ASPI has released a new report into Australia’s offensive cyber capabilities, looking to dispel some of the myths around what this warfighting domain looks like.
“Australia has been among the most transparent countries in the world when it comes to discussing our offensive cyber capability, but this hasn’t been without challenges. In some cases, these communications have created confusion and misperceptions,” wrote the report’s authors Fergus Hanson and Tom Uren.
“There’s also disconnect between popular perceptions, typified by phrases like ‘cyber Pearl Harbor’, and the reality of offensive cyber operations, and reporting has at times misrepresented how these tools will be used.”
The authors argue there is a need for improved communications, use of innovative staff recruitment and retention strategies, deepened industry engagement and a review of classification levels in some areas.
It calls on the government to consider increasing its investment in Australia’s offensive capability to create an asymmetric capability. The report clarifies the nature of Australia’s offensive cyber capability and provides a series of recommendations to address emerging policy challenges.
The report also looks at the organisational arrangements for use of the capability as well as command and approvals processes. It examines the checks and balances in place as well as the risks associated with the use of offensive cyber capabilities.
While oversight arrangements may be sufficient for now, it suggests updating the existing policy and legislative framework that governs the employment of offensive cyber in deployed operations to account for future battlefield scenarios.
According to the ASPI report, the government has been remarkably transparent in declaring the existence of its offensive cyber capability and its applications; to respond to serious cyberattacks, to support military operations, and to counter offshore cybercriminals. It has also established robust structures to ensure its compliance with international law.
Three additional disclosures about Australia’s offensive cyber capability have followed the Prime Minister’s initial April 2016 announcement. In November 2016, he announced that the capability was being used to target Islamic State, and on 30 June 2017 Australia became the first country to openly admit that its cyber offensive capabilities would be directed at ‘organised offshore cyber criminals’.
The same day, the then Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, announced the formation of an Information Warfare Division within the ADF. Defence is moving relatively quickly on affirming cyber as a warfighting domain in and of itself.
While these disclosures have raised awareness of Australia’s offensive cyber capability, the limited accompanying detail has meant that the ensuing public debate has often been inaccurate or misleading.
One major news site, for example, led a report with the title ‘Australia launches new military information unit to target criminal hackers’. Using the ADF to target criminals would have been a radical departure from established protocols.