Story image

ASPI demystifies Australia's 'offensive cyber' capabilities

10 Apr 18

What does Australia’s offensive cyber capabilities actually involve? It seems that many people may have the wrong idea, particularly after some labelled it ‘cyber Pearl Harbor’.

The Australian Strategic Policy Institute has drawn attention to some of the misunderstandings this week and aimed to clear the situation up in its Policy Brief: Australia’s Offensive Cyber Capability report this week.

According to the report, authored by head of the International cyber Policy Centre Fergus Hanson and visiting cybersecurity fellow Tom Uren, the government has used its offensive cyber capabilities to target Islamic State, and against ‘organised offshore cyber criminals’.

The report says that Australia has been ‘remarkably transparent’ about its cyber capabilities against cyber attacks, offshore cybercriminals, and to support military operations.

Who controls Australia’s offensive cyber capabilities?

The Australian Signals Directorate (ASD) controls the country’s offensive cyber capabilities, however military and law enforcement have different chains of command and approval processes.

“The Australian Government’s offensive cyber capability sits within ASD and works closely with each of the three services, which embed staff assigned to ASD from the Australian Defence Force’s Joint Cyber Unit. Offensive cyber in support of military operations is a civil–military partnership. The workforce to conduct offensive cyber operations resides within ASD and is largely civilian.”

Within law enforcement, Australia’s offensive cyber capabilities are used against offshore cybercriminals who specifically conduct cybercrimes that affect Australia – however public messaging led people to believe that the government would also use the capabilities to deter all cybercriminals – potentially attacking any offshore criminal networks.

These, the report says, are not the same.

”Decisions on which cybercriminal networks to target follow a similar process to those for military operations, including that particularly sensitive operations could require additional approvals, although the exact processes haven’t been disclosed. Again, these operations would have to comply with domestic law and be consistent with Australia’s obligations under international law.”

Compliance with international law

Australia must also comply with international law when using its offensive cyber capabilities.

“The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law.”

While not clearly written into law, the report says that those who use offensive capabilities follow four core principles:

1. Necessity: ensuring the operation is necessary to accomplish a legitimate military / law enforcement purpose.

2. Specificity: ensuring the operation is not indiscriminate in who and what it targets.

3. Proportionality: ensuring the operation is proportionate to the advantage gained.

4. Harm: considering whether an act causes greater harm than is required to achieve the legitimate military objective.

The top five pros and cons of offensive cyber capabilities

Pros:

  • For military tasks, they can be integrated with ADF operations, adding a new capability and creating a force multiplier.
  • They can engage targets that can’t be reached with conventional capabilities without causing unacceptable collateral damage or overt acknowledgement.
  • They provide global reach.
  • They provide an asymmetric advantage against an adversary for a relatively modest cost.
  • They can be overt or clandestine, depending on the intended effect.

Cons:

  • Capabilities need to be highly tailored to be effective (such as the Stuxnet worm that targeted Iran’s nuclear centrifuges), meaning that they can be expensive to develop and lack flexibility.
  • When used in isolation, they are unlikely to be decisive.
  • Major, blunt attacks (such as Wannacry or NotPetya) are relatively cheap and easy, but are unusable by responsible state actors such as Australia. Achieving the appropriate specificity and proportionality requires investment of time and effort.
  • The capability requires constant, costly investment as cybersecurity evolves.
  • Government must compete for top-tier talent with private industry.

The report provides seven recommendations. They include more streamlined communications that prevent confusion about the country’s cyber offensive capabilities; better staff recruitment; more industry engagement; declassifying more information; investing in asymmetric cyber spending including training; and updates to existing policies to include offensive cyber.

JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
WatchGuard appoints new channel distributors in A/NZ
The appointments will enable WatchGuard to expand its regional channel reseller footprint.
Tensions on the rise after Huawei CFO arrest
“Recently our corporate CFO, Meng Wanzhou, was provisionally detained by the Canadian authorities on behalf of the United States of America."
Palo Alto Networks integrates RedLock and VM-Series with AWS Security Hub
AWS Security Hub is designed to provide users with a comprehensive view of their high-priority security alerts and compliance status.