DDCIS speech to Old Crows Association 2012

Speech by Deputy Director (First Assistant Secretary) Cyber and Information Security Division Mike Burgess to Australian Chapter of Old Crows Association Australian EW, IO and Cyber Convention, Adelaide, 16 April 2012

Throughout history, new technologies have revolutionised warfare. Think of the chariot, gunpowder, aircraft, radar, nuclear technology. Of course we know the greatest of these accomplishments is radar…

However, does anyone remember the Cold War? Back when the world stage had only two main players – the United States and the Soviet Union?

Each country knew its boundaries – don’t get me wrong, it didn’t stop them trying to claim new ground in foreign theatres, but each nation knew what the other wanted and where they stood.

Remember when aggressive moves were either kinetic in nature – aircraft carriers being moved offshore, military deployments – or resulted in tense diplomatic relations – enforcing embargoes and even seeking sanctions from the United Nations Security Council?

OK, so there was the fear of nuclear annihilation. However the legitimate fear of mutually assured destruction gave an ironic stability to the global sphere … and interestingly also gave us the internet today.

My name is Mike Burgess and I am the Deputy Director of Cyber and Information Security at the Defence Signals Directorate. Today I will be speaking to you about cyberspace and the future security challenges we face in this new and unprecedented threat environment.

We hear and talk about the internet on an almost daily basis – but what is it? The term stands for INTERconnected NETworks. The Internet is a loose association of thousands of networks and billions of computers across the world that all work together to share information. Today the Internet remains one of the most revolutionary mediums for accessing and sharing information.

The Internet actually has its origins in the United States Department of Defense as a strategy for ensuring vital communication networks would survive a nuclear attack. The solution was to develop a network of geographically dispersed computers capable of communicating with each other. The project was named ARPANet, which stood for Advanced Research Projects Agency Net.

The US Department of Defense placed the ARPANet under the supervision of the US Defense Communications Agency. The network grew to incorporate university researchers and US Defense contractors – and grew into the information technology behemoth we know – and love – today.

What is cyber?

Understanding what the Internet is leads me to offer you my definition of ‘cyber’ and ‘cyber space’. I prefer a relatively simple definition – ‘The internet and everything connected to it.’

Now, although this is quite a clear and simple definition, I concede it is still broad. At the end of 2010, CISCO estimated the number of devices connected to the internet at approximately 12.5 billion. This equates to roughly two devices per person on earth. And CISCO predicts that there will be around 25 billion devices connected to the internet by 2015. Today, over 80% of Australians have access to the internet.

Although I don’t normally like throwing out random statistics, I believe this one shows the level of growth we have seen in a very short time. When our US colleagues first invented what would later become ‘the Internet’, all the computers were contained in buildings and rooms, often in guarded compounds. With mobile computing devices, this is no longer the case. Everything is connected, everything is online and everything is accessible.

Cyber warfare and Australia

In June 2002, Defence officially recognised the need to adapt to the rapidly growing information age. A vision statement, titled Force 2020 articulated the fundamental need to transform the ADF from a platform-centric force to a network-centric one.

Defence is big – and sometimes it can move slowly. But give us a new capability which could provide a tactical advantage – let's just say it didn't take long for Defence to make cyber work effectively in real time.

At a Network Centric Warfare conference in May 2003, General Cosgrove attributed success in the 2003 Iraq war to employing network warfare, stating that ‘the Iraqi forces were beaten quickly, spectacularly and comprehensively by a force using what were, on balance, mostly first-generation network-centric technologies and concepts.’

These were pivotal revelations for Australia in the security realm. But this increased reliance on networked warfare to conduct military operations also carried with it a new set of risks. If Australia came under attack, how would our increasing reliance on network technologies impact our warfighting and peacekeeping abilities?

In the 2009 Defence White Paper, the need to enhance Australia’s cyber capabilities was officially recognised. With Defence’s increasing reliance on the use of networked operations, the White Paper acknowledged that Australia could potentially be compromised by cyber attacks – not only on Defence, but also on wider government, commercial or infrastructure-related information networks. [2]

The White Paper also recognised that the cyber threat would require ‘significant and sustained investment by Defence in new technology and analytical capability to guard the integrity of its own information and ensure the successful conduct of ADF operations.’ [3] Such a ‘cyber investment’, as I like to call it, would allow Australia ‘an edge’ in cyberspace and assist us to ‘protect ourselves’.

Australia’s major enhancement of Defence’s cyber warfare capability led to the establishment of the Cyber Security Operations Centre. The centre opened in January 2010. It is located within DSD and operates under our existing legal framework as articulated in the Intelligence Services Act 2001.

The main function of the Cyber Security Operations Centre is to provide enhanced situational awareness and incident response capability. And just like many of the military areas you have worked in, or when you were deployed, DSD is staffed 24/7. This enables us to provide collaborative cyber warfare support to ADF operations and also serve broader national security goals by responding to significant cyber events on Australian networks.

So why was DSD chosen to host the Cyber Security Operations Centre? Well, DSD already possessed ‘significant cyber expertise’. So, as the technical authority on information security, we already had the credentials required to perform this work.

Did you know DSD is the oldest intelligence agency in the Australian Intelligence Community? And we have two missions. The first is collecting and analysing foreign signals intelligence. The second is information security, which is where our cyber capability fits. So in the cyber safari, DSD is the poacher and the gamekeeper – hence our mission statement of ‘reveal their secrets, protect our own’.

I am very proud to say that in 2012 the Cyber Security Operations Centre continues to provide the Australian government with a better understanding of the cyber threat and continues to provide effective response to significant cyber events.

However, the challenges and threats are so large, and so diverse, not even my agency can tackle them alone. So within the Cyber Security Operations Centre, we draw on the expertise of the ADF, including members from the Royal Australian Air Force.

We also have Defence civilian personnel from DIO, the Defence Science and Technology Organisation, as well as our colleagues within ASIO, the Attorney-General’s Department’s Computer Emergency Response Team and the AFP.

But the collaboration doesn’t stop there – we also work very closely with industry and international partners to bring all the skills and capabilities together to tackle this very complex problem.

Now on the subject of cyber warfare, it’s important to make a point of definition. An act of cyber attack or cyber warfare is intended to degrade, destroy or deny computer accesses and systems. A cyber intrusion is when a hacker wants to get into your network and steal your information. So if someone tries to hack into your banking records, some may be angry enough to feel it is an act of war – but Defence defines that as a cyber intrusion. However, others would define this differently … unfortunately …

So what has changed in Australia’s approach to cyber since 2009? The answer is – working collaboratively.

Working collaboratively

During the Australia-US Ministerial talks in 2011, Australia and the US marked the 60th anniversary of the ANZUS treaty by issuing a Joint Statement on Cyber. The statement recognises the need to work collaboratively to address mutual threats and challenges emerging in and from cyberspace. It also stipulates a cyber-related event will only be defined as a cyber-attack through bilateral consultation and examined on a case by case basis.

But to give a broad definition – a true act of cyber warfare would have to be potentially lethal, instrumental and political. [4] To date, not one single cyber offense on record constitutes an act of war on its own.

This year the Department of the Prime Minister and Cabinet are developing a Cyber White Paper. The White Paper will examine all aspects of cyber affecting Australia’s social well-being, economic prosperity and broader national interests.

Unfortunately many of the cyber capabilities within Defence are classified, so I can’t discuss them here. But I can tell you that we are conducting this challenging work collaboratively. And as I’ve already outlined – cyber is an ongoing strategic priority for Australia.

What is the cyber threat?

Let me give you my appraisal of the cyber threat, based on extensive intelligence work over the last 3 years, both here and overseas.

While Hollywood may like to exaggerate the nature of the cyber threat, showing chaotic images such as traffic lights stopping, electricity grids failing and the stock market being wiped clean, the reality is that there is often no physical manifestation of force in a cyber-intrusion. You won’t see any uniformed personnel carrying guns, or aircraft carriers off our shores – no exciting or frightening imagery which makes for good television. Therefore, it is easy to dismiss the threat as minimal.

However, the cyber threat is complex, multifaceted and potentially very dangerous. Australian networks – government, commercial and personal – are facing an unprecedented level of intrusion activities.

The cyber threat comes from a wide range of sources including individuals, issue-motivated groups, organised criminal syndicates and state-sponsored hackers. We consider the single biggest cyber threat remains state-sponsored intrusions against both government and commercial networks. The likelihood of a cyber-attack, on the other hand, we would assess to be fairly low.

Now you may all think you are not a target for cyber intrusion. ‘Why would someone be interested in me?’ Never assume your information is of no interest. A lot of the information being targeted is not classified – the focus is on stealing information for commercial gain.

In fact, more than 65% of intrusions we are seeing in Australia are economically motivated.

For example, there is alarming evidence overseas of organised crime extracting significant sums of money from the economy through network-based fraud. In Australia, the security company Symantec put the cost to Australia from cyber crime at 4.5 billion – that’s more than the cost of burglary and assault combined.

There is also a perception – partially cultivated by television – that cyber crime is incredibly complicated and only understood by machines and technical masterminds. The reality is, however, that cyber adversaries demonstrate a broad range of skills of varying levels of sophistication.

One of the most common and effective intrusion techniques is the socially engineered email. This is an email designed to appeal to the addressee. For example, a potential intruder may send you an email with an attachment or link claiming to be about a new radar capability. And this email may look like it is from one of your members within the Old Crows Association.

But once you click on that link, or open the attachment, you receive a small piece of software that allows them to effectively take over your machine and extract information covertly.

What is Australia doing about the cyber threat?

I am not trying to start a cyber-fear campaign. But as you are all aware with your Elint backgrounds, you need to be aware of your own capabilities and limitations … and those of your adversary … to conduct a successful military campaign.

In fact I like to use a phrase that I have borrowed from Vice Admiral Ray Griggs, Chief of the Navy. When Ray was head of Strategic Reform, he talked of the challenge of moving from the mindset of ‘we can’t do that because’ to a mindset of ‘we can do that if.’ And this is the mindset my organisation is working to apply to cyber security.

So for the first time in its history, DSD is trying to move beyond the ones and zeros in the server room. We now have dedicated sections within DSD which focus on cyber messaging. Remember your Elint days – what good is intelligence if you don’t find out what works, what doesn’t, and get feedback on what can be done differently?

One of my favourite examples of how DSD is doing its messaging differently comes from a few years ago when one of my staff assisted ASIO in responding to a major incident on the network of one of Australia’s biggest companies. The first thing he was asked by techies from the affected company was ‘what can we do to stop this?’ As legend has it, my staff member wrote down a list of things to do, right there and right now … on the back of a cocktail napkin.

But the suggestions didn’t involve buying new technology or IT security systems. That legendary cocktail napkin, or more correctly what was written on it, became a flagship document called 35 Strategies to Mitigate Targeted Cyber Intrusions, which DSD published back in 2009 and is being updated again in 2012.

In fact, we have found that if organisations implemented just the top 4 of these strategies, over 85% of the cyber intrusions the operations centre responds to would have been averted. DSD’s top 4 is a good example of how DSD fights cyber intrusions not just through our technical prowess, but also through education.

The future of cyber

I have put this cartoon up in good fun. As a Defence organisation, DSD fully recognises that Australia will always need the ADF for its fighting, peacekeeping and emergency response capabilities. The outstanding work our Defence personnel do on a daily basis worldwide cannot … and will not … be replaced by bits and bytes.

To us – this cartoon represents how cyberspace has changed the threat dynamic for Australia and therefore Australia needs to be flexible and timely in its responses to this new challenge.

I find it interesting that cyber and electronic warfare have some strategic similarities. Effective use of EW and cyber techniques can enhance the protection of Australia’s deployed forces and increase their effectiveness. But in using such techniques – we also become of interest to potential cyber adversaries.

At DSD we fully understand Australia’s future depends on being connected – we can’t survive as a country without taking full advantage of the digital revolution and all that it offers. But we need to be conscious about the risks that come with this connectivity. We can address these risks by being cyber aware – as we all face these risks together.

In a ‘cyber’ conclusion, I would like to note that the role of Defence is to protect Australia and its national interests. This role naturally relies on the Australian Defence Force.

Although, today in Australia – the ADF are supported by IT professionals – and I am very proud to work with these ‘IT warriors’ in helping to protect Australia’s national interests. Thank you for your time.

Footnotes

  1. CDF Speech to ADO Network-Centric Warfare Conference, ‘Innovation, People, Partnerships: Continuous Modernisation in the ADF’ by General Peter Cosgrove, AC, MC, Tuesday 20 May 2003. Accessed 10 April 2012.
  2. Paragraph 9.85, ‘Cyber Warfare’ Defending Australia in the Asia Pacific Century: Force 2030, Defence White Paper 2009, p 83.
  3. Paragraph 9.86. ibid.
  4. Rid, Thomas (October 2011), ‘Cyber War will not take place’, Journal of Strategic Studies.
  5. ibid.
