Australian REDSPICE: the challenge is in HR, not AI

Australia is unrolling historic investment in cybersecurity through the REDSPICE program. Credit: Shutterstock/Immersion Imagery

The REDSPICE blueprint, published in November 2023, serves as a strategic framework for the Australian Signals Directorate (ASD) to transform its capabilities, outlining the major skill sets ASD will continue to invest in.

Major elements include hiring for 1900 new cyber roles, representing the largest single investment across ASD's 75-year history. It is expected that AU$9.9bn ($6.4bn) will be invested over a decade in cyber and intelligence capabilities, workforce growth, and the development of new intelligence and cyber capabilities.

This enhancement will strengthen the defence of Australia's national systems and critical infrastructure. The plan will also triple ASD’s offensive cyber capabilities.

Global Defence Technology interviewed Vaughan Shanks, the co-founder and CEO of Australian cybersecurity company Cydarm Technologies, to understand the experience of domestic companies anticipating change in Australia’s cybersecurity sector as the nation introduces a huge wave of investment through the government’s latest initiative, REDSPICE.

Shanks worked in the ASD for around a decade, including three years spent at the NSA in Fort Meade, which means that as well as knowing Australia’s Ministry of Defence as a vendor, delivering a platform for cyber responders, he is also accustomed with the internal mechanisms of Australia’s cybersecurity programmes.

The blueprint highlights the need for collaboration with Australian industry to deliver cyber security, telecommunication, and cloud computing components, as well as workforce and facility solutions, something shanks feels is timely.

“REDSPICE is a recognition that cyber has really come to the fore as a major issue,” said Shanks. “REDSPICE pre-empted the current administration's push for legislative change and a much, much more rigorous cyber posture across the public and private sector.”  

REDSPICE was launched under a previous Australian administration, and as Shanks sees it as a continuation of efforts ASD were already engaged with. The issues it covers straddle the political divide with bipartisan support, and the project adds resources and personnel to the processes that were ongoing.

“The government projects that I've been involved with . . . they operate at a very high standard. When I hear people in the private sector talking about their struggles and how they can't do certain things, I think of how the government has the patience to follow the hard road and to develop incredible capabilities.” 

He finds that ASD, and their international counterparts, GCHQ in the UK, the GCSB in New Zealand, America’s NSA, and the CST in Canada, have talent of the highest order, motivated by both patriotism and curiosity. Shanks accepts there is a dual perception of government as possessing both advanced capabilities and a reputation for extreme waste.

While Shanks expects the REDSPICE programme will “crawl along” towards a ten-year horizon, he has confidence the result will be positive.

Cydarm has not been involved with tenders developing from REDSPICE, and as far as Shanks is aware none have been issued that fall within the company’s business interests, but he firmly expects that the initiative will be generating a lot of activity for companies involved in recruitment.

One of the projects biggest challenges will be in attracting talent to work in the public sector and retain that talent, an issue that has a long history in other areas of the defence industry. Shanks expects REDSPICE to roughly double the size of ASD, and to concentrate that talent in Australia’s capital, Canberra.  

The location poses a separate challenge, particularly in a post pandemic world, where established norms around working from home grant people more freedom to choose where they work. Asking new personnel to relocate is particularly difficult considering the youthful demographic of cybersecurity work, and the range of other attractive alternative locations in Australia.

“There's still a lot of top talent that will stay in the big cities,” said Shanks, “but REDSPICE seeks to mitigate that by having a hub and spoke model where the senior management is in Canberra, but actually having people in the facilities in the state capitals.”

However, finding individuals to move to Canberra, from the top echelon of cybersecurity, among people who are Australian citizens and can achieve security clearance, presents recruiters looking to populate the senior management roles in a state of high competition with other government programmes. “They're going to need to find a way to pay people more than a public service wage to draw them away from better financial opportunities,” said Shanks.  

Regarding the role that artificial intelligence (AI) can play in cybersecurity, Shanks is sceptical, although there is an understanding that threat actors will utilise the technology to move faster and commit more convincing fraud, employing more sophisticated methods of exploiting human vulnerabilities through phishing emails and similar deceptions.

The acceleration that is going on with AI has limited value to governments, however, as the role government often plays is to introduce human judgement to an issue, and abrogating decision making to a machine does not remove the accountability a government endures as a part of leadership.

“There's a constant flow of technology solutions coming into the field. You can see trends in security and defence thinking. It's becoming more and more focused around standards like (NIST) or (SANS),” said Shanks, adding there is a doctrine under development that considers cybersecurity threats as an adversarial service desk, and then what the best practice is to deal with this.

“When you combine that with the waves of technology that are serving that best practice, you do have a maturity building in the industry.”

One project that caught Shanks’s eye is coming out of the office of the Chief Data and AI officer of the US Department of Defense. At a presentation to DEFCON in August 2023, he defined a set of acceptable criteria for applying AI to a problem. Generating the first draft of a document passes the acceptable criteria. Drawing up a battle plan will fail to meet those criteria if it then directly leads to entering a theatre and executing a kinetic action against an enemy force and putting your own force at risk.

AI is already being used in the manifestation of battle plans. For example, defence research conducted for Germany’s Ministry of Defence by Rheinmetall and Fraunhofer IOSB producing a Position Selection Assistant for generating heat maps of acceptable locations for armoured units based on high resolution geographic data.

Shanks rightly points out that this accelerated an existing process, called view shedding. The influence of the machine learning has reduced the time necessary to create a map, but it is still generating a deterministic product that would be found through ordinary processes. The same result would be found, a given the same set of parameters, with human efforts.  However, Shanks accepts that reducing the duration of such a process from one hour down to ten minutes offers significant benefits in processing an OODA (Observe–Orient–Decide–Act) loop.   

The OODA loop, a conceptual pathway for fast paced decision making in an adversarial scenario, has a significance for cybersecurity that echoes that of the concept’s origins, among aerial combatants. The theory stands that of two opposing sides that are given the same technological hardware, the side that can execute its OODA loop at a faster pace than its adversary will be victorious.

“You'll see the same thing in cyber,” said Shanks. “When attackers get a foothold, the common thinking is lateral movement will occur within two hours,” referencing action taken by an attacker to move from opening an exploit to attacking a system.

“And the question is, can your defenders go from receiving a signal that tells them there's an intruder on the network, to a response activity that has them kicked off and access blocked before the attacker can make lateral movement. At each stage of an attack, there's that ability to respond quickly.”

Calling back to the OODA loops instructions to observe and orientate, Shanks highlighted that often a cyber defender does not know the digital terrain to be protected because the networks themselves are so vast and unmaintained. “It is often very hard to know where the attacker is going to exploit a vulnerability.”

While Shanks sees the threat from an accelerated decision pathway for threat actors by AI as limited, this does not mean he is complacent about future threats. Instead, Shanks anticipates a greater game changer on the horizon - quantum computing. “It will actually just lay waste to a lot of our existing encryption algorithms.”

Australia could be one of the main beneficiaries of this dramatic increase in demand, where private companies and local governments alike are eager to expand the country’s nascent rare earths production. In 2021, Australia produced the fourth-most rare earths in the world. It’s total annual production of 19,958 tonnes remains significantly less than the mammoth 152,407 tonnes produced by China, but a dramatic improvement over the 1,995 tonnes produced domestically in 2011.

The dominance of China in the rare earths space has also encouraged other countries, notably the US, to look further afield for rare earth deposits to diversify their supply of the increasingly vital minerals. With the US eager to ringfence rare earth production within its allies as part of the Inflation Reduction Act, including potentially allowing the Department of Defense to invest in Australian rare earths, there could be an unexpected windfall for Australian rare earths producers.