Developing cyber-security policies that penetrate Australian defence acquisitions

Abstract

Technological edge on the battlespace has been one of Australia's military advantages within Southeast Asia. This is partly due to the relative larger size of the Australian economy and its ability to procure advanced defence systems compared to the region. However, by 2030, it is envisaged that Australia will slip to being the 23rd largest economy in the world, slightly smaller than Thailand's and similar in size to Malaysia's (Hawksworth and Chan, 2015). This will significantly erode Australia's financial advantage, as other regional nations will be able to afford advanced weapon systems, including cutting-edge cyber capabilities. As all nations continue to develop their offensive cyber capabilities, Australian defence systems will become increasingly vulnerable. Joiner (2017) has reviewed the options of the Australian Department of Defence (Defence) for cyber-security test and evaluation and has highlighted that there are significant difficulties in attributing and predicting the final effects of cyber threats that are currently manifesting, making it very difficult for Australia to rely on deterrence from an ally like the US. In an attempt to address these challenges, cyber security has become an increasing focus for Defence. The release of the 2016 Cyber Security Strategy (Commonwealth of Australia, 2016) and the 2016 Defence White Paper (Australian Government, 2016) shows that decision-makers at all levels have demonstrated an understanding of the importance of cyber security. However, this enthusiasm for protecting Defence capability from hostile cyber attacks has yet to translate into a comprehensive and coordinated set of policies at the working level (Joiner, 2017). This is not necessarily due to ignorance or indifference. Translating the aspirations of a cyber-hardened and cyber-resilient arsenal of military systems into a workable and robust set of policies is a difficult challenge. It is amplified by the large expenditure of public funds and the lengthy acquisition process typically associated with Defence's capability development, often cultivating a culture of risk aversion and an environment where a cyber-resiliency policy cannot simply be iteratively developed over a number of projects in any reasonable timeframe. If new Defence capability lifecycle policies are not implemented properly, cyber resiliency may be overlooked and a vulnerability may develop, or there may be significant wastage that does not materially contribute to the cyber resiliency of the capability being procured.This research article examines how Australian Defence acquisition policies can adapt, mainly using U.S. Defense experiences, to deal more effectively and systematically with cyber resilience.