17 March 2023

Subduing the enemy without fighting

Iain Lindsay-German MBE

In this post, elevenM Principal Iain Lindsay-German MBE analyses recent high-profile media coverage suggesting a devastating conflict is imminent between Australia and China. Drawing on his military experiences and extensive study of war and conflict, Iain evaluates the likely impacts of such a conflict and how cyber tactics might play a role.

“The supreme art of war is to subdue the enemy without fighting” – Sun Tzu

Last week, the Sydney Morning Herald (SMH) ran a series titled ‘Red Alert’ on the threat posed by China to Australia. The series emphasised how unprepared we are for a major conflict in the region, and the extent of the dangers we face as a nation. It was perhaps best summed up with this line:

“Within 72 hours of a conflict breaking out over Taiwan, Chinese missile bombardments and devastating cyberattacks would begin pummelling Australia.”

SMH has attracted some criticism for following an alarmist and escalatory narrative, to which it has also recently responded.

It’s true that the series likely focused on the most dangerous scenario or course of action (more on that later). Two things are nevertheless still true.

Firstly, whether we like it or not, Australia is involved in the broader geopolitical tensions involving China. This is the strategic backdrop to announcements such as this week’s major AUKUS submarine deal.

Secondly, even if the most dangerous course of action doesn’t eventuate, our lives will likely still face some level of significant disruption, and this becomes increasingly likely as tensions grow.

In this post I will explore these ideas, the likely role of cyber in any upcoming conflict, and how we might prepare as a nation.

Most dangerous versus most likely

In military planning, the potential enemy (or threat) and their courses of action are identified by looking at the operating environment, the threat capabilities and the aims and objectives of the adversary. Generally, a “most likely” course of action is developed as well as a “most dangerous” course of action.

Plans are developed with these two scenarios in mind. We plan for the most likely course of action; however, we must be able to identify and be in a position to know what we will do if the enemy enacts what we perceive as the most dangerous course of action. As our plan is executed, we should also have a system of indicators and warnings to identify what plan the enemy is actually executing, so that we can anticipate any deviation from the most likely towards the most dangerous course of action.

In their Red Alert series, the experts assembled by SMH were most likely referring to the most dangerous course of action. However, as I outlined earlier, whether we like it or not, Australia is involved in this geopolitical tussle. Increasingly, the US is routinely basing its military capabilities in Australia, including strategic bombers, and there are more recent reports of US Navy nuclear submarines being rotationally based here ahead of our own AUKUS nuclear-powered boats coming online. This is on top of the routine basing of US Marines in Darwin and the shared surveillance capability of Pine Gap.

In short, even if we take no active part in hostilities, we are already involved. This means it is prudent we consider the potential courses of action to which we could be subjected.

But even before we contemplate “Chinese missile bombardments … pummelling Australia” – the most dangerous course of action as described by SMH – there is still a significant amount of disruptive and coercive effect that could be applied to Australia, and for which we must prepare. That’s the essence of the Sun Tzu quote that inspires the title of this piece: “The supreme art of war is to subdue the enemy without fighting”.

One of our nation’s greatest strengths is our liberal democracy. However, it is also a targetable vulnerability. I have studied warfare for 30 years, and it’s well understood that “generations of warfare” have developed over time, marked by the steady accumulation of new strategies and tactics.

Most recently, as warfare has moved through the fourth generation into what is being described as its fifth generation, it has developed an increased focus on the information and cyber environments. When I studied fourth generation warfare almost 15 years ago, a key feature was the asymmetry of contemporary conflicts (then Iraq and Afghanistan) and how threat forces were seeking to erode political will in Western liberal democracies by reducing popular consent and support for them in the voting public.

This is even more so the case now through increased use of social media, amongst other platforms, to shape the thinking of populations and influence events such as election results or incite violence and disruption. Last week FBI Director Christopher Wray told a Senate Intelligence Committee hearing that the Chinese government could harness TikTok, used by over 100 million US citizens, to control software on millions of devices and drive narratives to divide Americans over Taiwan or other issues. US National Security Agency Director Paul Nakasone also highlighted TikTok’s data collection and potential to facilitate broad influence operations. If significant disruption can be achieved to our daily way of life whilst concurrently using social media and other platforms to cause additional disruptive influence within our populations, the will of our politicians can quickly be eroded, and policies changed.

The role of cyber

How could our day-to-day lives be so significantly disrupted without the forecasted “Chinese missile bombardments”? One of the key answers is the use of cyber effects.

One year into Russia’s invasion of eastern Ukraine, a lot has been made of the surprising lack of effective cyber actions generated by Russia. It would, however, be a mistake to draw too many conclusions from this when attempting to anticipate how China would operate in similar circumstances.

China is different to Russia in the cyber domain in both scale and sophistication. China has a larger number of more technically advanced units and operators working directly for the state. Additionally, Russia has been in conflict with Ukraine since 2014 and as such has already used a number of its cyber capabilities whilst the Ukrainians (now supported by NATO and other allies) have in the same period developed a sophisticated and highly experienced cyber defence capability. Having been attacked almost constantly for over nine years, Ukrainian critical infrastructure has been ‘hardened’ out of necessity as opposed to legislative requirement.

One of the common observations about Russian cyber operations made over the last twelve months is that few have been used in conjunction with other effects. In the military, combining capabilities – such as artillery supporting armoured forces moving with support from tanks and engineers – is referred to as “combined arms” activity. The same concept applies when using cyber effects. Rarely is there merit in using a cyber effect in a ‘stand-alone’ way. It will be more effective when applied in conjunction with other actions – whether those be a military manoeuvre, diplomatic pressure, an information operation, or perhaps even all these concurrently.

In thinking about how China might deploy cyber tactics, the use of “combined arms” activity should certainly be contemplated. To understand how this might play out, consider the early days of the Covid pandemic, and the effects of supply chain disruptions on our way of life. Imagine that instead of not being able to find toilet roll on supermarket shelves there was a national shortage of fuel, specifically diesel, due to a cyber-related disruption to fuel pumping or storage facilities at ports around the country. Imagine if this was further supported by an information campaign focused on harnessing and accelerating public discontent with the government, whilst also applying economic sanctions against targeted elements of international trade. With these cumulative effects, the sitting government’s position could be made significantly uncomfortable, maybe even unpleasant enough to bend or amend policy.

It is also worth considering that cyber actions need not only be focused on the national level but could be targeted to areas where US military capabilities are, or would be, based. Disrupting essential services or supply chains in and around these facilities may disrupt the ability to effectively sustain or operate them – creating negative public opinion in the area. Examples of target areas could be the bases out of which our own or US aircraft and navy platforms operate. Causing disruption or congestion to logistic supply chains whilst a military force is being prepared for deployment (by air or sea) may cause enough delay for an adversary to gain a more advantageous position, to seize and hold the initiative.

Security of critical infrastructure

In the face of the increased threat of regional conflict, we must start to develop our understanding of the threats posed against us to drive national resilience. We are already involved in any regional conflict with China, like it or not, and it will take everything we have to reduce the impact such a conflict may have on our digitally reliant society and daily functions.

These strategic developments and the disruptive tactics of adversaries that I describe above underscore the importance of uplifting the security and resilience of our critical infrastructure sectors. This focus is also reflected in the recent Security of Critical Infrastructure reforms.

The broad intent of these reforms is to encourage us as a nation – and, more pointedly, to require our critical infrastructure sectors – to seek to understand the environment we operate in, identify the threats we face, understand our weaknesses and look to close the gaps whilst concurrently developing strategies to respond when, not if, cyber and other effects are used against us, either by a Nation State or sophisticated criminal group.

Recent rules issued by the Federal Government for critical infrastructure organisations to implement a Risk Management Program provide a clear direction and meaningful structure for how these can be achieved. If you would like to explore how we can support your organisation to develop a risk management program or seek to better understand the strategic threat environment, please contact us at hello@elevenm.com.au