Australia needs to talk more openly about offensive cyber operations
8 Dec 2023

Australia’s 2023 cybersecurity strategy makes clear that most of the things we need to do to protect ourselves in cyberspace are essentially defensive. The strategy is usefully organised according to six ‘shields’.

But sometimes we also need a sword. Offensive cyber is the pointy end of cybersecurity. It can be understood expansively as encompassing all the threats that defensive cyber is, in the strategy’s terms, trying to ‘block’. ASPI’s cyber, technology and security program defines offensive cyber as operations that ‘manipulate, deny, disrupt, degrade or destroy targeted computers, information systems or networks’. Offensive cyber is usually—but contestably—distinguished from operations whose main goal is to collect intelligence.

Offensive cyber is fraught with risk. The long list of unintended potential consequences includes spillovers, blowback and escalation. One of the earliest and most successful offensive cyber operations was the US–Israeli attack on Iran’s nuclear program. The Stuxnet virus destroyed Iranian centrifuges but probably went on to infect more than 100,000 computers around the world before it was stopped. The attack also accelerated the development—and destructive use—of Iran’s offensive cyber capabilities.

Liberal democracies are much more interested than states like Iran in preventing cyberspace from becoming a battlespace and, more broadly, in maintaining the integrity of the global information environment. The decisions they make about when and how to engage in offensive cyber operations involve fundamental questions about international order and the future of the digital information revolution. They demand extremely complex assessments of cause and effect.

Leading Western cyber powers are developing more sophisticated doctrines and concepts to guide these decisions. After Stuxnet, President Barack Obama’s administration put the United States Cyber Command on a tight leash. That was reversed by Donald Trump, who promulgated a defend-forward doctrine. Joe Biden’s administration has embraced that approach: USCYBERCOM’s more assertive posture probably blunted the Russian cyber offensive that accompanied the invasion of Ukraine. The UK is developing its own concept of responsible cyber operations accompanied by a doctrine of cognitive effects.

This work is unfinished. The issues are complex and consequential. Compelling arguments have been made that there’s no meaningful distinction between offensive and defensive cyber operations or even between information and cyber operations. Importantly, much of this discussion and debate is taking place in public.

Offensive cyber operations are usually undertaken covertly. But that’s precisely why democratic governments need to be clear with their citizens about how decisions to undertake them are made. Debating these matters publicly also allows for better consideration of the big issues involved, especially because a wider range of experts can be engaged.

Australia shouldn’t be a bystander to these debates. The Australian Signals Directorate’s REDSPICE project, announced by the previous government, includes a tripling of Australia’s offensive cyber capability. The new cybersecurity strategy promises to ‘build world-class innovative offensive cyber capabilities that can deliver real world impact to deter, disrupt, degrade and deny cybercrime’. The strategy commits an additional $587 million from 2023 to 2030 for cybersecurity. That’s in addition to the $10 billion that REDSPICE will add to ASD’s budget over 10 years.

So, what is Australia’s concept of offensive cyber? Despite promising to make Australia a ‘world leader’ in cybersecurity, the strategy sheds little light. It commits to ‘transparency about the rights and obligations that govern’ the use of offensive cyber capabilities but doesn’t say much more than that Australia will comply with existing laws and help develop new ones. The best sources are the speeches of ASD’s directors-general. Since Prime Minister Malcolm Turnbull first revealed Australia’s offensive cyber capability in 2016, these speeches have incrementally disclosed more about what ASD does and why.

Australia frequently reiterates that its use of offensive cyber complies with international and domestic law. Notably, ASD’s current director-general, Rachel Noble, has emphasised that Australia defines offensive cyber operations conducted by other countries against Australia as criminal activity to which Australia may respond in kind. But international norms are unclear, are contested and lag rapid technological change. Saying that Australia complies with them therefore doesn’t reveal much about when and how it uses offensive cyber capabilities.

Following the release of ASD’s November 2023 threat report, Defence Minister Richard Marles was asked whether Australia was ‘striking back’ at cyber attackers. He responded only that, ‘We have a full range of capabilities in the Australian Signals Directorate and we’re making sure that we are as capable as we can be.’ He could have provided a much more useful and informative answer if Australia had, as the US and UK have done, developed a public offensive cyber doctrine. Australians should be told more.

The government’s public discussion of its approach to offensive cyber still falls well short of that of its Five Eyes partners. The charge that Australia has put ‘capability before concept’ in its decision to acquire nuclear-powered submarines can be more accurately applied to its approach to offensive cyber. But fixing this doesn’t require Australia to reinvent the wheel. It can and should build on intellectual work already undertaken by its Five Eyes partners.

Australia will be compelled by an increasingly complex and contested world to compete more in the grey zone. Decision-makers will face tough choices. A stronger and more public offensive cyber doctrine would keep them tethered to Australia’s values and interests as they make those decisions.