Tag Archive for: cyber capability

Australia needs a civilian cyber reserve. State emergency services are the model

Australia should follow international examples and develop a civilian cyber reserve as part of a whole-of-society approach to national defence.

By setting up such a reserve, the federal government can overcome a shortage of expertise in cybersecurity and increase national resilience to cyber threats. It could be modelled along the lines of state emergency services.

In doing so, the government should consider the way state emergency services are formed and mobilised when needed. Legal safeguards will also be needed to protect the recruits and the organisations that would receive assistance from the reserve when subject to cyberattack.

Malicious cyber activities are a persistent threat faced by nation states globally—from cyber operations against critical infrastructure, to cyber-enabled disinformation operations seeking to undermine social cohesion.

As noted by the director-general of the Australian Security Intelligence Organisation, Mike Burgess, the cyber threats faced by Australia include those from nation states seeking to pre-position themselves in Australia’s critical infrastructure, allowing them to carry out more disruptive and destructive attacks in the future. At the same time, a global skills shortage in the cybersecurity workforce undermines the capacity to defend against these threats.

In response to these issues, several countries are seeking to harness volunteers in cybersecurity and defence. Funded by the Department of Defence’s Strategic Policy Grants Program, we are currently carrying out research mapping out some of the key initiatives around the world.

The United States, for example, is carrying out a pilot project establishing a Civilian Cybersecurity Reserve. This was in response to recommendations made by the US National Commission on Military, National, and Public Service, which in 2020 argued that a federal civilian cybersecurity reserve would allow US agencies to obtain additional cybersecurity capacity from cyber experts when needed. These recommendations were echoed in the 2020 final report of the US Cyberspace Solarium Commission, which argued that a cyber reserve would play a key role in mobilising surge capacity using existing links between the private sector and the government.

The developments in the US follow similar developments elsewhere. Ukraine’s IT Army made headlines in 2022 when it called on hackers from around the world to join Ukraine’s defence against Russian aggression.

Estonia’s Cyber Defence Unit, within its Defence League, was established as early as 2011, following large-scale distributed denial-of-service attacks against Estonia a few years prior. Another example is the Cyber Peace Builders NGO, which helps connect corporate volunteers with not-for-profit organisations to improve their cybersecurity.

The proposed US federal-level cyber reserve also follows from developments in several US states that already have similar structures in place. These began with the Michigan Civilian Cyber Corps, established in 2013; a growing number of states including Ohio, California and Texas have followed suit. These civilian cyber reserves engage in a variety of activities, ranging from education in schools and public organisations to cybersecurity audits and incident response. They can provide high-level training and certifications for their members for free and organise cyber war-game exercises for participants.

Often compared to volunteer firefighters or other volunteer-based emergency services, cyber reserve organisations provide an opportunity for cyber experts to give back to society and help increase cybersecurity awareness, resilience and preparedness. For example, in March 2025 the Ohio Cyber Reserve responded to a cyber incident affecting the municipal court of the city of Cleveland, and it also deployed in 2024 when the city of Cleveland was subject to a ransomware attack by Russia-affiliated actors.

Australia should follow suit and create a civilian cyber reserve. However, several considerations must be addressed for it to be effective. These include the appropriate structure, membership, criteria for organisations to be eligible for support, and relevant legal safeguards.

In terms of structure, it could be modelled on existing organisations such as state emergency services, which operate at the state level and are designed to help communities both prepare for and respond to natural disasters. Initial members could be recruited from those with a high level of cybersecurity expertise, but gradually the membership base can be built through training and upskilling of volunteers with general cybersecurity skills or other relevant subject matter knowledge.

The identification of eligible organisations should start with public organisations at the state and local levels, including schools and hospitals. Finally, appropriate legal structures will need to be explored to protect volunteers, as well as to protect the confidentiality of organisations seeking support.

Creating a civilian cyber reserve can promote a culture of cybersecurity and be an avenue through which volunteers can use their expertise to help others and give back to the community. Having a structure like this in place in peacetime also provides a potential capability that can be harnessed in times of crisis or conflict.

New Chinese reform addresses overlaps, reflects challenge of military control

The Chinese government announced the establishment of a new arm of its military, the Information Support Force (ISF), on 19 April. The ISF is tasked with strategic support for network information systems that are under the direct control of the Central Military Commission (CMC). In other words, its main mission is likely to be providing information support for the implementation of integrated operations in each of the theater commands.

The reorganisation addresses overlaps in the previous structure and looks like part of the fight against military corruption.

An editorial in the PLA Daily points out that network information technology is the ‘biggest variable’ in the development of combat capability and that the establishment of the ISF is aimed at enhancing joint combat capability and all-domains operational capability based on network information systems.

The government has also announced that it will dismantle the Strategic Support Force (SSF) and create two new forces—the Aerospace Force (AF) and the Cyberspace Force (CF)—in addition to ISF.

So the SSF has been broken down into three components: the ISF, which provides information support; the CF, which conducts cyber operations; and the AF, which supports and conducts space operations. According to the 2019 Defense White Paper, the SSF was also supposed to be in charge of testing new technology and development of new-type combat forces; it is unclear where those functions have now been allocated. In any case, as a result of the reform, the PLA’s forces now consist of four services—the Army, Navy, Air Force and Rocket Force—and four branches—the ISF, AF, CF and Joint Logistics Support Force.

Xi appointed Bi Yi as commander of the ISF and Li Wei as political commissar. Bi Yi is from the Army and is a former deputy commander of the SSF; Li Wei is a former political commissar of the SSF. Bi Yi served primarily as an Army training officer before his transfer to the SSF in July 2023, so he is unlikely to be familiar with information support missions.

The SSF was established at the end of 2015 and did not last 10 years. Xi Jinping’s reorganisation does not indicate a policy change in military development, but rather exposes a problem in organisational management of the armed forces.

Organisational readjustment was probably needed. In the SSF there was a Network Systems Department and a Space Systems Department, with overlapping missions such as space offensive and defensive operations and strategic intelligence. It has also been pointed out that the Information Department of the CMC’s Joint Staff Department overlapped with the SSF. The latest reorganisation is aimed at minimising duplication, which would also improve warfighting capability.

On the other hand, the reorganisation probably reflects organisational and systemic problems facing the Chinese Communist Party and the People’s Liberation Army. Over the past few years, it has become clear that corruption continues within the PLA, despite repeated exposure. Investigations of Ju Qiansheng, commander of the SSF, and Shang Hong, commander of the Space Systems Department of the SSF, have been reported.

The SSF was broadly involved in informatisation, space assets and even emerging technologies. Meanwhile, China’s military-civil fusion strategy failed to improve transparency.

If Ju is not appointed as the commander of the Cyberspace Force, it will mean that massive corruption has occurred not only in the Rocket Force, as previously reported, but also in the SSF. In a sense, the reorganisation can be seen as an extension of ongoing anti-corruption measures.

Establishment ceremonies for the Aerospace Force and the Cyberspace Force have not been held, nor has their leadership been announced.

Xi Jinping’s administration continues to pursue the goal of strong armed forces as well as informatisation and intelligentisation of the military. The PLA has not changed its view that information dominance will make for superiority in modern warfare. In other words, there has been no major change in the direction of Xi Jinping’s program to strengthen the PLA.

Nevertheless, the reorganisation reflects the traditional difficulty of controlling the military of an authoritarian regime. Xi Jinping is having trouble rooting out corruption in the secretive armed forces. His distrust of them is deepening. This implies that detection of corruption will continue, as well as power struggles among military cadres scrambling to gain his trust.

It is likely that the PLA’s strengthening and its systematic corruption will continue side-by-side.

Australia’s offensive cyber capability

In 2016, the Australian government announced that Australia had an offensive cyber capability and was using it against Islamic State. Last June the government announced the creation of an ADF Information Warfare Division responsible for cyber defence and offence. It also announced that this capability will be used by law enforcement agencies to tackle organised offshore cyber criminals.

Today’s launch of ASPI’s policy brief, Australia’s offensive cyber capability, marks another step out of the shadows for our cyber warriors. This groundbreaking report builds on official government statements about this new ADF investment and includes more detail on the strengths and weaknesses of offensive cyber power, the risks involved in its use, authorisations, approval mechanisms, and checks and balances.

The report defines an offensive cyber operation as one intended to manipulate, deny, disrupt, degrade or destroy targeted computers, information systems, or networks. And it explores the types of effects such operations might achieve, such as altering databases, defacing webpages, encrypting or deleting data, or even affecting critical infrastructure.

We’ve seen states conducting these types of cyber operations, with outcomes that range from the devastating to the disappointing.

The devastating state-based attacks that we’ve seen have been very poorly targeted and have caused vast collateral damage. The WannaCry worm in May 2017, attributed to North Korea, spread worldwide and seriously affected many industries, notably the UK’s National Health Service.

Similarly, the Russian NotPetya attack, notionally targeted at Ukrainian companies, caused worldwide damage well in excess of US$1 billion and affected companies as diverse as Merck (US pharmaceuticals), Maersk (Danish shipping), FedEx (US logistics), Saint-Gobain (French construction) and Mondelez International (UK chocolate).

US offensive cyber efforts against Islamic State, however, reportedly received mixed assessments. Former Secretary of Defense Ash Carter ‘was largely disappointed in Cyber Command’s effectiveness against ISIS’.

Perhaps the first example of a state offensive operation was the Stuxnet worm that disrupted Iran’s nuclear weapons program by destroying industrial centrifuges used to enrich uranium fuel. This was a tightly focussed attack, designed to affect specific Iranian centrifuges and avoid other collateral damage.

Stuxnet probably delayed but didn’t halt Iran’s nuclear program, although assessing the operation’s success is difficult as we don’t know the attacker’s ultimate goals. The operation was less decisive than a destructive physical attack could have been, yet provided a clandestine capability that could be used when a kinetic attack was politically or practically impossible.

Although the technical capability for offensive cyber operations resides within the Australian Signals Directorate (ASD), operations in support of military operations will be joint civil–military partnerships, with operational plans constructed by the ADF and governed by ADF rules of engagement. Operations in support of law enforcement will have a separate approval and command process and won’t involve the ADF, although the details of these processes haven’t been disclosed.

The legal principles considered when designing and approving offensive operations are necessity, specificity, proportionality and limiting unnecessary harm. ASD’s legal authority and oversight mechanisms are also spelt out, and one of the policy brief’s recommendations is that thought be given to updating the policy and legislative framework as cyber capabilities develop.

The brief also describes the strengths and weaknesses of cyber operations from an ADF point of view. Among the advantages, integration with traditional ADF operations could well be a force multiplier and an asymmetric approach that provides new capability. Offensive operations provide global reach, and they can be either overt or clandestine.

On the negative side, offensive cyber operations are unlikely to be decisive on their own, need to be highly tailored so as not to cause indiscriminate damage, and will require constant effort as the cybersecurity landscape evolves. Crucially, unlike conventional capabilities, cyber capability cannot be demonstrated for the purpose of deterrence because revealing a specific capability allows effective defences to be developed.

The report concludes with a number of recommendations. Some recognise the challenge of attracting and retaining talented staff and suggest innovative recruitment and retention strategies, use of security-cleared reservists and deepened industry engagement.

Chief among the recommendations is that leaders carefully structure public statements about cyber capability to reassure regional states and encourage responsible behaviour. The government’s statements in June 2017 are a case in point. Statements about the creation of the ADF’s Information Warfare Division and reports about action against offshore cyber criminals on the same day were conflated in the media in ways that suggested that Australian military forces were going to target cyber criminals. That confusion could have encouraged militaries in the region to launch cyberattacks against individuals in Australia whom they consider cyber criminals.

In the relatively new field of military cyber operations, such missteps are bound to happen. With this policy brief we aim to promote greater transparency and a better understanding of this complex topic.

The rationale for offensive cyber capabilities

An early scene in the 1962 film Lawrence of Arabia shows German planes swooping back and forth to bomb the rebel camp and Prince Feisal, who’s heroically mounted on a white charger, chasing the planes with his sword in hand. Horses against aeroplanes aptly describes the circumstance for any nation that wants to defend itself if it lacks military cyber capabilities. You can’t reasonably expect to have a modern, effective military if you can’t carry out cyber operations. This isn’t a like-for-like match of cyber versus cyber—an astute opponent will use cyber techniques to paralyse command and control, interfere with the operation of weapons, and generally attempt to fatally expand the confusion that accompanies any armed conflict.

This isn’t a call for expanded cyber defence. Cyber defence usually means a bigger Computer Emergency Response Team, more technicians, essentially a Maginot line approach. We don’t talk about defensive tanks or defensive fighters. The best weapons can be used for either offence or defence. How they’re used depends on national intent and the risk of using them depends on how closely a nation adheres to international law and the laws of armed conflict—a peaceful nation that adheres to international law has nothing to fear from acquiring ‘offensive’ cyber capabilities. A purely defensive approach cedes the initiative to the opponent and leaves the defender in a reactive posture. No military would choose that.

Nor do we need to moan about the horrors of cyber war. People have let their imaginations run away with the consequences of cyber-attack. It’s not a weapon of mass destruction. It can have strategic effect, but that comes from its ability to precisely target crucial systems. Unlike nuclear weapons, cyber-attacks can have strategic effect without mass consequences.

Nations are experimenting with how to incorporate cyber capabilities into their military operations as they develop strategy and doctrine. The most advanced militaries are creating specific military cyber warfare entities. The growing military dimension makes cybersecurity an essential subject for discussion and for national strategy development.

It may be tempting to select from a menu of clichés (genies out of bottles or Pandora’s boxes opened), but all are meaningless and result from the overestimation of the effect of cyber-attacks. Perhaps 30 nations are acquiring offensive cyber capabilities; some would say many more, and some of those are in Australia’s neighbourhood—it’s not just China. Eventually, all modern militaries will have offensive cyber capabilities, just as they have acquired jets, helicopters, missiles and, increasingly, UAVs. Nobody likes warfare, but declining to modernise, sticking to the cyber equivalent of horses and swords against airplanes, is a gift to opponents who will be quick to seize upon a careless attitude towards national defence.

Such developments have implications for both the public discussion and regional stability. On the first matter, the US position is slowly changing. The US first used offensive cyber operations (albeit primitive) in the second half of the 1990s. For more than a decade, there was no public recognition of this capability. Discussion is still limited, but in the last year or two the US has decided to be more open about offensive cyber capabilities. That may seem a bit odd given that PPD-20, the Top-Secret Presidential Directive for military cyber operations, including offensive operations, was leaked a few years ago and lives on The Guardian website. But the US has made strides in beginning a halting discussion of both capabilities and operations, albeit at a very general level.

Such secrecy is unhelpful. A question that outside experts have posed for a decade is, if we could have a robust discussion of nuclear strategy and capabilities, why can’t we have the same discussion of cyber capabilities? That’s slowly beginning to change but the absence of much information outside of classified channels means that much of the media and academic discussion is simply wrong. One possible reason the Obama administration has begun to slowly peel back secrecy is that it has been reminded of a scene in the film, Dr Strangelove, where the American President cautions the Russian ambassador that having a secret weapons capability does little to provide a deterrent or stabilising effect.

Secrecy damages stability. It’s better to have an open discussion of military doctrine and strategy—this openness was the intent of the April 2015 DOD Cyber Strategy—than letting others make assumptions about policy and intentions. Transparency builds stability and confidence—that’s the reason confidence-building measures (CBMs) are valuable, and more progress on such measures in the ASEAN region would be helpful. Australia’s done a good job of working with other ASEAN nations on CBMs, but the only region with adequate CBMs is Europe. That’s thanks to the work of the Organization for Security and Co-operation in Europe, which includes an exchange of military doctrines among members.

Having an offensive capability is nothing to be embarrassed about or keep secret, but it needs to be accompanied by diplomatic initiatives and transparency with voters. We want to normalise cyber capabilities and should treat them like any other military system, rather than as dark secrets from the world of SIGINT.

Thinking deeper about Australia’s offensive cyber capability

At the launch of Australia’s new Cyber Security Strategy last month, the Prime Minister confirmed what many have been guessing for years: Australia possesses offensive cyber capabilities. The announcement, however, provided us with the barest of information about Australia’s offensive cyber capability, and it remains largely unclear how its potential uses have been conceived by government and the national security community. Given the minimal discussion of Defence’s approach to cyber capability in the 2016 Defence White Paper, it’s unlikely that we’ll see this information disclosed anytime soon.

What we do know is that Australia’s offensive cyber capability provides an additional option for government when responding to serious cyber security incidents. We also know that it resides in the Australian Signals Directorate—its natural home considering the Directorate’s technical expertise—and that it will only be used in accordance with stringent legal oversight and consistent with international law. The PM’s announcement was carefully calibrated to clarify that Australia has a sophisticated capability at its disposal, but will exercise significant restraint in employing it.

Offensive cyber capabilities have utility beyond the responsive role outlined by the PM, but there’s little detail of how that capability has been integrated into Defence’s planning, operations and capability development processes. Its exclusion from the Defence White Paper was a glaring omission, and it’s a shame that Defence and PM&C weren’t able to better align the DWP and the Cyber Security Strategy. Publicly releasing a document that outlines Defence’s thinking on Australia’s cyber capability would grow the sophistication of Australia’s cyber policy.

But what might be included in such a document? Given Australia’s strong defence and intelligence relationship with the US and the UK, Australia should draw significantly on their experience to develop concepts and doctrine for offensive cyber operations, adapting them to our own unique requirements. The US and UK have already produced a healthy public cache on cyber operations, their use as a responsive capability and their potential to support conventional military operations. These documents give us some insight into how Australia may consider the development and use of its own offensive cyber capability.

US policy and doctrine characterise cyber operations as an instrument of power in broader conflict, as well as a response to cyber incidents, and seek to integrate them seamlessly with conventional military operations. The US National Military Strategy characterises cyber operations primarily as a means to defend the US homeland, and defeat an adversary by projecting power across multiple domains. The Department of Defense’s Cyber Strategy states that ‘DoD must be able to provide integrated cyber capabilities to support military operations and contingency plans.’ It goes on to note specific examples of cyber operations in support of this goal, including disrupting an adversary’s command and control networks, military-related critical infrastructure and weapons capabilities. US doctrine on cyberspace operations notes that cyber operations are most effective when integrated with other capabilities. The doctrine holds that commanders should seek to integrate ‘cyberspace fires’ with other capabilities to achieve their desired effects.

Similarly, the UK sees significant value in using offensive cyber capabilities to support military operations, as well as a response option for cyber incidents. The 2015 National Security Strategy and Strategic Defence and Security Review states that the Armed Forces will be provided with ‘advanced offensive cyber capabilities’ that will be used to ‘enable the success of coalition operations’. Further, the Review states that offensive cyber capabilities will be considered amongst the full spectrum of response options that the UK will develop to deter adversaries and ensure there are consequences for actors that threaten the UK’s security.

The announcement that Australia has an offensive cyber capability, and the manner in which it was announced, indicate a growing sophistication and confidence in thinking on cyber policy issues in the Australian Government. To take advantage of the potential offered by such a capability, Defence needs to make a concerted effort to formulate its thinking on how, when, where and why it will be used, along with how the capability will be developed and sustained. That should include its broader utility in support of conventional military operations as well as its potential role as a retaliatory option for government. Such moves will patch the hole in the DWP, aid the development of cyber capability within Defence and provide further evidence of Australia’s commitment to developing cyber capability that aligns with Australian and international law.