Cyber has become a supposedly cheap first-strike weapon of political choice for potential adversaries in a milieu that places insurgency, terrorism, international crime and state-based influences in close, unregulated proximity. The merging of electronic and cyber warfare means that not even submarines, however unconnected or firewalled they may be, are immune. The quantum attack surface of submarines lies as much in their past as in their designs today and their operations tomorrow: they must survive to be credible, and ideally they should even be a contemporary offensive cyber deterrent. Such critical defensive systems require robust security systems engineering and cybersecurity test and evaluation to build and sustain their cyber-resilience. This paper uses Australia’s future submarine program [1] to outline key facets needed in a submarine program to achieve cyber resilience, including how to adapt U.S. Department of Defense (DoD) best practices to engineer, test and sustain cyber-resilient submarine systems. Strategies are needed that provision sovereign-owned and operated land-based test sites to design, build, demonstrate and sustain critical submarine systems. This work is most relevant to countries allied to the U.S. and importing submarine capabilities, such as the lesser European powers and countries in the Indo-Pacific, where both cyber warfare and submarines are proliferating.
References
[1]
Joiner, K.F., Atkinson, S.R. and Sitnikova, E. (2017) Cybersecurity Challenges and Processes for Australia’s Future Submarine. Proceedings of the 4th Submarine Science, Technology and Engineering Conference, Adelaide, 13-16 November 2017, 166-174.
[2]
ANAO (2016) Performance Audit, Future Submarine—Competitive Evaluation Process. Report No. 48: 2016-17, Australian National Audit Office, Canberra.
[3]
Stanford, J. (2017) Australia’s Future Submarine Getting This Key Capability Right. In: Stanford, J., Ed., Public Policy Report to Submarines for Australia, Public Policy Report, Insight Economics Pty. Ltd., Canberra.
[4]
Joiner, K.F. and Atkinson, S.R. (2016) Australia’s Future Submarine: Shaping Early Adaptive Designs through Test and Evaluation. Australian Journal of Multi-Disciplinary Engineering, 12, 3-26.
https://doi.org/10.1080/14488388.2016.1238025
[5]
ANAO (2002) Test and Evaluation of Major Defence Equipment Acquisitions. Audit Report No. 30: 2001-02, Australian National Audit Office, Canberra.
[6]
RAND Corporation (2011) Learning from Experience, Volume IV—Lessons from Australia’s Collins Class Submarine Program. RAND Corporation on Behalf of Australian Department of Defence, Santa Monica, CA.
http://www.dtic.mil/dtic/tr/fulltext/u2/a552686.pdf
[7]
Stewart, C. (2016) Our French Submarine Builder in Massive Leak Scandal. The Australian Newspaper.
http://www.theaustralian.com.au/national-affairs/defence/our-french-submarine-builder-in-massive-leak-scandal/news-story/3fe0d25b7733873c44aaa0a4d42db39e
[8]
Keany, F. (2016) French Shipbuilder DCNS Learned of Submarine Breach via the Media: Pyne Accuses Xenophon Staffer of Leak. ABC News.
http://www.abc.net.au/news/2016-12-15/submarine-french-company-unaware-of-breach-until-media-reports/8122548
[9]
Austin, G. (2016) Australia Rearmed! Future Needs for Cyber-Enabled Warfare. Discussion Paper No. 1 of the Australian Centre for Cyber Security at University of New South Wales, Canberra.
https://www.unsw.adfa.edu.au/unsw-canberra-cyber/sites/accs/files/uploads/DISCUSSION%20PAPER%20AUSTRALIA%20REARMED.pdf
[10]
Fitsanakis, J. (2013) Chinese Hackers “Stole Blueprints” of Australian Spy Agencies New HQ. IntelNews. https://intelnews.org/2013/05/28/01-1267/
[11]
Grubb, B. (2013) Blueprints for New ASIO Headquarters “Stolen”. The Sydney Morning Herald.
http://www.smh.com.au/it-pro/security-it/blueprints-for-new-asio-headquarters-stolen-20130527-2n7kz.html
[12]
Pearce, R. (2016) Cyber Deterrant: PM Talks up Australia’s Offensive Capabilities. Computerworld. https://www.computerworld.com.au/article/598443
[13]
Heinbockel, W.J., Laderman, E.R. and Serrao, G.J. (2017) Supply Chain Attacks and Resiliency Mitigations: Guidance for System Security Engineers. Mitre Technical Report MTR170477.
https://www.mitre.org/sites/default/files/publications/pr-18-0854-supply-chain-cyber-resiliency-mitigations.pdf
[14]
Australian DoD (2016) Defence White Paper 2016. 50, 81-82.
http://www.defence.gov.au/
[15]
Joiner, K. (2017) How Australia Can Catch up to U.S. Cyber Resilience by Understanding That Cyber Survivability Test and Evaluation Drives Defense Investment. Information Security Journal: A Global Perspective, 26, 74-84.
[16]
Joiner, K., Sitnikova, E. and Tutty, M.G. (2016) Structuring Defence Cyber-Survivability T&E to Research Best Practice in Cyber-Resilient Systems. Systems Engineering Test and Evaluation Conference, Melbourne, 50-63.
[17]
Joiner, K.F. and Tutty, M.G. (2018) A Tale of Two Allied Defence Departments: New Assurance Initiatives for Managing Increasing System Complexity, Interconnectedness, and Vulnerability. Australian Journal of Multi-Disciplinary Engineering.
[18]
Alberts, C., Haller, J., Wallen, C. and Woody, C. (2017) Assessing DoD System Acquisition Supply Chain Risk Management. CrossTalk, 30, 4-8.
[19]
U.S. Defense Acquisition University (DAU) (2016) The Road Ahead for Defence Acquisition.
http://dau.dodlive.mil/2016/04/18/cybersecurity-the-road-ahead-for-defense-acquisition/
[20]
U.S. DoD Defense Science Board (DSB) (2016) Summer Study on Autonomy. 28-30. https://autonomousweapons.org/department-of-defense-science-board-summer-study-on-autonomy/
[21]
Reay Atkinson, S. and Bogais, J.J. (2017) Socio-Ethics to Critical Thinking. Royal Australian Navy Fleet Air Arm Tactical Forum 24 Aug., HMAS Albatross, Nowra.
[22]
Reay Atkinson, S., Bogais, J.J. and MacLeod, R. (2016) Future Submarine Systems and Cultural Awareness Systems Brief. CISS Think Piece, 2 Sep.
[23]
Reay Atkinson, S. and Bogais, J.J. (2017) Quantum AI—Future Imperfect? Data Centre Dynamics (DCD) Converged, International Convention Centre, Sydney.
[24]
Reay Atkinson, S. (2009) Cyber: Envisaging New Frontiers of Possibility. UKDA Advanced Research and Assessment Group, Occasional Series, 03/09.
[25]
Barrett, T. (2016) An Expanded Submarine Fleet: Meeting the Challenges. Presentation to 8th Biennial Conference of the Submarine Institute of Australia, Canberra, 15 November 2016.
[26]
Sammut, G. (2016) The Future Submarine Program. Presentation to 8th Biennial Conference of the Submarine Institute of Australia, Canberra, 15 November 2016.
[27]
Bradley, J.M., Joiner, K.F., Efatmaneshnik, M. and Keating, C.B. (2017) Evaluating Australia’s Most Complex System-of-Systems, the Future Submarine: A Case for Using New Complex Systems Governance. Proceedings 27th Annual INCOSE International Symposium, Adelaide, 15-20 July 2017, 187-199.
https://doi.org/10.1002/j.2334-5837.2017.00353.x
[28]
Christensen, P. (2017) Cybersecurity Test and Evaluation: A Look Back, Some Lessons Learned, and a Look Forward! ITEA Journal, 38, 221-228.
[29]
Australian Senate (2012) Senate Inquiry into Defence Procurement. Chapter 12, Australian Parliament House, Canberra.
[30]
Brown, C., Christensen, P., McNeil, J. and Messerschmidt, L. (2015) Using the Developmental Evaluation Framework to Right Size Cyber T&E Test Data and Infrastructure Requirements. ITEA Journal, 36, 26-34.
[31]
Mead, N.R. and Woody, C.C. (2017) Cyber Security Engineering: A Practical Approach for Systems and Software Assurance. Pearson Education, London.
[32]
Joiner, K.F. (2015) How New Test and Evaluation Policy Is Being Used to De-Risk Project Approvals through Preview T&E. ITEA Journal, 36, 288-297.
[33]
Australian National Audit Office (2015) Report No. 9 2015-16: Test and Evaluation of Major Defence Equipment Acquisitions. ANAO, Canberra.
[34]
Australian National Audit Office (2010) Report No. 37 2009-10: Lightweight Torpedo Replacement Project—Department of Defence. ANAO, Canberra.
[35]
Australian National Audit Office (2013) Report No. 26 2012-13: Remediation of Lightweight Torpedo Replacement Project. ANAO, Canberra.
[36]
Australian Parliament (2016) Joint Parliamentary Committee for Accounts and Audit (JCPAA) Hearing with Defence and the Australian National Audit Office.
http://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/Reports_Nos_52_3_and_9
http://parlview.aph.gov.au/mediaPlayer.php?videoID=296010&operation_mode=parlview
[37]
Zhu, L., Staples, M. and Nguyen, T. (2014) The Need for Software Architecture Evaluation in the Acquisition of Software-Intensive Systems. Aerospace Division, Defence Science and Technology Organisation, Fishermans Bend.
[38]
Fowler, S., Sweetman, C., Ravindran, S., Joiner, K.F. and Sitnikova, E. (2017) Developing Cyber-Security Policies That Penetrate Australian Defence Acquisitions. Australian Defence Force Journal, No. 202, 17-26.
[39]
Reay Atkinson, S., Levula, A.V., Caldwell, N.H.M., Wigand, R.T. and Hossain, L. (2014) Signalling Decision Making and Taking in a Complex World. International Conference on Information Technology and Management Science, Hong Kong, 1-2 May 2014.
[40]
Wickens, C.D., Lee, J., Liu, Y. and Becker, S.D. (2014) An Introduction to Human Factors Engineering. 2nd Edition, Pearson Prentice Hall, New York.
[41]
Elele, J.N., Hall, D.H., Davis, M.E., Turner, D., Faird, A. and Madry, J. (2016) M&S Requirements and VV&A Requirements: What’s the Relationship? ITEA Journal, 37, 333-341.
[42]
Hecht, M. (2015) Verification of Software Intensive System Reliability and Availability through Testing and Modeling. ITEA Journal, 36, 304-312.
[43]
Normann, B. (2015) Continuous System Monitoring as a Test Tool for Complex Systems of Systems. ITEA Journal, 36, 298-303.
[44]
Cofer, D. (2015) Taming the Complexity Beast. ITEA Journal, 36, 313-318.
[45]
Heinl, C.H. (2016) The Potential Military Impact of Emerging Technologies in the Asia-Pacific Region: A Focus on Cyber Capabilities. In: Bitzinger, R.A., Ed., Emerging Critical Technologies and Security in the Asia-Pacific, Palgrave Macmillan, Hampshire, 123-137. https://doi.org/10.1057/9781137461285_10
[46]
Sheldon, J.B. (2012) Toward a Theory of Cyber Power: Strategic Purpose in Peace and War. In: Reveron, D.S., Ed., Cyberspace and National Security Threats, Opportunities, and Power in a Virtual World, Georgetown University Press, Washington DC, 212.
[47]
Reveron, D.S. (2012) Cyberspace and National Security Threats, Opportunities, and Power in a Virtual World. Georgetown University Press, Washington DC.
[48]
RAND Corporation (2015) Perspective on 2015 DoD Cyber Strategy.
http://www.dtic.mil/get-tr-doc/pdf?AD=ADA621794
[49]
Bitzinger, R.A. (2016) Emerging Critical Technologies and Security in the Asia Pacific. Palgrave Macmillan, Hampshire, 37-62 and 91-106.
[50]
Hashim, A. (2013) Warfare in New Domains: The Future of Asymmetric Operations and Information Warfare. 15th Asia Pacific Programme for Senior Military Officers—The Future of War, RSIS Singapore, 5 August.
[51]
Andres, R.B. (2012) The Emerging Structure of Strategic Cyber Offense, Cyber Defense, and Cyber Deterrence. In: Reveron, D.S., Ed., Cyberspace and National Security Threats, Opportunities, and Power in a Virtual World, Georgetown University Press, Washington DC, 92.
[52]
Fidler, D.P. (2012) Inter Arma Silent Leges Redux? The Law of Armed Conflict and Cyber Conflict. In: Reveron, D.S., Ed., Cyberspace and National Security Threats, Opportunities, and Power in a Virtual World, Georgetown University Press, Washington DC, 76.
[53]
Geers, K., Kindlund, D., Moran, N. and Rachwald, R. (2017) World War C: Understanding Nation-State Motives behind Today’s Advanced Cyber Attacks. Fireeye Corporation.
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-wwc-report.pdf
[54]
Demchak, C. (2012) Cybered Conflict, Cyber Power, and Security Resilience as a Strategy. In: Reveron, D.S., Ed., Cyberspace and National Security Threats, Opportunities, and Power in a Virtual World, Georgetown University Press, Washington DC, 120.
[55]
Hardung, B., Kozlow, T. and Kruger, A. (2004) Reuse of Software in Distributed Embedded Automotive Systems. Proceedings of the 4th ACM International Conference on Embedded Software, Pisa, 27-29 September 2004, 203-210.
https://doi.org/10.1145/1017753.1017787
[56]
Pretschner, A., Broy, M., Kruger, I.H. and Stauner, T. (2007) Software Engineering for Automotive Systems: A Roadmap. Future of Software Engineering, Minneapolis, 23-25 May 2007, 55-71.
[57]
U.S. DoD (2015) Cybersecurity T&E Guidebook. Version 1.0.
[58]
Ross, R., McEvilley, M. and Oren, J.C. (2016) NIST Special Publication 800-160, Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. U.S. Department of Commerce.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
[59]
Nejib, P., Beyer, D. and Yakabovicz, E. (2017) Systems Security Engineering: What Every System Engineer Needs to Know. 27th Annual INCOSE International Symposium, Adelaide, 15-20 July 2017, 434-445.
[60]
Reay Atkinson, S., Maier, A.M., Caldwell, N.H.M. and Clarkson, P.J. (2011) Collaborative Trust Networks in Engineering Design Adaptation. International Conference of Engineering Design, Denmark, 15-19 August 2011, 152-161.
[61]
Ferguson, G. (2012) Product Innovation Success in the Australian Defence Industry—An Exploratory Study. The University of Adelaide, Adelaide.
https://digital.library.adelaide.edu.au/dspace/bitstream/2440/79198/8/02whole.pdf
[62]
Australian DoD (2017) Defence Procurement Policy Manual.
http://www.defence.gov.au/casg/DoingBusiness/ProcurementDefence/ContractingWithDefence/PoliciesGuidelinesTemplates/ProcurementPolicy/dppm.aspx
[63]
Australian DoD (2017) Defence Information Security Manual.
https://acsc.gov.au/infosec/ism/