Unmasking Australia’s offensive cyber capability

April 11, 2018

In 2016, the Australian government announced that Australia had an offensive cyber capability and was using it against Islamic State. Last June the government announced the creation of an ADF Information Warfare Division responsible for cyber defence and offence. It also announced that this capability will be used by law enforcement agencies to tackle organised offshore cyber criminals.

Today’s launch of ASPI’s policy brief, Australia’s offensive cyber capability, marks another step out of the shadows for our cyber warriors. This groundbreaking report builds on official government statements about this new ADF investment and includes more detail on the strengths and weaknesses of offensive cyber power, the risks involved in its use, authorisations, approval mechanisms, and checks and balances.

The report defines an offensive cyber operation as one intended to manipulate, deny, disrupt, degrade or destroy targeted computers, information systems, or networks. And it explores the types of effects such operations might achieve, such as altering databases, defacing webpages, encrypting or deleting data, or even affecting critical infrastructure.

We’ve seen states conducting these types of cyber operations, with outcomes that range from the devastating to the disappointing.

The devastating state-based attacks that we’ve seen have been very poorly targeted and have caused vast collateral damage. The WannaCry worm in May 2017, attributed to North Korea, spread worldwide and seriously affected many industries, notably the UK’s National Health Service.

Similarly, the Russian NotPetya attack, notionally targeted at Ukrainian companies, caused worldwide damage well in excess of US$1 billion and affected companies as diverse as Merck (US pharmaceuticals), Maersk (Danish shipping), FedEx (US logistics), Saint-Gobain (French construction) and Mondelez International (UK chocolate).

US offensive cyber efforts against Islamic State, however, reportedly received mixed assessments. Former Secretary of Defense Ash Carter ‘was largely disappointed in Cyber Command’s effectiveness against ISIS’.

Perhaps the first example of a state offensive operation was the Stuxnet worm that disrupted Iran’s nuclear weapons program by destroying industrial centrifuges used to enrich uranium fuel. This was a tightly focussed attack, designed to affect specific Iranian centrifuges and avoid other collateral damage.

Stuxnet probably delayed but didn’t halt Iran’s nuclear program, although assessing the operation’s success is difficult as we don’t know the attacker’s ultimate goals. The operation was less decisive than a destructive physical attack could have been, yet provided a clandestine capability that could be used when a kinetic attack was politically or practically impossible.

Although the technical capability for offensive cyber operations resides within the Australian Signals Directorate (ASD), operations in support of military operations will be joint civil–military partnerships, with operational plans constructed by the ADF and governed by ADF rules of engagement. Operations in support of law enforcement will have a separate approval and command process and won’t involve the ADF, although the details of these processes haven’t been disclosed.

The legal principles considered when designing and approving offensive operations are necessity, specificity, proportionality and limiting unnecessary harm. ASD’s legal authority and oversight mechanisms are also spelt out, and one of the policy brief’s recommendations is that thought be given to updating the policy and legislative framework as cyber capabilities develop.

The brief also describes the strengths and weaknesses of cyber operations from an ADF point of view. Among the advantages, integration with traditional ADF operations could well be a force multiplier and an asymmetric approach that provides new capability. Offensive operations provide global reach, and they can be either overt or clandestine.

On the negative side, offensive cyber operations are unlikely to be decisive on their own, need to be highly tailored so as not to cause indiscriminate damage, and will require constant effort as the cybersecurity landscape evolves. Crucially, unlike conventional capabilities, cyber capability cannot be demonstrated for the purpose of deterrence because revealing a specific capability allows effective defences to be developed.

The report concludes with a number of recommendations. Some recognise the challenge of attracting and retaining talented staff and suggest innovative recruitment and retention strategies, use of security-cleared reservists and deepened industry engagement.

Chief among the recommendations is that leaders carefully structure public statements about cyber capability to reassure regional states and encourage responsible behaviour. The government’s statements in June 2017 are a case in point.

Statements about the creation of the ADF’s Information Warfare Division and reports about action against offshore cyber criminals on the same day were conflated in the media in ways that suggested that Australian military forces were going to target cyber criminals. That confusion could have encouraged militaries in the region to launch cyberattacks against individuals in Australia whom they consider cyber criminals.

In the relatively new field of military cyber operations, such missteps are bound to happen. With this policy brief we aim to promote greater transparency and a better understanding of this complex topic.

This post was published by The Strategist.