Defence begins 'cyber-worthiness' ratings

Australia’s nascent cyber warfare unit has been tasked with rating the “cyber-worthiness” of military equipment and systems before they are used in operations.

Vice Admiral Ray Griggs told a senate estimates hearing last night that cyber-worthiness ratings were being assessed by the joint information warfare unit set up in July last year.

“One of the things the team is working on is the notion of cyber worthiness,” Griggs said.

“It’s not the same as sea- and air-worthiness but a similar notion so that when we provide forces [with] units to an operational theatre, they are seaworthy or airworthy and also cyberworthy, which is an increasingly big body of work for [the information warfare unit] team.”

Defence first raised the prospect of cyber-worthiness in an research paper published mid last year.

“A complementary program could be implemented that would provide a group of independent
experts who could be engaged by prime defence contractors, or by Defence itself, to assess designs and systems for cyber resilience and cyber-worthiness on behalf of Defence,” it said. [pdf]

Griggs’ comments appeared to be the first confirmation that the idea had been picked up and implemented.

He noted that Australia was likely to have coined the assessment function as cyber-worthiness, “others [internationally] are working on the same sorts of issues”.

Major General Marcus Thompson, who is deputy chief of the information warfare unit, said that the unit “is developing quickly”.

“At maturity, it will have the task of defending deployed military networks and contributing to the offensive mission of the Australian Signals Directorate,” he said.

“In the unit right now, we have in the order of 40 or 50 people, but that will grow in accordance with the [Defence] white paper workforce guidance trials over the next nine years.”

The unit’s approach to cyber warfare can be broken into essentially three domains, which span both defensive and offensive capabilities.

“Our approach to defence is in three tranches: self-defence, passive defence and active defence,” Thompson said.

“Self defence is not the exclusive domain of the joint cyber unit - that’s everyone’s responsibility. It’s about culture, awareness, and basic operational security measures.

“Passive defence is the domain of communicators and system administrators who have responsibility for military networks and mission systems.

“Active defence is necessarily smaller numbers of highly trained people who reside on our networks and mission systems and actively hunt for and negate threats on those.”

Thompson said the unit was focused not just on networks but also mission systems, plant and other equipment that - at some point - had a connection out to the internet.

“I say networks and mission systems because so many of our military combat systems are based on internet protocol now, even in some cases through to individual weapons systems,” Thompson said.

“Often the cyber discussion gets focused on networks,” Griggs added.

He said that “anything that can interface externally through the internet or an external communications channel can be at risk”.

“That can be down to not just weapons systems but pumps and component parts like that that are connected to a control and monitoring system, and that system can be accessed,” Griggs said.

Cyber security has been boosted within defence ranks in recent times, in part with the establishment of the information warfare unit, as well as this year’s recognition of cyberspace “as a warfighting domain along with sea, land, air and space”.

That notion is somewhat controversial, and Thompson noted “there are some folk around the world who dispute whether it’s a domain in its own right”.

“But our doctrine includes cyberspace as a warfighting domain,” he said.

“It’s a challenging domain to qualify because cyber can mean so many things to so many people.”

Thompson was concerned not so much at attacks launched only in cyberspace, but with cyber being integrated into activities in other, more established warfighting domains.

“Effects in cyberspace in and of themselves are unlikely to be decisive,” he said.

“Cyber effects are at their best when they are fully integrated with other military capabilities across the warfighting domains.”