Thinking deeper about Australia’s offensive cyber capability
17 May 2016|

At the launch of Australia’s new Cyber Security Strategy last month, the Prime Minister confirmed what many have been guessing for years: Australia possesses offensive cyber capabilities. The announcement, however, provided us with the barest of information about Australia’s offensive cyber capability, and it remains largely unclear how its potential uses have been conceived by government and the national security community. Given the minimal discussion of Defence’s approach to cyber capability in the 2016 Defence White Paper, it’s unlikely that we’ll see this information disclosed anytime soon.

What we do know is that Australia’s offensive cyber capability provides an additional option for government when responding to serious cyber security incidents. We also know that it resides in the Australian Signals Directorate—its natural home considering the Directorate’s technical expertise—and that it will only be used in accordance with stringent legal oversight and consistent with international law. The PM’s announcement was carefully calibrated to clarify that Australia has a sophisticated capability at its disposal, but will exercise significant restraint in employing it.

Offensive cyber capabilities have utility beyond the responsive role outlined by the PM, but there’s little detail of how that capability has been integrated into Defence’s planning, operations and capability development processes. Its exclusion from the Defence White Paper was a glaring omission, and it’s a shame that Defence and PM&C weren’t able to better align the DWP and the Cyber Security Strategy. Publicly releasing a document that outlines Defence’s thinking on Australia’s cyber capability would grow the sophistication of Australia’s cyber policy.

But what might be included in such a document? Given Australia’s strong defence and intelligence relationship with the US and the UK, Australia should draw significantly on their experience to develop concepts and doctrine for offensive cyber operations, adapting them to our own unique requirements. The US and UK have already produced a healthy public cache on cyber operations, their use as a responsive capability and their potential to support conventional military operations. These documents give us some insight into how Australia may consider the development and use of its own offensive cyber capability.

US policy and doctrine characterises cyber operations as an instrument of power in broader conflict, as well as a response to cyber incidents, and seeks to integrate them seamlessly with conventional military operations. The US National Military Strategy characterises cyber operations primarily as a means to defend the US homeland, and defeat an adversary by projecting power across multiple domains. The Department of Defense’s Cyber Strategy states that ‘DoD must be able to provide integrated cyber capabilities to support military operations and contingency plans.’ It goes on to note specific examples of cyber operations in support of this goal including disrupting an adversary’s command and control networks, military-related critical infrastructure and weapons capabilities. US doctrine on cyberspace operations notes that cyber operations are most effective when integrated with other capabilities. The doctrine holds that commanders should seek to integrate ‘cyberspace fires’ with other capabilities to achieve their desired effects.

Similarly, the UK sees significant value in using offensive cyber capabilities to support military operations, as well as a response option for cyber incidents. The 2015 National Security Strategy and Strategic Defence and Security Review states that the Armed Forces will be provided with, ‘advanced offensive cyber capabilities’ that will be used to ‘enable the success of coalition operations’. Further, the Review states that offensive cyber capabilities will be considered amongst the full spectrum of response options that the UK will develop to deter adversaries and ensure there are consequences for actors that threaten the UK’s security.

The announcement that Australia has an offensive cyber capability, and the manner in which it was announced, indicate a growing sophistication and confidence in thinking on cyber policy issues in the Australian Government. To take advantage of the potential offered by such a capability, Defence needs to make a concerted effort to formulate its thinking on the how, when, where and why it will be used, along with how the capability will be developed and sustained. That should include its broader utility in support of conventional military operations as well as its potential role as a retaliatory option for government. Such moves will patch the hole in the DWP, aid the development of cyber capability within Defence and provide further evidence of Australia’s commitment to developing cyber capability that aligns with Australian and international law.