1

Australian Defence Force

Joint Capability Coordination

RADM Peter Quinn, CSC, RAN

Head Joint Capability Coordination

VICE CHIEF OF DEFENCE FORCE GROUP

R22371339

The military defensive cyber security challenge:

What are our requirements of both military forces and

contractors providing operationally critical services?

16 June 2015

2

Introduction

Presentation Scope:

• The modern ADF

• The threat environment

• Challenges for the ADF

• Building the capability

• Requirements of the ADF and partners:

– Defence’s approach: Responsibility, Resilience and Risk

2

3

The Modern ADF - Context

• Highly networked operations

• A tri-service and multi-agency federation

• Well integrated through cyberspace

• Logistics support– Reliant on military partners

– Reliant of commercial partners

– Reliant on partners security • trust vs audit?

3

4

4

5

?

• ?

5

6

The Threat Environment

• Novice to Level 3 actors

• Nation state vs non-state

• Insider and external threats

• Asymmetrical threat– The great equaliser

• Hard targets (platform mission systems) vs soft targets (supply chain)

Threat Actor – Level 1• Inexperience

• Limited funding

• Opportunistic

• Target known Vulnerabilities

• Thrills, bragging

• Easily detected Threat Actor – Level 2• Higher order skills

• Well financed

• Targeted activity

• Target known Vulnerabilities

• Target & exploit valuable data

• Detectable, but hard to attributeThreat Actor – Level 3• Very sophisticated tradecraft

• Foreign intel agencies

• Very well financed

• Target tech and info

• Use unknown vulnerabilities

• Persistent

• Very hard to detect & attribute

6Reference: U.S. Department of Homeland Security

7

Challenges for the ADF

• Normalising cyber defence– Inherent part of operations

– Identify important vs vital cyber ground

• Integrating a coherent, ubiquitous cyberspace defence strategy in Defence including partners– Addressing soft and hard

targets

– Implementing a

comprehensive

Information Assurance

strategy

Policy and Compliance

Intrusion Detection

and Prevention

Surveillance

and

Pattern Matching

Vulnerability Assessment

and Penetration Testing

Disaster Recovery

7

8

Building the Capability

• Building a new ADF capability within a fiscally constrained environment

• Building a sustainable workforce– Recruitment, training, retention

– Working with industry – flexible work arrangements

8

9

• Taking responsibility– Build a coherent ADF plan

– Build a defensive cyber capability

– Build strong, transparent & agile partnerships

– New generation contracts• Service with security, partnering in cyber security

• Assisting support and operational partners best practice

• Assuring supply chain

– Cyber security as inherent part of operations• Commanders to take the reins (not just a J6 problem)

• U.S. “Cybersafe” program

• RAN baseline

• Program managers responsible for ensuring acquisition

aligns with standards

9

Defence’s Approach

10

• Building Resilience– “Cybersafe”

• Set standards

• Baseline cyber status; monitoring and auditing. Strict adherence to baseline

– Investing in building a defendable architecture (CIOG and Services)

– Up-skilling current network operators • Network security specialists

– Investing in up-skilled partners• Prioritisation of security requirements

10

Defence’s Approach

11

Defence’s Approach

• Managing Risk

– The cyber threat will always get through

– Build a layered, multi-faceted cyber security defence

– Accreditation and certification• Cybersafe: Certification authority makes final

decisions and assumes risk & accountability

• Beyond just Defence (partnerships)

11

12

Summary

• Normalise cyberspace operations

• Commanders must appreciate the threat– Accept responsibility

• Build transparency through the “logistics” supply chain– No soft targets

– Work together (your threat is our threat)

• Identify and classify vital vs important networks– Scalable and defendable

• Build an agile, integrated and defendable capability

12

13

QUESTIONS

13