Over the long-term the benefits for Australia developing an offensive cyber capability outweigh the costs. Australia should develop the capacity to utilise technological means to achieve the same purpose as it acquires traditional military weapons.
Australian defence has had a healthy focus on defending defence and critical infrastructure systems from cyber attacks however the next logical step is for Australia to expand its defensive capabilities into offensive ones. The Stuxnet virus, dubbed the “world’s first cyber super weapon”, that infected an Iranian nuclear facility exemplifies the uses and limitations of cyber weapons to achieve strategic aims. The virus, causing damage by making roughly a fifth of the centrifuges at the Natanz facility in Iran spin out of control, achieved a noteworthy set-back in Iran’s nuclear program. The bigger issue was that it represented the first real use of a cyber weapon, developed and deployed by a nation-state against another nation-state, to cause physical damage to critical infrastructure.
The purpose of having an offensive cyber capability is so that there is an option to disrupt, destroy or damage an intended target to fulfil a military objective. It is not the same as espionage, which relies upon the continued secrecy of electronic intrusion going undetected. However, initial access is a practical common denominator of both offensive cyber-weapon and cyber-espionage meaning initial access has the potential to serve the dual purposes of intelligence gathering and damaging a particular target. Primary targets include Industrial Control Systems (ICS) such as power grids, water treatment plants or transportation networks which are said to have less security than the four digit pins on ATMs.
Long-term strategic planning is needed to identify and access potential targets. The Stuxnet virus was a long-term project that reportedly began around 2005 when infiltration and mapping of the Natanz facility was initiated. Once access is gained it is a matter of what priority the attackers have. The Stuxnet virus reportedly aimed to maximise damage by only slightly damaging parts, and therefore going undetected for a longer period of time, to the nuclear facility.
Unintended consequences can include, much the same as conventional weapons, collateral damage. Unintended systems can be compromised because the virus is spread by networks or humans. Control of the source coding once released is an issue since it opens the possibility that a third party could access it, improve upon or modify the weapon, before using it against an objective of their own. The cost of developing such weapons will decrease the more they are used. The proliferation of such weapons is a cost because it can shift from nation-states having the capacity to develop and deploy such weapons to individuals hi-jacking the weapon for alternate purposes. For instance the coding used on the Stuxnet virus is now available online.
The development of offensive cyber-capabilities would maintain Australia’s level of technological advantage over other nations in our region. As previously mentioned, cyber-wars are an unlikely future scenario as they imply that cyber confrontation would supplant, but not compliment, traditional military conflicts.
As an offensive weapon cyber weapons enjoy a degree of legal ambiguity that traditional weapons do not although some argue that international law should apply to their use. Alliance matters are different and developing; while the ANZUS alliance has been confirmed to cover cyber-attacks, it has for instance been a subject of much debate whether NATO’s article five includes cyber attacks. Even though most computer hacks can in fact trace the source of attackers as illustrated by the Mandiant report that traced Chinese cyber intrusions, the political role of plausible deniability cannot be underestimated. The effects the cyber attack had on Iran’s nuclear ambitions were as great as a conventional air-strike, but with far less possibility of direct retaliation. Similarly Russia’s use of cyber intrusions to cripple the Ukrainian government has suited its purposes without triggering further international backlash.
The largest benefit however relates to cost; the price for developing, deploying and maintaining offensive cyber capability is said to be a fraction of the cost of conventional weapons. Stuxnet reportedly cost $100 million whilst other cheaper versions can cost up to $10,000. In 2013 America’s National Security Agency had a reported budget of approximately $10.5 billion. If any of those figures are reliable the $100 million cost of Stuxnet, the reported ‘super cyber weapon’ represents slightly less than 1% of the NSA’s annual budget.
It may be hard to identify where and when Australia would utilise an offensive cyber weapon. However, like Australia’s future Joint Strike Fighters, air-warfare destroyers and submarines, it is needed to hedge against potential future threats. It is important that the capability is there, whether it is used is a secondary consideration for decision makers at the time.
The 2013 Defence White Paper called for Australia to have the “capabilities that allow us to gain an advantage in cyberspace, guard the integrity of our information, and ensure the successful conduct of operations.” Leveraging our partnerships through the five eyes intelligence community appears to have compounded and taken advantage of Australia’s international partnerships. Australia has demonstrated access capability, as illustrated by the spying revelations against Indonesia, which could and should be used to develop Australia’s offensive cyber capability.
Australia has a strong cyber espionage and defence network. It should build upon this capacity by developing an offensive cyber capability.
Patrick Hill is a former intern at the AIIA National Office. He has a degree in Law and International Relations from Griffith University and is currently pursuing post-graduate studies in International Security Studies. He can be reached at firstname.lastname@example.org.