SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
ASPI demystifies Australia's 'offensive cyber' capabilities
Tue, 10th Apr 2018

What do Australia's offensive cyber capabilities actually involve? It seems that many people may have the wrong idea, particularly after some labelled it a ‘cyber Pearl Harbor’.

The Australian Strategic Policy Institute has drawn attention to some of the misunderstandings and aimed to clear the situation up in its Policy Brief: Australia's Offensive Cyber Capability report this week.

According to the report, authored by head of the International Cyber Policy Centre Fergus Hanson and visiting cybersecurity fellow Tom Uren, the government has used its offensive cyber capabilities to target Islamic State and ‘organised offshore cyber criminals’.

The report says that Australia has been ‘remarkably transparent’ about its cyber capabilities for use against cyber attacks and offshore cybercriminals, and to support military operations.

Who controls Australia's offensive cyber capabilities?

The Australian Signals Directorate (ASD) controls the country's offensive cyber capabilities; however, military and law enforcement have different chains of command and approval processes.

“The Australian Government's offensive cyber capability sits within ASD and works closely with each of the three services, which embed staff assigned to ASD from the Australian Defence Force's Joint Cyber Unit. Offensive cyber in support of military operations is a civil–military partnership. The workforce to conduct offensive cyber operations resides within ASD and is largely civilian.”

Within law enforcement, Australia's offensive cyber capabilities are used against offshore cybercriminals who specifically conduct cybercrimes that affect Australia. However, public messaging led people to believe that the government would also use the capabilities to deter all cybercriminals, potentially attacking any offshore criminal networks.

These, the report says, are not the same.

“Decisions on which cybercriminal networks to target follow a similar process to those for military operations, including that particularly sensitive operations could require additional approvals, although the exact processes haven't been disclosed. Again, these operations would have to comply with domestic law and be consistent with Australia's obligations under international law.”

Compliance with international law

Australia must also comply with international law when using its offensive cyber capabilities.

“The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law.”

The report says that, while they are not clearly written into law, those who use offensive capabilities follow four core principles:

1. Necessity: ensuring the operation is necessary to accomplish a legitimate military / law enforcement purpose.

2. Specificity: ensuring the operation is not indiscriminate in who and what it targets.

3. Proportionality: ensuring the operation is proportionate to the advantage gained.

4. Harm: considering whether an act causes greater harm than is required to achieve the legitimate military objective.

The top five pros and cons of offensive cyber capabilities

Pros:

  • For military tasks, they can be integrated with ADF operations, adding a new capability and creating a force multiplier.
  • They can engage targets that can't be reached with conventional capabilities without causing unacceptable collateral damage or overt acknowledgement.
  • They provide global reach.
  • They provide an asymmetric advantage against an adversary for a relatively modest cost.
  • They can be overt or clandestine, depending on the intended effect.

Cons:

  • Capabilities need to be highly tailored to be effective (such as the Stuxnet worm that targeted Iran's nuclear centrifuges), meaning that they can be expensive to develop and lack flexibility.
  • When used in isolation, they are unlikely to be decisive.
  • Major, blunt attacks (such as WannaCry or NotPetya) are relatively cheap and easy, but are unusable by responsible state actors such as Australia. Achieving the appropriate specificity and proportionality requires investment of time and effort.
  • The capability requires constant, costly investment as cybersecurity evolves.
  • Government must compete for top-tier talent with private industry.

The report provides seven recommendations. They include more streamlined communications that prevent confusion about the country's cyber offensive capabilities; better staff recruitment; more industry engagement; declassifying more information; investing in asymmetric cyber spending including training; and updates to existing policies to include offensive cyber.