In a review of the government's readiness for cyber warfare, ASPI has recommended a "substantial" increase in spending on cyber, beyond that flagged in the 2016 Defence White Paper, along with a focus on better training, as the government looks to prepare to face future adversaries.
"The 2016 Defence White Paper noted that ‘enhancements in intelligence, space and cyber security will require around 900 ADF positions’. Those positions were part of the $400 million in spending announced in the white paper and will be spread across the ADF," the report said.
"While this is significant, given the limits of what can be achieved with current spending on conventional kit, the Australian government should consider conducting a cost/benefit analysis on the relative value of substantial further spending on cyber to provide it with an asymmetric capability against future adversaries. This would need to include a considerable investment in training."
Another key recommendation in the report, authored by head of the International Cyber Policy Centre Fergus Hanson and ASPI visiting fellow Tom Uren, suggests increasing the salary of Australian Signals Directorate (ASD) staff and establishing an alumni network in an effort to tackle the recruitment and retention issues that the government faces due to competition with private industry.
"Recruiting and retaining Australia’s top technical talent is a major hurdle. In the medium term, ASD will have to continue to invest heavily in training, raise salaries ... and develop an alumni network and culture that allow former staff to return in new roles after a stint in private industry," the report said.
The report comes after Prime Minister Malcolm Turnbull in 2016 confirmed Australia's offensive cyber capability while announcing Australia would use this capability against offshore cyber criminals. While the capability allows Australia to respond to serious cyber attacks, support military operations, including those against Daesh in Iraq and Syria, and counter offshore cyber criminals, it is not without its weaknesses.
The report said capabilities need to be highly tailored to be effective, like the Stuxnet worm that targeted Iran’s nuclear centrifuges, meaning that they can be expensive to develop and lack flexibility.
When used in isolation, they are unlikely to be decisive, and while major, blunt attacks (such as WannaCry and NotPetya) are relatively cheap and easy, they are unusable by responsible state actors such as Australia. Achieving the appropriate specificity and proportionality requires investment of time and effort.
The report also flagged two further weaknesses: the capability requires constant, costly investment as cyber security evolves, and it cannot be showcased as a deterrent in the same way that conventional capability can, because revealing a specific capability renders it redundant as defences are repaired.