As Australia prepares the next iteration of its national cyber security strategy, one of the questions it must grapple with is the role of domestic innovation, including the national science and technology (S&T) base in information technology. The challenge is compounded by many factors, not least the globalized (non-national) character of the underlying information and communications technologies (ICT). Australia is a rich developed country, and a member of the G20, but it is tiny in size and relatively lacking in venture capital.
The Cyber Threat
In May 2014, the country’s Defense Science and Technology Organization (DSTO), part of the Department of Defense, published a study, Future Cyber Security Landscape. DSTO is not the lead agency for cyber security, but its threat analysis in this document probably cannot be faulted. It highlights the following:Enjoying this article? Click here to subscribe for full access. Just $5 a month.
- “Attacks will become more opportunistic and difficult to detect or predict”
- “Threats will become more potent”
- “Effects or outcomes of attacks will …. have longer term flow on effects”
- “There will be a move from code exploitation to manipulation of data … and the introduction of systemic effects”
- security will continue to lag behind the technological potential of attackers and emerging vulnerabilities.
This is a very bleak picture.
National Security S&T Strategy
One of the pieces of the response puzzle for Australia has been agreement on, and investment in, what the government calls “national security science and technology research priorities.” In 2009, the same year as Australia announced its first comprehensive cyber security strategy, its Department of Prime Minister and Cabinet (PM&C) also published The National Security Science and Innovation Strategy. The government said that “The Strategy establishes a unified set of national security objectives for science and innovation and an annual process for the national security community to communicate their science and innovation priorities to researchers, entrepreneurs and funding programs.” The 2009 strategy aligned its priorities with the government’s broader innovation priorities, of which seven had been identified. But all of the priorities, the national ones and those from the national security S&T strategy document, were all fairly generalized descriptors verging on motherhood statements.
Practical action was taken. For example, PM&C noted in its annual report for 2010-11 the following measures among others:
- supporting the inaugural National Security Science and Innovation Conference in 2010
- releasing the first Online Directory of National Security Science and Innovation researchers
- conducting workshops, such as the National Security Science and Innovation Commercialization and Capability Realization workshop held in April 2011
- Working with the Australian Research Council (ARC) to incorporate national security priorities into the ARC’s 2011 Future Fellowships program.
In 2009, the government identified the need to set up a Steering Committee for national security innovation to lead the work identified in the 2009 study, but there have been few visible signs in public of significant fruit from this initiative. In fact, according to one official source, the previous Labor government simply dumped the strategy in 2012 without any publicity and it will be up to the new conservative coalition government to breathe life back into it.
By late 2014, the government’s Chief Scientist, Professor Ian Chubb, was lamenting the fact that Australia was the only country in the OECD without a comprehensive national innovation strategy, even though he had led the way months earlier in identifying five breakthrough measures. A country’s overall innovation policy will determine the environment for national security S&T innovation. And so it has been for Australia.
Australian National Security in the Cyber Age
The key however does not lie with the DSTO or the country’s S&T establishment. The priorities for action in cyber security, including development of the S&T base, must lie in the strategic and force structure goals of the country’s “strategic and intelligence” actors. The government must set an overall national policy framework. Here, Australia has been well served by a 2014 study prepared jointly by DSTO and the Deputy Secretary of Defense for Strategy and Intelligence (S&I), with the title DSTO Cyber Science and Technology Plan. One of five priorities identified, which needs far more attention in public by all arms of the Australian government, is that of “system design for resilience.” Resilience has both cyber technical and non-cyber technical and social aspects. These involve large swathes of private sector and citizen actors, as well as State government agencies of different stripes. It is not exclusively an S&T research issue.
Even this DSTO/S&I study does not go beyond what it calls the “cyber-EW continuum” (EW is electronic warfare). Operationalization of this for the Australian Defense Force is an important innovation goal, both inside the S&T community and beyond it. But the impact and potential of cyber-enabled military operations extends well beyond the electronic warfare domain of single service elements. It is in this higher level area, where cyber technologies meet strategic political effects and goals, that Australia is lagging in policy development, capability and action. This subject is covered in a recently published article by the author, titled “Australia’s Digital Skills for Peace and War”, which is a revised version of a public submission to the White Paper process currently under way in Australia.
The article concludes:
Inside Australia, the environment for decision-making on defense policy for the information age is severely hamstrung by the national environment in the civil domain. The picture in that domain is one of falling competitiveness and only medium (to low) levels of innovation. Australia needs a digital age strategy for its civil sector before it can have a digital military strategy.
The article offers nine recommendations, of which the following three are indicative:
- appoint a specialist panel to analyze Australia’s digital work force and to develop a new national strategy dedicated exclusively to its rapid development
- commission a report on community and business attitudes to cyberspace as they pertain to national security needs
- Invite the Australian Army to do an audit of Australia’s military digital readiness.
Three years ago, the United Kingdom invested £650 million ($1 billion) in public, private sector, civil society, and university activity for cyber security. How much should Australia invest in cyber security, including S&T innovation? We will be looking to the forthcoming Australian government review of its cyber security needs to answer some of these questions, including future directions for a resuscitated national security science and innovation framework.