same report lists the median number of breaches per company at 113 over the same period, with the average cost of a large company’s worst breach coming in at over £400k.

So we understand, to some degree, the context and scope of the threat. And while it’s a threat that’s increasing, the vast majority of cybersecurity conundrums are manageable at present. New methods of attack aren’t a distraction but they are a second order problem and ought to be treated as such. The first step is to recognise the risk and implement the already identified best practice strategies to manage the threat. Moving on from there, the second order debates of reporting, classifying threats and auditing systems will take place. Burgess is right when he notes that second order problems currently dominate the discussion, but can this be seen as a natural extension of the uneven development of cybersecurity as a field? Many companies, for their part, must work to escape the future shock—cyber threats are real but so are the basic strategies on how to manage the risks they pose.

Australia’s in a strong position to close the gap between awareness and response. Under Burgess, Telstra has proactively produced industry-based reporting on the present situation. Along with this, the Australian Cyber Security Centre was launched in November 2014. That same organisation has produced an unclassified threat report that represents a good first step. Finally, CERT Australia is attempting to develop the space between government and industry where effective collaboration can flourish.

Each of the organisations mentioned above has constructed the beginnings of a collective response to cybersecurity. Being overwhelmed by risks is an extension of not understanding their context. Australia is on a strong path to cooperatively and proactively respond to cyber threats if those problems are tackled in order and in a collaborative manner.

Cyber wrap

T-Mobile

Researchers in Singapore have demonstrated how hackers can use a smartphone mounted on a drone to steal data intended for wireless printers. The technology detects an insecure printer and intercepts documents by establishing a fake access point that mimics the printer, tricking the computer into sending potentially sensitive data straight to the hacker’s device. Thankfully, this research springs from benevolent motivations and the ‘Cybersecurity Patrol’ app that has been produced is a cost-effective way to scan office spaces and alert corporations to any insecure printers. However, it’s a good reminder for companies to address a vulnerability that’s frequently overlooked. Watch a video exhibiting both the malicious and beneficial uses of this technology here.

Speaking of hackers, Russian hacker Dimitry Belorossov has been sentenced to four and a half years in prison for distributing and operating part of the infamous ‘Citadel’ botnet. Also known as ‘Rainerfox’, Belorossov used the banking Trojan to infect and remotely control more than 7,000 computers of unsuspecting individuals and financial institutions. The US Department of Justice estimates that Citadel reached over 11 million computers worldwide and resulted in more than US$500 million in losses. The 22 year old was sentenced this week after being arrested in Spain in 2013 and pleading guilty to conspiracy to commit computer fraud last year.

In Washington DC, Ari Schwartz this week stepped down as Senior Director for Cybersecurity on the National Security Council. Schwartz, who joined the White House in 2013 as Director for Cybersecurity, Privacy, Civil Liberties and Policy, has been a vocal advocate of information sharing and became a trusted advisor to the Obama administration. The administration has a successor in mind, so watch this space for an announcement.

A ruling from the European Court of Justice is pending on the future of ‘Safe Harbour’, an agreement that enables the transfer of customer data from the EU to the US. Since 2000, Safe Harbour has allowed US companies to self-certify that they fulfil EU data security standards, and today it is used by some of the world’s biggest technology groups, including Facebook and Amazon. Concerns over the US’ laissez-faire approach to privacy, exemplified by the revelations of NSA whistle-blower Edward Snowden, have elevated the sustainability of this agreement to the highest court in the EU. The ruling could give national data protection authorities the power to challenge data transfers or even void the agreement altogether. Those outcomes would have massive implications for international technology companies, and some fear it may contribute to the widening cyber policy gap across the Atlantic.

The personal details of roughly 15 million T-Mobile customers have been compromised in a massive data breach this week. Names, addresses, birthdates, encrypted social security numbers, drivers’ license and passport numbers have been stolen from Experian, a vendor T-Mobile uses to process its customer credit applications. Fortunately the compromised data contained no credit card or banking information; however, the details could be used to commit identity theft. CEO John Legere has said he will undertake a ‘thorough review’ of T-Mobile’s relationship with Experian and is offering affected customers two years of free credit monitoring.

Ironically for T-Mobile, the first week of October marked the beginning of America’s National Cybersecurity Awareness Month. President Obama designated the tenth month of every year as a time to ‘engage and educate public and private sector partners’ about the importance of cybersecurity. Sponsored by the Department of Homeland Security, this month-long awareness campaign promotes cybersecurity as a ‘shared responsibility’. Stay tuned for related events, speeches and weekly themes.

War at sea 1914-15: The virtual unreality (Part 2)

Ship radio

Command and control were key naval unknowns in August 1914. What hadn’t been properly appreciated in set-piece, largely visually conducted exercises before the war were the problems with radio. The full conceptual and practical difficulties associated with its use really only became apparent in the Grand Manoeuvres. These were neither frequent nor long enough to fully make the point. This would have fundamental implications for naval operations.

The potential of wireless to coordinate widely separated forces was appreciated almost from the first, just as the telegraph cable had been recognised in the nineteenth century. Before 1914, the Admiralty made heroic efforts to develop ‘network enabled’ warfare, with an Admiralty War Room as the operational command centre. But radios had problems of range, reception, wavelength, mutual interference and reliability, while there were difficulties with security, the encryption and decryption of signals and, above all, with the combined true and relative errors of navigation, which meant that the ‘pool of errors’ was often very much greater than the prevailing visibility, particularly in the North Sea. Even if you were told where the enemy was and where he was heading, there was no guarantee—or even probability—that you would find him.

The greatest difficulty with radio, however, was that it created a ‘virtual unreality’, an unreality that navies were all too ready to immerse themselves within. Too many acted as though their commander were in sight—and this mattered.

Navies had a bi-polar culture of command, perhaps most extreme at the beginning of the twentieth century. Andrew Gordon has written an extraordinary book called The Rules of the Game examining the failures at Jutland. Gordon presents a compelling picture of the way that an over-controlling approach to tactics and manoeuvres created a system of operating a fleet at sea incapable of managing events under the actual stress of combat.

By their nature, however, navies arguably always operate this way. If ships are in company, then the culture is one of obedience to allow the admiral to coordinate the force to achieve the operational intent. This is still the case, because it generally works—and disobedience by a subordinate, such as Nelson’s apparent disobedience at the Battle of Cape St Vincent in 1797, is the exception that proves the rule. Such control is, of course, more effective if achieved by ensuring prior understanding of the intent, rather than frequent signalling.

Some of the British problems would be caused by more than the tight control of formations at sea, because this actually extended to control of everything. Following the flagship’s movements and routines was compulsory. If the flagship spread awnings, so did you. If the flagship declared a rest afternoon, so did you. This sort of thing, continued for day after day in every fleet or squadron when assembled, created not so much a culture of ‘senior officer veneration’, as one of ‘the senior officer present’.

This idea of ‘presence’ making the difference is important. The other part of the naval split personality was very different. If officers were out of visual contact, then they were expected to exercise their initiative. And they generally did. During the century of the Pax Britannica, such enterprise was consistently demonstrated, creating an expectation summed up by Lord Palmerston’s declaration that he would send a naval officer to solve a problem in distant lands.

There was at least partial awareness of the situation. We tend in 2014 to think of communication as practically instantaneous, but in the navy of the last century it was not, even for radio. A 1906 expert estimated that visual signalling speed rarely exceeded two and a half miles per minute in effect—and was often slower. Early experience of radio showed that its problems—even when ciphers weren’t in use—meant that its effective speed was often not much better and sometimes, much worse. The greater the distance, the greater the delay.

Furthermore, neither the language nor the concepts for communication by radio existed. This was why Army observers of naval manoeuvres had good reason to criticise. One senior observer noted that ‘the preparation of orders is not understood in the Navy, making all allowance for the general differences inherent’. The Navy had yet to develop a system for coordinating remote formations in a tactical environment, something with which the Army had been struggling for more than a century.

There were key aspects to be resolved. Before the radio, all tactical reporting was visual. This meant that the enemy had to be so close (either on the horizon or just over it) that absolute positional errors did not matter—what a commander was interested in was what the enemy bore and in what direction he was steaming. A remote report required not only much more precision—and the greater the distance the more important precision was—but also much more information. This was not fully understood. The first British radio format for an enemy contact report didn’t include either the enemy or reporting unit’s position, while the concept and practice of a tactical plot would take years to formulate.

However, the ‘virtual unreality’ came in the fact that, despite the limitations of radio, many commanders behaved as though their remote senior officer always knew more than they did, sometimes in direct contradiction of what they themselves were seeing. In the pre-war Grand Manoeuvres there were multiple instances of officers failing to act on their own initiative because they thought that higher authority somehow knew more.

Learning to use the new technology and changing the culture of command would take more than just the First World War to achieve. After the failures of the 1916 Battle of Jutland, an effort to return to the ideals of Nelson would be one of the principal concerns of the Royal Navy between 1919 and 1939. Events of the Second World War, starting with the Battle of the River Plate, suggest that this work to achieve cultural change wasn’t wasted.

History doesn’t repeat itself, but it does rhyme, and one particular rhyme of 2015 with 1914-15 is apparent to me. The ever greater reliance upon networks and the instantaneous exchange of information in what have, since the end of the Cold War, been largely uncontested electronic environments may have created a new ‘virtual unreality’ with an expectation that higher command will always be accessible, not only to give direction but to be consulted. Thus, commanders at sea may complain they are being micro-managed, but at the same time become reluctant to do anything without first clearing it with their seniors.

Will such a culture work in a cyber war?

Cyber wrap

Anonymous

China and the US have stolen the show this week with their negotiations of what may become the world’s first major arms control agreement for cyberspace. Bilateral discussions focus on establishing a no-first-use policy with regard to targeting a state’s critical national infrastructure during peacetime. While potentially ground breaking, the agreement would bear no relevance to China’s alleged hacking of either US corporations or the Office of Personnel Management.

It’s a promising turn of events for what’s been a highly sensitive topic in the bilateral relationship. Obama has also refrained from enacting the proposed economic sanctions on Chinese corporations for the cyber theft of US intellectual property. There’s been a noticeable drop in the frequency of Chinese cyber attacks against US corporations recently, which may be an effort to build goodwill in the lead up to Xi’s first state visit to Washington later this week. Unfortunately, tensions are far from resolved. At the same time as Xi’s visit, China will host a tech forum in Seattle where it’ll pressure US corporations to adopt a ‘pledge of compliance’ regarding company networks within China. The pledge requires companies to make their data ‘secure and controllable’, a condition that may involve providing authorities with backdoors to systems for surveillance. By successfully drawing large players such as Apple, Facebook, IBM, Google and Uber to the forum despite current bilateral tensions, the Chinese are set to demonstrate the leverage they wield over any cybersecurity discussion.

Two US Democratic Senators have shone the spotlight on automakers’ responsibility to secure their increasingly networked vehicles. Edward Markey and Richard Blumenthal requested information about cyber security policy from 18 large automakers this week, including BMW, Fiat Chrysler and Toyota Motor Co. A similar survey was conducted in December 2013, however, the recent hacking of a Jeep Cherokee in July has returned attention to the vulnerabilities of vehicle connectivity. Intel, which provides infotainment technology to some of the largest automakers and is a key target for potential hackers, has this week revealed its interest in the issue by establishing a new Automotive Security Review Board. This board will conduct security audits on its products and has already released a ‘white paper’ outlining automotive cybersecurity best practice.

There was a win for cybercrime fighters this week, with infamous Russian hacker Vladimir Drinkman pleading guilty to criminal charges. Drinkman and four other defendants were charged in the US with stealing 160 million credit card numbers from corporations including Diners Singapore, Nasdaq, JCP, 7-Eleven, Dow Jones and Jet Blue. The group exploited SQL injection vulnerabilities in the companies’ web-facing databases to gain a foothold and then install ‘packet sniffers’—malware that monitors and records network traffic, in this case harvesting card data as it crossed the network. Drinkman initially pled not guilty when captured in 2010 but has now confessed to his cybercrimes and is facing up to 30 years in prison. The theft incurred a corporate cost of $300 million, plus enormous private losses, and has been deemed the largest data breach scheme ever prosecuted.

The US has announced plans to post a prosecutor at Europol in order to facilitate greater international cooperation in the fight against cybercrime. US Attorney General Loretta Lynch said that the representative will be a day-to-day presence, aiding investigations into botnets and dark web marketplaces. Europol Director Rob Wainwright is hopeful that the presence of a US prosecutor will encourage the support of large US technology companies in international cybercrime investigations.

Anonymous has been busy this week, hacking government websites of both Vietnam and the Philippines. The infamous hacktivist group defaced the homepage of the Philippines’ National Telecommunications Commission (NTC) as a demonstration against poor internet service delivery. The group’s hack left a message protesting against the ‘over promised, under delivered system’ that it believes is an obstacle to equality of internet access. The breach came days after the agency’s service test which revealed ISPs falling short of advertised speeds, and has prompted the NTC to guarantee an increase in the monitoring of internet speeds starting in October.

Across the South China Sea, Vietnam suffered a blow to its government portal on its recent National Day thanks to the collaborative hacking efforts of Anonymous, AntiSec and HagashTeam. The cyber vandalism was an attempt to pressure the Vietnamese government to include political activists, journalists, bloggers and human rights defenders in their recent mass pardoning of more than 15,000 prisoners, including drug traffickers and murderers.

We’re (not really) under cyber attack

Last week’s release of the first Australian Cyber Security Centre (ACSC) Threat Report provides some sobering statistics and interesting case studies on the cyber threats facing Australia. It outlines the problem well, but beyond the usual exhortations to implement ASD’s Top Four Mitigation Strategies, it’s relatively silent on the response. This is a task that has likely been left for the Government’s Cyber Security Review to complete in the coming weeks.

It’s unsurprising to most that Australia endures constant attempts to breach public and private networks. The combined 12,204 incidents that either ASD or CERT Australia responded to in 2014, around 33 each day, provide some insight into the scale of cyber intrusions that the ACSC handles. The threat is also growing in sophistication, as cybercrime groups begin to rival the capability of some state-sponsored actors, demonstrating the enormous resources they’ve accumulated from their successes.

The ACSC has categorised cyber adversaries into three tiers: foreign state-sponsored, serious and organised crime, and issue-motivated groups. The motivations of those groups vary, as do their capabilities. State-sponsored actors are the most capable, closely followed by the larger cybercrime syndicates. Those two actors have the most sophisticated capability and potentially the biggest effect on our national security and economic well-being. Issue-motivated groups use less complex, more readily available capabilities, such as DDoS, to bring attention to their cause, without causing serious damage or harm. The ACSC predicts that terrorist groups will continue to be a nuisance in cyberspace by defacing websites and using DDoS to draw attention to their cause, rather than pursuing more destructive cyber capability, even as the financial and technical barriers to those more sophisticated tools continue to fall.

The careful definition of the term cyber-attack is of particular interest to policy wonks. Used colloquially to describe just about any malicious act in cyberspace, for Government—and in particular the Defence-dominated ACSC—the term is defined as an act that seriously compromises national security. The report notes that Australia has never suffered an event that Government would consider to be a cyber-attack, but if it did, it may be considered to be an act of war. The imprecision of the common usage of ‘cyber-attack’ would be unsettling for an agency that’s primarily responsible for responding to armed attacks on Australia. Careful definition provides greater clarity about how and when Defence is involved in responding to the many thousands of cyber intrusions Australia is subject to.

Government’s efforts appear to be bearing some fruit: the number of incidents ASD responded to has grown at a slower pace than in previous years, and the confirmed number of significant breaches of Australian Government networks has fallen. The biggest hole in the statistics noted in the report is intrusions against the private sector, which the ACSC admits it has a more limited understanding of. This means that there are potentially more cyber intrusion attempts occurring than is known, with attempts going undetected and unreported.

CERT’s statistics show that the energy, banking and financial services, communications, defence industry and transport sectors have reported the most cyber intrusion attempts. These sectors are more likely to have implemented the capabilities required to identify cyber intrusions, as they are well aware of the impact of cyber threats on their business. Other industry sectors, like mining and resources and agriculture, face similar risks but report far fewer incidents. Government is encouraging the private sector to implement adequate measures and share information. However, without adequate understanding of the risk, there’s often little incentive to invest in expensive cyber security capabilities until a major incident has damaged a business’s reputation and bottom line. This is a shared problem, and many of our key partners such as the United States are struggling with the same issue.

While the Government’s work to build stronger cyber defences appears to be successful in the face of more numerous and sophisticated cyber adversaries, it seems that the private sector is still struggling to come to terms with cyber threats. ACSC offers its usual advice—that implementing ASD’s Top Four Mitigation Strategies will assist in deflecting all but the most determined adversary—but Government can do more. Better two-way information sharing with businesses will highlight the need for investment in cyber defence, a task made difficult by the classified nature of much of the cyber threat intelligence Government holds, and the sensitive nature of ACSC’s current accommodation, which it shares with ASIO. This makes it difficult for business to engage with ACSC and to use the information it can furnish. The forthcoming Cyber Security Review should provide greater clarity on how Government intends to address the threats outlined in ACSC’s report, and hopefully how it will work with the private sector to make all of Australia a difficult cyber target.

ISIS pushes for offensive cyber capability

ISIS’s online presence is intended to do three things. Firstly, and most importantly for the longevity of its existence, it’s a mechanism to attract and recruit members to its ranks. Secondly, it’s a means through which ISIS aims to strike fear into the hearts of all who come across its frequently gruesome propaganda. Both objectives are well documented, but a third dimension to the ISIS presence online is emerging: its attempts to use cyberspace for offensive purposes.

By ‘offensive’ I don’t mean delivering cyber attacks that involve some kind of kinetic impact, but rather I refer to attempts to use the cyber domain to disrupt services, damage reputations and reveal sensitive data.

Over the past five months we’ve seen an uptick in offensive cyber activities by groups claiming an association with ISIS. In January, US CENTCOM Twitter and YouTube accounts were suspended after CyberCaliphate—a group claiming to support ISIS—had hacked into both, defacing them with pro-ISIS messages. While the hacks didn’t have a direct impact on CENTCOM’s operations, they were certainly embarrassing and akin to acts of ‘hacktivism’ we’ve seen from groups like Anonymous. Following up in February, the same group hacked into Newsweek’s and, of all things, Taylor Swift’s Twitter accounts, defacing both with pro-ISIS messages and sending threatening messages to President Obama.

In March a group claiming to be the Islamic State Hacking Division published on JustPaste.it a list of photos, names, addresses and service branches of US military personnel, which it claimed was taken from US military data servers. Accompanying the data was a statement from the group:

With the huge amount of data we have from various different servers and databases, we have decided to leak 100 addresses so that our brothers in America can deal with you…Kill them in their own lands, behead them in their own homes, stab them to death as they walk their streets thinking that they are safe.

In April we saw the most significant effort from a group purporting to be part of ISIS. The group managed to orchestrate a complete three-hour blackout of the French channel TV5Monde. They hacked into all 11 channels run by the company, along with its website and social media outlets. While the attack took place, the hackers placed documents on TV5Monde’s Facebook page, which they claimed were identity cards and CVs of relatives of French soldiers involved in fighting ISIS, accompanied by threats against the troops themselves. The Islamic State Hacking Division again claimed responsibility.

What this attack illustrated was the group’s increased degree of sophistication. There had clearly been a good deal of pre-attack planning, including a degree of social engineering, in order to completely shut down the station’s computer systems.

This isn’t the first time we’ve seen terrorist groups attempt to use the power of online systems and networks in their operations. In February 2010 Rajib Karim, an IT employee for British Airways (BA), was arrested for terrorism offences. Having been in contact with radical preacher Anwar al-Awlaki, he explained that he had access to BA’s servers and could erase all the data, causing massive disruption and financial loss of £20 million per day. Luckily he was arrested before he was able to carry out any kind of nefarious activity. Giving evidence at a UK House of Commons hearing on Cyber Security in 2013, Thomas Rid was asked the question, ‘Why hasn’t al-Qaeda carried out a cyber attack on a national infrastructure delivery point?’ He replied that ‘al-Qaeda are too stupid… You need skills and intelligence. Right now militants don’t have that.’ But ISIS, or at least those claiming to support the group, are now looking to take their cyber offensive to the next level.

Should we be worried about the self-styled CyberCaliphate and the potential for ISIS to launch highly sophisticated attacks against sensitive networks, similar to the Stuxnet worm that was unleashed on Iran? At present, despite a clear elevation in capability, the answer would be ‘not yet’. Attacks of the magnitude of Stuxnet require a level of financing, highly skilled personnel and human intelligence gathering that an organisation such as ISIS simply can’t muster. The more likely scenario is that we continue to see websites defaced and social media accounts hacked.

But that’s no reason to be complacent about ISIS’s capabilities and its intent. The cyber domain provides the group with a low-cost means of harassing its enemies and publicising its cause. It has demonstrated an ability to use modern technology and unleash effective propaganda, and has proven attractive to ‘tech savvy’ youngsters. With its successful takedown of a major television company, confidence will have increased and the next attack will be planned with greater ambition. There’s no reason that ISIS won’t work to mature what has so far been a successful strategy and capability. In many ways this reflects what we’re seeing in the broader cyber threat environment: the cyber domain is becoming a key part of offensive operations for any group, be it a government, criminal organisation or terrorist group. Over the last five months ISIS has shown us that it is pushing to close the knowledge and capability gap when it comes to offensive cyber operations. We’d be wise to keep a close watch.

Cyber wrap

The CIA is set to undertake one of its largest internal restructures since its inception in 1947. The reorganisation will see a new ‘Directorate of Digital Innovation’ join the agency’s four existing directorates. CIA head John Brennan explained in a public memo:

Digital technology holds great promise for mission excellence, while posing serious threats to the security of our operations and information, as well as to U.S. interests more broadly…We must place our activities and operations in the digital domain at the very centre of all our mission endeavours.

The new directorate will play in the space between NSA’s traditional SIGINT role and Cyber Command’s warfighting remit. Jim Lewis elaborated, ‘If you think of NSA as a vacuum cleaner and Cyber Command as a hammer, this is a little more precise, and it’s about supporting human operations’.