Late last month, the government announced a record $9.9 billion investment package to boost Australia’s national security. Introduced by Treasurer Josh Frydenberg in his budget speech, the investment, named Project REDSPICE (which stands for ‘Resilience, Effects, Defence, Space, Intelligence, Cyber, and Enablers’), aims to build new national cyber and intelligence capabilities and, in particular, increase the offensive capabilities of Australia's electronic spy agency, the Australian Signals Directorate (ASD).  

Project REDSPICE (or simply, ‘REDSPICE’), is not exactly the kind of budget announcement we have come to expect over the years. As Mr Frydenberg himself acknowledged, REDSPICE is a “game-changer” and is Australia’s “biggest ever investment in Australia’s cyber preparedness” to date.

That is not to say of course that REDSPICE was introduced in a vacuum. As Defence Minister Peter Dutton observed on budget night, the package is introduced against the background of “deteriorating strategic circumstances in our region, characterised by rapid military expansion, growing coercive behaviour and increased cyber-attacks”. According to Mr Dutton, REDSPICE also acknowledges that “the nature of conflict has changed, with cyber-attacks now commonly preceding other forms of military intervention” and that those cyber-attacks have most recently been demonstrated “by offensive cyber activity against Ukraine.”

These statements, along with the purported intent behind the REDSPICE investment package, are also consistent with recent measures that have been introduced to protect the critical infrastructure of Australia against the threat of cyber-attacks, in particular, through amendments to the Security of Critical Infrastructure Act 2018 (Cth). We have discussed these reforms and the most recent amendments to Australia’s critical infrastructure laws (See our article - The curtain falls - Final reforms to Australia’s critical infrastructure laws). By building on this momentum, REDSPICE looks to enhance the ASD’s offensive cyber capabilities, its ability to detect and respond to cyber-attacks, and introduce new intelligence capabilities.

However, while the government has clearly stated its intention to build Australia’s cyber capabilities; it may not have been apparent from the budget speech alone as to what REDSPICE will involve specifically. Helpfully, the government has released the ‘REDSPICE Blueprint’, which provides some more specific insights into what REDSPICE will deliver, and a vision of what the ASD will look like in the future. We set out some of the key points from the Blueprint we think you should know about.

Project REDSPICE – the key initiatives

According to the REDSPICE blueprint, REDSPICE will “expand the range and sophistication of our [Australia’s] intelligence, offensive and defensive cyber capabilities, and build on our [Australia’s] already-strong enabling foundations”.

Specifically, the blueprint sets out the following as the key initiatives of the REDSPICE program:

• Investing $9.9 billion over the decade, the largest ever in cyber and intelligence capabilities.
• Workforce growth of 1900 over the decade.
• Growing and delivering asymmetric strike capabilities and offensive cyber for the ADF.
• Enabling next-generation data science and artificial intelligence (AI) capabilities.
• Hardening networks against cyber-attack with sharpened response capability.
• Enhancing intelligence capabilities.
• Improving core ASD resilience by bolstering our national and international footprint.
• Providing opportunities for Australian industry, including cyber, ICT, cloud computing and enabling services.

The 5 broad goals of REDSPICE

With the above initiatives, REDSPICE aims to achieve the following 5 broad goals:

• Scaling cyber effects capabilities.
• Developing new intelligence capabilities.
• Enhancing Australia’s cyber defence.
• Increasing resilience and redundancy.
• Improving foundational technologies.

The following infographic taken from the blueprint gives greater detail as to how the government intends to achieve these goals:

What will REDSPICE mean?

In many ways, it seems fitting that REDSPICE, the “most significant single investment” in the ASD, is announced on the year of its 75th anniversary milestone. Its introduction closely follows the strengthening of Australia’s tools to protect its critical infrastructure, as well as a recent meeting of the Quad Senior Cyber Group (the US, Australia, India and Japan) in Sydney to discuss the strengthening of cybersecurity cooperation and the resilience of the group's critical infrastructure. Taken together, these developments further underscore the government’s recognition of cybersecurity as a key concern for Australia’s national security and cyber resilience.

Australia is also not alone in prioritising the enhancement of national cyber capabilities, with overseas governments also pursuing a similar route in recent times. For example, the UK released its £2.6 billion National Cyber Strategy last December and is currently consulting on proposals for new laws to improve the cyber resilience of organisations that are important to the UK economy. Meanwhile, in addition to signing its own critical infrastructure protections into law last month, the Biden administration also published a fact sheet calling on enterprises to take urgent steps to “harden cyber defenses immediately”.

However, although the REDSPICE blueprint discusses the key initiatives and intended outcomes of the program, there are still some important matters of detail that remain unknown for the time being.

For instance, although REDSPICE intends to triple the ASD’s offensive cyber capabilities and double its persistent cyber-hunt activities, we are mostly left to imagine what these capabilities and activities will look like. We are also not told how and what specific AI, machine learning and cloud technologies the ASD will deploy to achieve this.

While this uncertainty could suggest we cannot speculate what this means for business, and certainly, our everyday lives, we think it is still possible to form some conclusions. For instance, the foundational technologies being advanced will likely be used to set up AI-empowered capabilities, such as the automated prevention and detection of more predictable cyber-attacks, and similarly, automated responses to such incidents. Further, with the lifting of cybersecurity capabilities in the government it is likely that the private sector will also be expected to play a part and follow suit. In this sense, REDSPICE is yet another reminder of the need for businesses operating in Australia to consistently put themselves in the best position to prevent, detect and respond to cyber incidents.

Authors: Edward Zheng, Kevin Stewart and Michael Caplan