Canberra is significantly boosting the cyber capabilities of the Australian Signals Directorate (ASD) – the government agency responsible for signals intelligence, support to military operations, cyber warfare and information security. Project Redspice, announced in March, will increase ASD’s budget by almost $10 billion over 10 years.
Unfortunately, ASD’s 21-page “Blueprint” offers few insights into how the new money will be spent. In essence, we know only that the organisation’s staffing will almost double, its “persistent cyber hunt” activities will expand at the same rate, and its “offensive cyber capability” will grow even faster; tripling over the same period.
Hardly shy of criticising China, the government remains peculiarly leery of identifying Beijing as the source of constant cyber operations against Australia.
Prime Minister Scott Morrison has explained this move as necessary in order to be prepared for war: “the first shot fired in any conflict that Australia might be involved in won't be in a metal casing, it'll be in bits and bytes”. According to Defence Minister Peter Dutton, that was “most recently demonstrated by offensive cyber activity against Ukraine”.
Competition short of war
That’s all true, but the cyber threat is more immediate and it’s coming from China. Hardly shy of criticising China, the government remains peculiarly leery of identifying Beijing as the source of constant cyber operations against Australia. Canberra joined allies to name China as the perpetrator of a Microsoft Exchange hack identified in January 2021, but still generally prefers euphemisms such as “state-based actor” (or allusions like “Redspice”).
Canberra’s focus on a future war is also misleading. China’s aggressive actions in cyberspace are part of a growing competition short of war in what is often, if unhelpfully, described as the grey zone. Australia’s goal in this contest is not simply to win cyber battles – by having superior offensive capabilities – but to prevent cyberspace being transformed into a battlespace.
Australia wants an open and secure global internet in which states behave according to accepted rules. So Canberra must use its growing offensive cyber capability strategically to avoid undermining this greater goal.
Public messaging is an essential part of this strategic approach, not least because the opacity of cyberspace can foster misunderstanding. Clear communication is essential to both deter adversaries and reassure international partners.
There are, of course, limits on what the government can say about the activities its intelligence organisations perform. But in 2016, Australia was among the first countries to reveal its offensive cyber capability. In doing so, then Prime Minister Malcolm Turnbull said this would add “a level of deterrence… [and]… adds to our credibility as we promote norms of good behaviour on the international stage”.
ASD’s leaders have since then slowly added to the picture. They’ve explained that “offensive cyber” (which doesn’t include reconnaissance or espionage) encompasses anything from sabotage of critical infrastructure down to subtle manipulation of data. ASD’s former Director-General Mike Burgess has emphasised that most of the agency’s operations are low key: “our targets may find their communications don’t work at a critical moment – rather than being destroyed completely”. Burgess and his successor Rachel Noble have described ASD’s operations against non-state actors (terrorists and criminals), but not other states.
Still, it’s clear that ASD is legally able to undertake offensive cyber activity against other states in situations short of war. ASD may conduct offensive cyber operations to disrupt criminal activity. Cybercrime is defined broadly enough to include other states’ cyber intrusions. ASD Director-General Rachel Noble last year underscored that “we consider both state actors and serious and organised criminals to be undertaking criminal activity when going after Australian networks”.
Canberra often emphasises that its offensive cyber operations accord with international and domestic law. The bigger question is whether Australia should use its offensive cyber capabilities against other states and, if so, how?
US public discussion of these issues has evolved faster than Australia’s in recent years. When Turnbull revealed Australia’s capability, President Barack Obama was still keeping tight control over US cyber operations. President Donald Trump reversed this approach in 2018, partly because that was his modus operandi and partly because cyber security agencies argued for a new approach.
Advocates argue that America can only counter its adversaries’ continual cyberattacks by operating in their networks.
President Joe Biden appears to have maintained the policy of “defend forward”, articulated in Trump’s 2018 Department of Defense Cyber Strategy. Washington’s current approach to competition in cyberspace is described as “persistent engagement” by Paul Nakasone, the dual-hatted head of the National Security Agency (NSA) and Cyber Command (both of which are ASD’s close American counterparts.)
Still, the US debate about “persistent engagement” continues. Advocates argue that America can only counter its adversaries’ continual cyberattacks by operating in their networks. Opponents maintain that the risks of unintended consequences and escalation are too great. But most of them would acknowledge that those risks are at least mitigated by Washington’s relatively transparent discussion of cyber strategy.
The need for cyber doctrine
Australia’s offensive cyber capability is now growing faster than its public discussion about why these tools are needed and how they should be used. Because Australian cyber competition with China will almost inevitably intensify, so too will the need to publicly air the complex questions of strategy and values that this raises. At minimum, Canberra should say whether ASD has also adopted “persistent engagement”.