Cyberattacks: "By the time we realize who it is, it's too late!"

It was just a year ago when a cyberattack kept the Austrian foreign ministry on tenterhooks. The military now wants to be better prepared for these kinds of attacks and is turning to JKU expertise.

Prof. Stadlmeier teaching at the military academy.
Prof. Stadlmeier teaching at the military academy.

Prof. Sigmar Stadlmeier, head of the JKU Institute of International Law, Aviation Law and International Relations and a renowned author in the field of cyber warfare, is a part of a team developing a new UAS course at the Theresian Military Academy focusing on information and communication technology (ICT) in military command and control.

What is your part in developing the program?
Sigmar Stadlmeier: A program like this has to be accredited in adherence to requirements as outlined by the Accreditation Ordinance for the Universities of Applied Sciences Act. As I am familiar with this area through my publications about cyber warfare and occasional presentations at the military academy, I was asked to take part. I structured the legal subject areas in the curriculum together with the Military Academy’s legal advisor.

In the future, how will the war play out, or rather, when it comes to future conflicts, how important will cyber warfare be?
Sigmar Stadlmeier: Over the past decade and in addition to kinetic means, cyberattacks have been used in armed conflicts to obstruct or cripple web-based services. For example, we saw this during Georgian conflict in 2008. Critical infrastructure (water, heat, the energy supply, telecommunications, financial services, blue-light organizations, etc.) becomes an obvious target in particular as it massively impacts daily life. The damage is great and this kind of attack garners great attention. This type of infrastructure is digitally vulnerable, making it a target for cyberattacks. Modern conflicts are mostly asymmetric conflicts involving non-state players; however, in turn, they can easily procure hardware and software and with little to no risk because -- unlike war materials -- these are not subject to any controlling regime.

Why should a small country like Austria invest in this area when the army is apparently underfunded anyway?
Sigmar Stadlmeier: The defense sector is continually subject to budget cuts so this is exactly why threats have to be prioritized using any still available funds. Moreover, the entire state should be interested and involved in preparing for any potential cyberattackscan range from being a simple crime to organized crime, terrorism, or an attack on the state. Our legal system, justice systems, and our home affairs office face the same challenges as the defense sector.

Is Austria prepared to face a cyberattack?
Sigmar Stadlmeier: Official documents, such as the Austrian Security Strategy, show that the overall challenging nature has been recognized; civilian and military CERTs (Computer Emergency Response Teams) have done a good job in the area of cyberattacks on public institutions (particularly the one on the foreign ministry a year ago). Statistics still show there is room for significant improvement in both the private and business sectors. In recent years and according to a recently published study, the cybercrime detection rate has been around 40%. However, these are all only reactive measures. In addition, we have to apply expertise and human resources in a forward-thinking way. Civilian and military UAS courses - such as those offered in Hagenberg or the one the Theresian Military Academy plans to offer beginning in 2002 and other things - will serve this purpose.

As part of your personal risk assessment, who do you think could attack Austria's infrastructure?
Sigmar Stadlmeier: The question should be who can do it. According to the corresponding materials and literature on the subject, two dozen states are systematically preparing cyber warfare operations and have included them in their military doctrines. Over a hundred states (and that is already the majority when considering there are 195 states on this planet!) have developed selective capabilities. Since the cyberattack in Vienna last November, I don’t often hear the question, "Who would do this to our country?". By the time we have the answer, it would already be too late.