Story image

ASPI demystifies Australia's 'offensive cyber' capabilities

10 Apr 18

What does Australia’s offensive cyber capabilities actually involve? It seems that many people may have the wrong idea, particularly after some labelled it ‘cyber Pearl Harbor’.

The Australian Strategic Policy Institute has drawn attention to some of the misunderstandings this week and aimed to clear the situation up in its Policy Brief: Australia’s Offensive Cyber Capability report this week.

According to the report, authored by head of the International cyber Policy Centre Fergus Hanson and visiting cybersecurity fellow Tom Uren, the government has used its offensive cyber capabilities to target Islamic State, and against ‘organised offshore cyber criminals’.

The report says that Australia has been ‘remarkably transparent’ about its cyber capabilities against cyber attacks, offshore cybercriminals, and to support military operations.

Who controls Australia’s offensive cyber capabilities?

The Australian Signals Directorate (ASD) controls the country’s offensive cyber capabilities, however military and law enforcement have different chains of command and approval processes.

“The Australian Government’s offensive cyber capability sits within ASD and works closely with each of the three services, which embed staff assigned to ASD from the Australian Defence Force’s Joint Cyber Unit. Offensive cyber in support of military operations is a civil–military partnership. The workforce to conduct offensive cyber operations resides within ASD and is largely civilian.”

Within law enforcement, Australia’s offensive cyber capabilities are used against offshore cybercriminals who specifically conduct cybercrimes that affect Australia – however public messaging led people to believe that the government would also use the capabilities to deter all cybercriminals – potentially attacking any offshore criminal networks.

These, the report says, are not the same.

”Decisions on which cybercriminal networks to target follow a similar process to those for military operations, including that particularly sensitive operations could require additional approvals, although the exact processes haven’t been disclosed. Again, these operations would have to comply with domestic law and be consistent with Australia’s obligations under international law.”

Compliance with international law

Australia must also comply with international law when using its offensive cyber capabilities.

“The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law.”

While not clearly written into law, the report says that those who use offensive capabilities follow four core principles:

1. Necessity: ensuring the operation is necessary to accomplish a legitimate military / law enforcement purpose.

2. Specificity: ensuring the operation is not indiscriminate in who and what it targets.

3. Proportionality: ensuring the operation is proportionate to the advantage gained.

4. Harm: considering whether an act causes greater harm than is required to achieve the legitimate military objective.

The top five pros and cons of offensive cyber capabilities


  • For military tasks, they can be integrated with ADF operations, adding a new capability and creating a force multiplier.
  • They can engage targets that can’t be reached with conventional capabilities without causing unacceptable collateral damage or overt acknowledgement.
  • They provide global reach.
  • They provide an asymmetric advantage against an adversary for a relatively modest cost.
  • They can be overt or clandestine, depending on the intended effect.


  • Capabilities need to be highly tailored to be effective (such as the Stuxnet worm that targeted Iran’s nuclear centrifuges), meaning that they can be expensive to develop and lack flexibility.
  • When used in isolation, they are unlikely to be decisive.
  • Major, blunt attacks (such as Wannacry or NotPetya) are relatively cheap and easy, but are unusable by responsible state actors such as Australia. Achieving the appropriate specificity and proportionality requires investment of time and effort.
  • The capability requires constant, costly investment as cybersecurity evolves.
  • Government must compete for top-tier talent with private industry.

The report provides seven recommendations. They include more streamlined communications that prevent confusion about the country’s cyber offensive capabilities; better staff recruitment; more industry engagement; declassifying more information; investing in asymmetric cyber spending including training; and updates to existing policies to include offensive cyber.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.