Policy 2020 Data Governance
Source
Cyber Security Policy

Australia

Tags: Cyber security, Data, Data Protection, Data privacy, Electronic communication

Definition of Data

n/a

Main Focus of Document

Notes Australia's offensive cyber capabilities and seeks to outline measures to curtail cyber security risks.

Target Beneficiaries or Sector

Australians, families and businesses

Key Elements

Acknowledges cyber security risks and discusses plans to curtail them by providing information about the various operations against declared attacks. The strategy also clarifies misconceptions arising from sensationalist reporting on Australia's cyber security issues.

Offensive cyber operations are relatively new and developing in a fast-moving environment. Below are issues and recommendations stemming from research underpinning the policy.
RECOMMENDATION 1: The limited detail and mixed reporting of the announcement that Australia would use offensive cyber capability against offshore cybercriminals inadvertently sent the message that it was acceptable for states to launch cyberattacks against people overseas whom they considered to be criminals. This might encourage some states to use crime as a pretext to launch cyber operations against individuals in Australia. To address this, the Australian Government should be careful when publicly discussing the offensive capability, particularly to distinguish the military and law enforcement roles. One option to do this would be to have the Attorney-General, the Minister for Justice or the new Home Affairs Minister discuss operations related to law enforcement aspects of the capability and to have the Minister for Defence discuss those related to military capabilities.
RECOMMENDATION 2: Recruiting and retaining Australia’s top technical talent is a major hurdle. In the medium term, ASD will have to continue to invest heavily in training, raise salaries (ASD becoming a statutory authority will help it address this) and develop an alumni network and culture that allow former staff to return in new roles after a stint in private industry. A pool of alumni working as cleared reservists could also be used as an additional workforce without the significant investment required in conducting entirely new clearances. 
RECOMMENDATION 3: ASD capability being deployed against cybercriminals is likely to generate increased interest from corporate Australia. There’s a policy question about whether or not Australia’s offensive cyber capability should be used in support of Australian corporate interests.  
RECOMMENDATION 4: It has long been argued that overclassification of material, such as threat intelligence, by governments prevents easy information exchange with the outside world, including key partners such as industry. The government has recognised this and is positioning ‘Australian Cyber Security Centre (ACSC) 2.0’ to facilitate a more cooperative and informed relationship with the private sector. Similarly, the government should continue to scope the potential benefits from lowering the classification of information associated with offensive cyber operations. In particular, there are benefits in operating at the SECRET level for workforce generation and training, and providing a ‘halfway house’ to usefully employ incoming staff as they wait during vetting procedures. More broadly, excessive classification slows potentially valuable two-way information exchange with the information security community. 
RECOMMENDATION 5: The 2016 Defence White Paper noted that ‘enhancements in intelligence, space and cyber security will require around 900 ADF positions’. Those positions were part of the $400 million in spending announced in the White Paper and will be spread across the ADF. While this is significant, given the limits of what can be achieved with current spending on conventional kit, the Australian Government should consider conducting a cost–benefit analysis on the relative value of substantial further spending on cyber security to provide it with an asymmetric capability against future adversaries. This would need to include a considerable investment in training. 
RECOMMENDATION 6: There appears to be sufficient legislation, policy and oversight to ensure that ASD and the ADF work together in a lawful, collaborative and cooperative manner to support military operations. The 2017 Independent Intelligence Review noted that ASD’s support to military operations is indispensable, and will remain so. While those oversight arrangements may be sufficient for now, the ADF will inevitably need to incorporate offensive cyber on the battlefield as a way to create local effects, including force protection measures and to deliver effects currently generated by electronic warfare (such as jamming communications technology). It should not always be necessary to reach back to the national authorities for clear-cut and time critical battlefield decisions. There appears to be scope to update the existing policy and legislative framework that governs the employment of offensive cyber in deployed operations to support those kinds of activities.

Policy/Regulation Mirrors

n/a