{"id":84050,"date":"2023-12-08T06:00:20","date_gmt":"2023-12-07T19:00:20","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=84050"},"modified":"2023-12-07T15:20:32","modified_gmt":"2023-12-07T04:20:32","slug":"australia-needs-to-talk-more-openly-about-offensive-cyber-operations","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/","title":{"rendered":"Australia needs to talk more openly about offensive cyber operations"},"content":{"rendered":"<figure><img loading=\"lazy\" decoding=\"async\" width=\"658\" height=\"400\" class=\"alignnone size-full wp-image-84052\" src=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/12\/ASD-building.jpeg\" srcset=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/12\/ASD-building.jpeg 658w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/12\/ASD-building-205x125.jpeg 205w\" sizes=\"(max-width: 658px) 100vw, 658px\" \/><\/figure>\n<p>Australia\u2019s <a href=\"https:\/\/www.homeaffairs.gov.au\/cyber-security-subsite\/files\/2023-cyber-security-strategy.pdf\" target=\"_blank\" rel=\"noopener\">2023 cybersecurity strategy<\/a> makes clear that most of the things we need to do to protect ourselves in cyberspace are essentially defensive. The strategy is usefully organised according to six \u2018shields\u2019.<\/p>\n<p>But sometimes we also need a sword. Offensive cyber is the pointy end of cybersecurity. It can be understood expansively as encompassing all the threats that defensive cyber is, in the strategy\u2019s terms, trying to \u2018block\u2019. ASPI\u2019s cyber, technology and security program <a href=\"https:\/\/www.aspistrategist.ru\/report\/defining-offensive-cyber-capabilities\" target=\"_blank\" rel=\"noopener\">defines<\/a> offensive cyber as operations that \u2018manipulate, deny, disrupt, degrade or destroy targeted computers, information systems or networks\u2019. Offensive cyber is usually\u2014but contestably\u2014distinguished from operations whose main goal is to collect intelligence.<\/p>\n<p>Offensive cyber is fraught with risk. The long list of unintended potential consequences includes spillovers, blowback and escalation. One of the earliest and most successful offensive cyber operations was the US\u2013Israeli attack on Iran\u2019s nuclear program. The Stuxnet virus destroyed Iranian centrifuges but probably went on to infect <a href=\"https:\/\/www.tandfonline.com\/doi\/abs\/10.1080\/09636412.2017.1306396?journalCode=fsst20\" target=\"_blank\" rel=\"noopener\">more than 100,000 computers<\/a> around the world before it was stopped. The attack also accelerated the development\u2014and <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/shamoon-destructive-threat-re-emerges-new-sting-its-tail\" target=\"_blank\" rel=\"noopener\">destructive use<\/a>\u2014of Iran\u2019s offensive cyber capabilities.<\/p>\n<p>Liberal democracies are much more interested than states like Iran in preventing cyberspace from becoming a battlespace and, more broadly, in maintaining the integrity of the global information environment. The decisions they make about when and how to engage in offensive cyber operations involve fundamental questions about international order and the future of the digital information revolution. They demand extremely complex assessments of cause and effect.<\/p>\n<p>Leading Western cyber powers are developing more sophisticated doctrines and concepts to guide these decisions. After Stuxnet, President Barack Obama\u2019s administration put the United States Cyber Command on a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Presidential_Policy_Directive_20\" target=\"_blank\" rel=\"noopener\">tight leash<\/a>. That was <a href=\"https:\/\/media.defense.gov\/2018\/Sep\/18\/2002041658\/-1\/-1\/1\/CYBER_STRATEGY_SUMMARY_FINAL.PDF\" target=\"_blank\" rel=\"noopener\">reversed<\/a> by Donald Trump, who promulgated a <a href=\"https:\/\/www.lawfaremedia.org\/article\/operationalizing-defend-forward-how-concept-works-change-adversary-behavior\" target=\"_blank\" rel=\"noopener\">defend-forward<\/a> doctrine. Joe Biden\u2019s administration has embraced that approach: USCYBERCOM\u2019s more <a href=\"https:\/\/www.cybercom.mil\/Media\/News\/Article\/3229136\/before-the-invasion-hunt-forward-operations-in-ukraine\/#:~:text=Late%20last%20year%20with%20the,cyber%20activity%20on%20Ukrainian%20networks.\" target=\"_blank\" rel=\"noopener\">assertive posture<\/a> probably <a href=\"https:\/\/www.foreignaffairs.com\/articles\/ukraine\/2022-04-06\/myth-missing-cyberwar\" target=\"_blank\" rel=\"noopener\">blunted the Russian cyber offensive<\/a> that accompanied the invasion of Ukraine. The UK is developing its own concept of <a href=\"https:\/\/www.gov.uk\/government\/publications\/responsible-cyber-power-in-practice\/responsible-cyber-power-in-practice-html\" target=\"_blank\" rel=\"noopener\">responsible cyber operations<\/a> accompanied by a <a href=\"https:\/\/www.gchq.gov.uk\/news\/ncf-responsible-cyber-power-in-practice\" target=\"_blank\" rel=\"noopener\">doctrine of cognitive effects<\/a>.<\/p>\n<p>This work is unfinished. The issues are <a href=\"https:\/\/www.stiftung-nv.de\/en\/publication\/active-cyber-defense-toward-operational-norms\" target=\"_blank\" rel=\"noopener\">complex and consequential<\/a>. Compelling arguments have been made that there\u2019s no meaningful distinction between <a href=\"https:\/\/www.lowyinstitute.org\/the-interpreter\/binary-error-how-why-governments-need-cyber-security-rethink\" target=\"_blank\" rel=\"noopener\">offensive and defensive cyber operations<\/a> or even between information and cyber operations. Importantly, much of this discussion and debate is taking place in <a href=\"https:\/\/www.foreignaffairs.com\/articles\/united-states\/2020-08-25\/cybersecurity\" target=\"_blank\" rel=\"noopener\">public<\/a>.<\/p>\n<p>Offensive cyber operations are usually undertaken covertly. But that\u2019s precisely why democratic governments need to be clear with their citizens about how decisions to undertake them are made. Debating these matters publicly also allows for better consideration of the big issues involved, especially because a wider range experts can be engaged.<\/p>\n<p>Australia shouldn\u2019t be a bystander to these debates. The Australian Signals Directorate\u2019s <a href=\"https:\/\/www.asd.gov.au\/about\/what-we-do\/redspice\" target=\"_blank\" rel=\"noopener\">REDSPICE<\/a> project, announced by the previous government, includes a tripling of Australia\u2019s offensive cyber capability. The new cybersecurity strategy promises to \u2018build world-class innovative offensive cyber capabilities that can deliver real world impact to deter, disrupt, degrade and deny cybercrime\u2019. The strategy commits an additional <a href=\"https:\/\/www.afr.com\/politics\/federal\/government-hits-back-at-cybercriminals-with-600m-boost-20231121-p5eljq\" target=\"_blank\" rel=\"noopener\">$587 million<\/a> from 2023 to 2030 for cybersecurity. That\u2019s in addition to the $10 billion that REDSPICE will add to ASD\u2019s budget over 10 years.<\/p>\n<p>So, what is Australia\u2019s concept of offensive cyber? Despite promising to make Australia a \u2018world leader\u2019 in cybersecurity, the strategy sheds little light. It commits to \u2018transparency about the rights and obligations that govern\u2019 the use of offensive cyber capabilities but doesn\u2019t say much more than that Australia will comply with existing laws and help develop new ones. The best sources are the speeches of ASD\u2019s directors-general. Since Prime Minister Malcolm Turnbull first <a href=\"https:\/\/pmtranscripts.pmc.gov.au\/release\/transcript-40308\" target=\"_blank\" rel=\"noopener\">revealed<\/a> Australia\u2019s offensive cyber capability in 2016, these speeches have incrementally disclosed more about what ASD does and why.<\/p>\n<p>Australia frequently reiterates that its use of offensive cyber complies with international and domestic law. Notably, ASD\u2019s current director-general, Rachel Noble, has <a href=\"https:\/\/www.asd.gov.au\/news-events-speeches\/speeches\/director-general-asd-speech-national-press-club\" target=\"_blank\" rel=\"noopener\">emphasised<\/a> that Australia defines offensive cyber operations conducted by other countries against Australia as criminal activity to which Australia may respond in kind. But international norms are unclear, are contested and lag rapid technological change. Saying that Australia complies with them therefore doesn\u2019t reveal much about when and how it uses offensive cyber capabilities.<\/p>\n<p>Following the release of ASD\u2019s November 2023 threat report, Defence Minister Richard Marles was asked whether Australia was \u2018striking back\u2019 at cyber attackers. He <a href=\"https:\/\/www.minister.defence.gov.au\/transcripts\/2023-11-15\/radio-interview-abc-am\" target=\"_blank\" rel=\"noopener\">responded<\/a> only that, \u2018We have a full range of capabilities in the Australian Signals Directorate and we\u2019re making sure that we are as capable as we can be.\u2019 He could have provided a much more useful and informative answer if Australia had, as the US and UK have done, developed a public offensive cyber doctrine. Australians should be told more.<\/p>\n<p>The government\u2019s public discussion of its approach to offensive cyber still falls well short of those of its Five Eyes partners. The charge that Australia has put \u2018<a href=\"https:\/\/www.duckofminerva.com\/2021\/09\/vulgar-balancing-is-bad-statecraft.html\" target=\"_blank\" rel=\"noopener\">capability before concept\u2019<\/a> in its decision to acquire nuclear-powered submarines can be more accurately applied to its approach to offensive cyber. But fixing this doesn\u2019t require Australia to reinvent the wheel. It can and should build on intellectual work already undertaken by its Five Eyes partners.<\/p>\n<p>Australia will be compelled by an increasingly complex and contested world to compete more in the grey zone. Decision-makers will face <a href=\"https:\/\/www.lowyinstitute.org\/publications\/sharper-choices-how-australia-can-make-better-national-security-decisions\" target=\"_blank\" rel=\"noopener\">tough choices<\/a>. A stronger and more public offensive cyber doctrine would keep them tethered to Australia\u2019s values and interests as they make those decisions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Australia\u2019s 2023 cybersecurity strategy makes clear that most of the things we need to do to protect ourselves in cyberspace are essentially defensive. The strategy is usefully organised according to six \u2018shields\u2019. But sometimes we &#8230;<\/p>\n","protected":false},"author":1435,"featured_media":84052,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[416,391,2138],"class_list":["post-84050","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-australian-government","tag-cyber","tag-cybersecurity"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Australia needs to talk more openly about offensive cyber operations | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Australia needs to talk more openly about offensive cyber operations | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Australia\u2019s 2023 cybersecurity strategy makes clear that most of the things we need to do to protect ourselves in cyberspace are essentially defensive. The strategy is usefully organised according to six \u2018shields\u2019. But sometimes we ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-07T19:00:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-12-07T04:20:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/12\/ASD-building.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"658\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ben Scott\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ben Scott\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI&#039;s analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/12\/ASD-building.jpeg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/12\/ASD-building.jpeg\",\"width\":658,\"height\":400},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/\",\"name\":\"Australia needs to talk more openly about offensive cyber operations | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/#primaryimage\"},\"datePublished\":\"2023-12-07T19:00:20+00:00\",\"dateModified\":\"2023-12-07T04:20:32+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/030bdd7f4959b13c7a1e757262643b54\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Australia needs to talk more openly about offensive cyber operations\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/030bdd7f4959b13c7a1e757262643b54\",\"name\":\"Ben Scott\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f73f8a5d2b079e67e446fedccc7090ce?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f73f8a5d2b079e67e446fedccc7090ce?s=96&d=mm&r=g\",\"caption\":\"Ben Scott\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/ben-scott\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Australia needs to talk more openly about offensive cyber operations | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/","og_locale":"en_US","og_type":"article","og_title":"Australia needs to talk more openly about offensive cyber operations | The Strategist","og_description":"Australia\u2019s 2023 cybersecurity strategy makes clear that most of the things we need to do to protect ourselves in cyberspace are essentially defensive. The strategy is usefully organised according to six \u2018shields\u2019. But sometimes we ...","og_url":"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2023-12-07T19:00:20+00:00","article_modified_time":"2023-12-07T04:20:32+00:00","og_image":[{"width":658,"height":400,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/12\/ASD-building.jpeg","type":"image\/jpeg"}],"author":"Ben Scott","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Ben Scott","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI&#039;s analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/12\/ASD-building.jpeg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2023\/12\/ASD-building.jpeg","width":658,"height":400},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/","url":"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/","name":"Australia needs to talk more openly about offensive cyber operations | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/#primaryimage"},"datePublished":"2023-12-07T19:00:20+00:00","dateModified":"2023-12-07T04:20:32+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/030bdd7f4959b13c7a1e757262643b54"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/australia-needs-to-talk-more-openly-about-offensive-cyber-operations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Australia needs to talk more openly about offensive cyber operations"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/030bdd7f4959b13c7a1e757262643b54","name":"Ben Scott","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f73f8a5d2b079e67e446fedccc7090ce?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f73f8a5d2b079e67e446fedccc7090ce?s=96&d=mm&r=g","caption":"Ben Scott"},"url":"https:\/\/www.aspistrategist.ru\/author\/ben-scott\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/84050"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/1435"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=84050"}],"version-history":[{"count":6,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/84050\/revisions"}],"predecessor-version":[{"id":84057,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/84050\/revisions\/84057"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/84052"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=84050"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=84050"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=84050"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}