State-sponsored economic cyber-espionage for commercial purposes: Governmental practices in protecting IP-intensive industries

Introduction

This report looks at measures that governments in various parts of the world have taken to defend their economic ‘crown jewels’ and other critical knowledge-intensive industries from cyber threats. It should serve as inspiration for other governments, including from those economies studied in State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to defend against cyber-enabled IP theft. Despite accounting for the bulk of GDP growth, innovation and future employment, such intellectual property (IP)-intensive industries aren’t held to the same levels of protection and security scrutiny as government agencies or providers of critical infrastructure and critical information infrastructure (Figure 1).

Figure 1: Various layers of cybersecurity protection regimes

Source: Developed by the authors.

Since 2022, an increasing number of governments have introduced new policies, legislation, regulations and standards to deal with the threat to their economies from cyber-enabled IP theft. Most prominently, in October 2023, the heads of the major security and intelligence agencies of Australia, Canada, New Zealand, the UK and the US (also known as the ‘Five Eyes’) appeared together in public for the first time, in front of a Silicon Valley audience, and called out China as an ‘unprecedented threat’ to innovation across the world.1 That was followed up in October 2024 with a public campaign called ‘Secure Innovation’.

There is, however, variation in how governments frame their responses. Countries such as the UK and Australia take a national-security approach with policy instruments that seek to monitor the flow of knowledge and innovation to and from specific countries (primarily China). Other countries, such as Malaysia and Finland, take a due-diligence risk approach with a focus on awareness building and providing incentives to organisations to do their due-diligence checks before engaging with foreign entities. Countries such as Japan and Singapore, by contrast, take an economic-security approach in which they focus on engaging and empowering at-risk industries proactively.

This report is the third in a compendium of three. The first report, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, published in 2022, looked at the scale, scope and impact of state-sponsored cyber-espionage campaigns aimed at extracting trade secrets and sensitive business information. The second report, State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft, looks at the extent to which agreed norms effectively constrain states from conducting economic cyber-espionage and also examines the varying levels of vulnerability experienced by selected major emerging economies.

This third report complements those diagnoses by offering policymakers an action perspective based on good practices observed across the world. Various practices and examples have been selected, drawing from a multi-year capacity-building effort that included engagements in Southeast Asia, South Asia and Latin America and consultations with authorities in developed economies such as the US, Australia, Japan, Singapore and the Netherlands. Many of the practices covered in this report were presented at the Track 1 Dialogue on Good Governmental Practices that ASPI hosted during Singapore International Cyber Week 2023.

International guardrails

The issue of economic cyber-espionage2 is inherently international. It’s an issue caused by malicious or negligent behaviour of other states. Accordingly, international law and norms are as critical as domestic responses in countering the threat posed. This section offers a review of the most relevant international initiatives that touch on the governance of cyberspace and the protection of IP.

Through the UN First Committee process, states have introduced a set of voluntary and non-binding norms (Figure 2). That has included the following provisions:

  • States should not knowingly allow their territory to be used for internationally wrongful acts; that is, activities that constitute (serious) breaches of international obligations, inflict serious harm on another state or jeopardise international peace and security.
  • States should not conduct or support cyber activities that damage critical infrastructure or impair the operation of critical infrastructure that provides services to the public.
  • States should offer assistance upon request and respond to requests to mitigate ongoing cyber incidents if those incidents affect the functioning of critical infrastructure.

Figure 2: UN norms of responsible state behaviour in cyberspace


The G20 norm complements the work of the UN First Committee, providing that:

  • States should not engage in cyber-espionage activities for the purpose of providing domestic industry with illegitimately obtained commercially valuable information.

The extent to which states accept that economic cyber-espionage without commercial intent is an acceptable tool of statecraft remains a live debate. In 2017, the authors of the Tallinn Manual 2.0 asserted that although ‘peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so’.3 Other states, however, such as the members of MERCOSUR (the trade bloc comprising Argentina, Brazil, Paraguay, Uruguay and Venezuela [currently suspended]) and China hold the view that ‘[n]o State shall engage in ICT-enabled espionage or damages against other States’.4 Austria recently (2024) added to this debate, arguing that ‘cyber espionage activities, including industrial cyber espionage against corporations, within a state’s territory may also violate that state’s sovereignty.’5

The Budapest Convention on Cybercrime and the new UN Cybercrime Convention don’t address the theft of IP or offer mechanisms to deal with state-sponsored cyber activities.6 Both frameworks merely offer mechanisms for the harmonisation of legal regimes to enable states to collaborate on investigations and prosecutions of cyber-related crimes.

The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), administered by the World Trade Organization (WTO), sets minimum standards for IP protection. Article 39 provides perpetual trade-secret protection, provided that the secret is not ‘generally known or readily accessible’ to the general public, has ‘commercial value because it is a secret’, and the owner has taken reasonable precautions to protect the secret.7 However, TRIPS doesn’t take into account any cyber-related threats to IP protection; nor does it provide dispute-settlement mechanisms to address state-sponsored or state-supported acts of theft.

Finally, there are international agreements that regulate certain technology transfers. For instance, the Wassenaar Arrangement—a voluntary export-control regime established to promote responsible transfers of conventional arms and dual-use technologies and goods—offers a list of technologies that are considered sensitive and ought to be subject to additional layers of review before being approved for export. While it doesn’t address cyber-enabled IP theft, it does regulate the trade in technologies that could facilitate such theft, such as intrusion software and surveillance tools.

However, despite the serious impact of IP theft, there’s a clear gap in current international law and norms that would otherwise offer national governments guardrails for introducing measures that would help states to prevent, deter, detect and recover from economic cyber-espionage. Therefore, the onus for protection presently lies on national governments taking ownership and responsibility within their own borders.

References

  1. Zeba Siddiqui, ‘Five Eyes intelligence chiefs warn on China’s “theft” of intellectual property’, Reuters, 19 October 2023, online.
  2. ‘Economic cyber-espionage’ is the unauthorised collection of commercially valuable assets, through compromises of digital systems and communication channels, by one state against another or by one state against a private entity. ‘Industrial or commercial cyber-espionage’ is the unauthorised collection of commercially valuable assets, through compromises of digital systems and communication channels, by one private entity against another private entity.
  3. Michael N Schmitt, Tallinn manual 2.0 on the international law applicable to cyber operations, 2nd edition, Cambridge University Press, 2017.
  4. On China, see ‘China’s views on the application of the principle of sovereignty in cyberspace’, United Nations, online; on Mercosur, see ‘Decision rejecting the acts of espionage conducted by the United States in the countries of the region’, United Nations, 22 July 2013, online.
  5. Przemysław Roguski, ‘Austria’s progressive stance on cyber operations and international law’, Just Security, 25 June 2024, online.
  6. See, for instance, Brenda I Rowe, ‘Transnational state-sponsored cyber economic espionage: a legal quagmire’, Security Journal, 13 September 2019, 33:63–82.
  7. ‘Article 39 of the Agreement on Trade-Related Aspects of Intellectual Property Rights’, World Trade Organization, online.

State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to defend against cyber-enabled IP theft

Introduction

Strategic competition is deepening existing tensions and mistrust between states and prompts nations to develop capabilities that they consider central to sovereign national power. Technological capabilities sit at the centre of this. It’s therefore not surprising that governments around the world are seeking technological advantage over their competitors and potential adversaries. In this context, safeguarding intellectual property (IP) has become necessary not just because it’s an essential asset for any modern economy—developed or emerging—but because it’s also increasingly underwriting national and regional security.

Today, middle-income countries1 that are seeking to progress in the global value chain are home to vibrant knowledge-intensive sectors. Some of the world’s largest science and technology clusters are located in São Paulo and Bengaluru, for example.2 Other exemplars include the biochemical industry in India, information and communication technology (ICT) firms in Malaysia and petroleum processors in Brazil. In fact, countries such as Brazil, India, Indonesia, Mexico and Vietnam have emerged as increasingly major producers of knowledge and innovation.3

Perhaps reflecting that changing reality, it’s middle-income countries that are confronted by increasing attempts to deprive them of their economic crown jewels. In our report State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, ASPI estimated that the number of state-sponsored cyber incidents affecting private entities in Southeast Asia, South Asia, Latin America and the Middle East increased from 40% in 2014 to nearly 60% in 2020.4 To be clear: economic espionage isn’t new. But it’s the growing scale and intensification of economic cyber-espionage for commercial purposes—and as an integrated tool of statecraft—that is a cause for concern.

The promise of 2015

In September 2015, a bilateral summit between Chinese President Xi Jinping and then US President Barack Obama laid the foundation for an international norm against cyber-enabled theft of IP for commercial gain. The joint communique produced at the end of the summit highlighted that China and the US had reached an understanding not to ‘conduct or knowingly support cyber-enabled theft of IP, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors’. This—critically—recognised a distinction between hacking for commercial purposes and hacking for national-security purposes. Building on that apparent progress, the 2015 G20 Antalya leaders’ communique on ICT-enabled theft of IP established bounds for responsible state behaviour in cyberspace—what was described at the time as a landmark moment.

However, the promise of that seemingly historic moment has not been realised since. Rather than seeing this practice stop, cyber-enabled theft of IP quadrupled between 2015 and 2023. Higher barriers to market access across China, the US and Europe—the result of tit-for-tat behaviour seeking to bolster local technological capabilities, reduce dependence on high-risk vendors, achieve greater strategic autonomy and/or counter unfair advantage—have combined to incentivise irresponsible behaviour by malign states.

China’s and the US’s adherence was always going to be critical to the continued strength and legitimacy of any international norm against cyber-enabled economic espionage. However, bilateral relations between Beijing and Washington devolved in the period after 2015. During the first Trump administration, the US drew a clearer connection between economic and national security. That included explicitly calling out in 2020 China’s theft of American technology, IP and research as a threat to the safety, security and economy of the US. The Trump administration also established the China Initiative, which investigated and prosecuted perceived Chinese spies in American research and industry. While the Biden administration closed the China Initiative, it has continued efforts to protect American IP. That includes through the passing of the Protecting American Intellectual Property Act of 2022, which empowers the US President to sanction entities seen to benefit from or sponsor trade-secret theft.5

For its part, China may never have intended to uphold its commitment to the norm over the long term. China may have endorsed a commitment against economic cyber-espionage as a strategic move to accelerate domestic initiatives, such as rooting out corruption in the People’s Liberation Army and refining Chinese hacking methods to be more sophisticated and less conspicuous.6 Alternatively, the lack of a clearly articulated distinction between hacking for competitive advantage and hacking for national-security purposes under Obama and Xi’s agreement may have contributed to the current situation. In any case, the threat of economic cyber-espionage continues to spiral rapidly, increasingly affecting emerging economies as well.

Emerging economies in the Global South, including members of the G20, have been the most vulnerable to that backsliding. India, Vietnam and Brazil have become important and impactful IP-producers, but their means to protect that innovation have lagged—unfortunately creating an expanded attack surface without the commensurate resilience. Still coming to terms with the scope and nature of the threat, they and other similar governments have so far introduced higher-end requirements and support arrangements for their own systems, and for operators of critical infrastructure and critical information infrastructure. However, most other industries—even when they’re substantial contributors to national GDP, high-value IP holders and the enablers for economic advancement—have been left out.

Building capacity to defend against cyber-enabled theft of IP

This report is a first-ever analytical exercise that examines the vulnerability of emerging economies in the face of economic cyber-espionage. It’s a culmination of two years of research and stakeholder engagement across the Indo-Pacific and Latin America. The focus has been on investigating perspectives on the threat of economic cyber-espionage and the degree to which major emerging economies are prepared to respond. The first of the three reports in the compendium—published in late 2022—examined state practices of cyber-enabled theft of IP. It found that, since 2015, the number of reported cases of economic cyber-espionage had tripled. Further, it found that the scale and severity of incidents had grown proportionally with the use of cyber technology as a tool of statecraft for securing economic and strategic objectives.

This specific report is the second in the compendium of three. It considers Chinese and US perspectives in the first instance—recognising their criticality to the effectiveness of any international norm. It goes on to assess the level of vulnerability across Argentina, Brazil, Colombia, India, Indonesia, Malaysia, Mexico, Peru, the Philippines, Thailand and Vietnam. This is because it’s those economies in South Asia, Southeast Asia and Latin America that are experiencing some of the world’s most rapid knowledge and innovation production. Each country has been assessed and given a risk label indicating its vulnerability based on a diagnostic tool developed by ASPI.

The third of the three reports in the compendium goes beyond analysing the problem. Through a mapping of responses, it identifies and presents a capture of best practice. The purpose is to support vulnerable states in defending their economic ‘crown jewels’—that is, critical knowledge-intensive industries. It offers a capacity-building checklist intended to help policymakers make sense of the cyber-threat landscape and respond to protect private entities from economic cyber-espionage.

References

  1. ‘World Bank country and lending groups’, World Bank, 2024, online.
  2. ‘Science and technology cluster ranking 2023’, World Intellectual Property Organization (WIPO), online.
  3. ‘2023 Global Innovation Index’, WIPO, online.
  4. Gatra Priyandita, Bart Hogeveen, Ben Stevens, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, ASPI, Canberra, 2022, online.
  5. ‘Protecting American Intellectual Property Act of 2022’, US Congress, online.
  6. Jack Goldsmith, ‘US attribution of China’s cyber-theft aids Xi’s centralization and anti-corruption efforts’, Lawfare, 21 June 2016, online.

Exfiltrate, encrypt, extort

The global rise of ransomware and Australia’s policy options

What’s the problem?

As the Covid-19 pandemic has swept across the world, another less visible epidemic has occurred concurrently—a tsunami of cybercrime producing global losses totalling more than US$1 trillion.1

While cybercrime is huge in scale and diverse in form, there’s one type that presents a unique threat to businesses and governments the world over: ransomware.

Some of the most spectacular ransomware attacks have occurred offshore, but Australia hasn’t been immune. Over the past 18 months, major logistics company Toll Holdings Ltd has been hit twice; Nine Entertainment was brought to its knees by an attack that left the company struggling to televise news bulletins and produce newspapers; multiple health and aged-care providers across the country have been hit; and global meat supplies were affected after the Australian and international operations of the world’s largest meat producer, JBS Foods, were brought to a standstill. It’s likely that other organisations have also been hit but have kept it out of the public spotlight.

A current policy vacuum makes Australia an attractive market for these attacks, and ransomware is a problem that will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed. Developing a strategy now is essential. Not only are Australian organisations viewed as lucrative targets due to their often low cybersecurity posture, but they’re also seen as soft targets. The number of attacks will continue to grow unless urgent action is taken to reduce the incentives to target Australian companies and other entities.

What’s the solution?

All governments, civil society groups and businesses—large and small—need to know how to manage and mitigate the risk of ransomware, but organisations can’t deal with the attacks on their own. Given the significant—and increasing—threat ransomware presents to Australia, new policy measures are fundamental to dealing with this challenge. While there’s no doubt ransomware is difficult to tackle using traditional law enforcement methods because the criminal actors involved are usually located offshore, there are domestic policy levers that can be pulled, for example, to support cybersecurity uplift measures across the economy. Such action is essential because the grim reality is that, when it comes to ransomware, prevention is the best response.

This policy report addresses key areas in Australia where new policies and strategies and improved guidance are needed and also where better support for cybersecurity uplift can be achieved.

Our recommendations include arguments for greater clarity about the legality of ransomware payments, increased transparency when attacks do occur, the adoption of a mandatory reporting regime, expanding the official alert system of the Australian Cyber Security Centre (ACSC), focused education programs to improve the public’s and the business community’s understanding and, finally, incentivising cybersecurity uplift measures through tax, procurement and subsidy measures. We also recommend the establishment of a dedicated cross-departmental ransomware taskforce, which would include state and territory representatives, that would share threat intelligence and develop federal-level policy proposals to tackle ransomware nationally.

Introduction: What’s ransomware?

Ransomware is a form of malware designed and deployed by state and non-state cybercriminals who seek out vulnerabilities in the computer systems of organisations, both large and small, locking up, encrypting and extracting data, and rendering computers and their files unusable.2 Attacks are accompanied by a demand for ransom to be paid in return for decrypting and unlocking systems.

Increasingly, ransomware attacks include an extortion element that usually involves threats to leak stolen data publicly or on the dark web if payment isn’t made (known as ‘hack and leak’) to exert pressure on the victim to pay the ransom.

Furthermore, payments can be difficult to trace because they’re generally made using cryptocurrency.3

This also makes it hard—but not impossible (as we saw with the Colonial Pipeline attack)—to investigate and prosecute the criminals responsible for ransomware attacks. Generally, those criminals operate with impunity in extraterritorial jurisdictions (most notably Russian threat actors) where governments protect or tolerate them or don’t have the legal systems, frameworks or capabilities in place to prosecute them.4

Ransomware is a form of cybercrime that’s both scalable and able to be commoditised. It can be bought as a service, generally on the dark web, where ransomware criminals essentially act as ‘guns for hire’. In 2020, a US analysis found buying malware online was ‘incredibly easy’, and that advanced malware tools sell for as little as US$50.5 The analysis also found that ‘almost all premium malware sellers provide buyers with in-depth tutorials and ideas about using their products for technically unskilled buyers.’6

The most common ways ransomware is deployed into a system are via email phishing campaigns, remote access vulnerabilities and software vulnerabilities.7 In the case of phishing, a criminal sends an email containing a malicious file or link that deploys malware when it’s clicked. Phishing campaigns continue to evolve and are becoming increasingly sophisticated and targeted. Remote access vulnerabilities, such as weak username and password combinations, allow criminals access to and control of the computer remotely. Cybercriminals exploit such vulnerabilities via sustained attacks or by obtaining user credentials, which are often purchased on the dark web, enabling the deployment of malware onto a system.8 Finally, cybercriminals leverage security weaknesses in popular software programs to gain control of systems and deploy ransomware.9

It’s important to note that ransomware attacks are entirely foreseeable and almost always defendable.

In the physical world, organisations pay for security alarms, high fences and sensors to protect their property. And the digital world should be no different. Ransomware is simply another crime type and the threat should be viewed as another organisational risk because, behind every ransomware attack, are cybercriminals who have watched their victim’s network, laying the ground for encryption and data theft to hold the victim to ransom.

The domestic landscape

In 2019–20, the ACSC reported an increase in the number of ransomware attacks on Australian organisations, although specific metrics weren’t released.10 According to the ACSC, the top five sectors to report ransomware incidents during that period were health; state and territory governments; education and research; and transport and retail.11 It’s worth noting that the health sector was disproportionately affected, in line with global trends,12 reflecting its attractiveness as a target due to the value of the troves of personal health data stored and, most importantly, the criticality of the services provided. Put simply, a ransom is more likely to be paid if human life is endangered.

It should be noted that transnational cyberattacks are a serious concern for Australians. The recently published results of the 2021 Lowy Institute Poll reported that 98% of the poll’s nationally representative sample viewed ‘cyber attacks from other countries’ as a critical (62%) or important (36%) threat to Australia over the next decade.13 That makes transnational cyberattacks the highest of the 12 threats to Australia’s vital interests that the Lowy Institute asked people about, rating higher than climate change, Covid-19 and other potential epidemics, international terrorism, a severe downturn in the global economy and Australia–China relations.

Figure 1: Threats to Australia’s vital interests

Source: Lowy Institute Poll 2021, online.

Do Australians understand what ransomware is?

In a bid to better gauge the public’s understanding of what ransomware is, what it does and what to do in the event of an attack, the Cyber Security Cooperative Research Centre conducted a nationally representative online survey of 1,000 Australian adults in April 2021 on ‘Understanding ransomware’. The results—though not unexpected—painted an alarming picture of just how little the Australian public understands ransomware.

Twenty-five per cent of respondents said ransomware was the most significant cybersecurity threat to Australian businesses, coming in behind hacking (48%). Seventy-seven per cent said they wouldn’t know what to do if they fell victim to a ransomware attack but, when given a set of options, 56% said they would contact the ACSC. Of the respondents, 42% said they understood how a ransomware attack occurred, and 44% indicated that they knew what happened in a ransomware attack. Respondents believed financial gain was the key aim of an attack (71%), followed by data theft (14%).

While this survey wasn’t exhaustive, it clearly shows that the community, generally, has little understanding of ransomware, illustrating that a more concerted effort to educate Australians about it is required. That effort should be teamed with effective tools and policies to mitigate the risk of falling victim to a ransomware attack.

Major reported ransomware attacks in Australia in 2020 and 2021

Major attacks on Australian targets in 2020 and so far in 2021 included the following:

  • February and May 2020: Toll Holdings
    Employee and commercially sensitive data was stolen in two separate ransomware attacks on Toll Holdings, which is an Australian logistics giant.14 Some of the stolen data was leaked on the dark web.15 It’s understood that Toll didn’t pay either ransom.16 As a result of the attack, the company has undertaken substantial remediation and cybersecurity uplift programs.17
  • May 2020: BlueScope Steel
    A ransomware attack on a US-based system of BlueScope Steel had global ramifications, affecting production at the organisation’s Port Kembla facility in Australia.18 Details of the attack, including whether payment was made, were undisclosed.
  • June 2020 (two attacks): Lion Dairy and Drinks
    Dairy processor and drink manufacturer Lion was forced to shut down production as a result of two separate ransomware attacks, which had significant impacts on its vast domestic supply chain.19 Sensitive data was stolen in the attacks, and the criminals responsible threatened to publish it on the dark web.20 It’s unknown whether a ransom was paid.
  • December 2020: Law in Order
    Law in Order provides document-management services to the legal profession and purports to have ‘iron-clad security’.21 The criminals who attacked it threatened to publish stolen data on the dark web.22 It’s unknown whether a ransom payment was made.
  • March 2021: Nine Entertainment
    In late March, Nine Entertainment’s news and newspaper production were severely damaged by a ransomware attack.23 As a result, news teams were forced to work remotely, and most production had to be done out of Nine’s Melbourne office, which was the least affected. It took weeks for production to return to normal.24 It’s unknown whether the ransom was paid.
  • March 2021: Eastern Health
    Eastern Health, which operates several hospitals in Melbourne, was brought to a halt by a ransomware attack that resulted in multiple surgery cancellations and prevented access to patient medical records, internal emails and IT systems.25 Systems were reportedly damaged for weeks. It’s unknown whether a ransom was paid.
  • April 2021: Uniting Care Qld
    Uniting Care Qld, which operates several hospitals and disability and aged-care facilities across the state, had its access to internal IT systems and patient records severely compromised in a ransomware attack attributed to the REvil group.26 It’s unknown whether a ransom was paid.
  • June 2021: JBS Foods
    JBS Foods, the world’s largest meat supplier, had its global production brought to a standstill by a ransomware attack affecting 47 facilities in Australia.27 The company confirmed that it paid US$11 million to the attackers.28

Ransomware payments and regulating cryptocurrency

Cryptocurrencies are the preferred channel of payment for ransomware attacks because of the assumed untraceability of those payments. However, successful steps are being taken to crack down on cryptocurrency providers via law enforcement and recovery action. In the US, steps have been taken to regulate the use of cryptocurrencies more tightly and to recoup stolen funds; for example, US$2.3 million was recovered after the Colonial Pipeline ransomware attack.29

The US Treasury announced in May 2021 that, under a proposed reporting regime, cryptocurrency transfers of more than $10,000 would have to be reported to the Internal Revenue Service—a step that could help to improve the effectiveness of cryptocurrency tracking.30 There’s also a move in the US towards KYC (‘know your customer’) and AML (anti-money-laundering) cryptocurrency regulation. KYC policies govern the types of information banks must collect, and retain, about their customers; AML regulations require financial institutions to monitor the use of funds by their customers.31

In 2018, new laws came into force in Australia making it compulsory for digital currency exchange providers operating in Australia to register with AUSTRAC and comply with reporting obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.32 Under those laws, exchanges are required to collect information to establish a customer’s identity, monitor transaction activity and report transactions or activity that’s suspicious or involves amounts of cash over $10,000.33

The legality of ransomware payment in Australia

When a ransomware attack occurs, any payment made has legal implications, but in Australia the legality of such a payment is murky at best. This is an issue that needs to be addressed with haste, without the burden of bureaucratic process and a regulatory quagmire. Importantly, criminalising ransomware payment isn’t the solution. Mandatory reporting of ransomware attacks, however, should be considered.

The ACSC’s advice on payment is clear: don’t pay.34 At first blush, that appears to be straightforward, but any organisation faced with a ransomware attack (in which often every minute matters) grapples with the legal consequences of paying or not paying. This is a highly nuanced issue and one that other nations are also grappling with.

While the payment of a ransom should always be a last resort, criminalisation wouldn’t incapacitate the real offenders; nor would it bring restitution to victims. In fact, it would have the effect of further victimising the victim. There are also ethical considerations that need to be taken into account, the central one being the notion that criminalisation could punish organisations for taking proportionate action to protect stakeholders and the community more broadly. This is especially relevant in relation to critical infrastructure entities.

In the Australian context, the Criminal Code Act’s ‘instrument of crime’ provisions are broad. It’s an offence to ‘deal with’ money or other property if there’s a risk that the money or property will become an instrument of crime or if the payer is ‘reckless’ or ‘negligent’ about the fact that the money or property will become an instrument of crime.35 The Criminal Code also includes terrorism funding offences, which make it illegal to intentionally ‘make funds available to a [terrorist] organisation’ if the funder either knows that the organisation is a terrorist organisation or is reckless about whether the organisation is a terrorist organisation.36

Australia is also bound by UN sanctions laws and, under the Charter of the United Nations Act 1945 (which implements UN Security Council sanctions), it’s an offence to transfer assets to sanctioned people and entities or to contravene UN sanctions enforcement laws.37 Currently, no ransomware actors are explicitly listed on the UN’s sanctions list; however, sanctions laws could apply in relation to sanctioned states or to groups acting on behalf of sanctioned entities.38

The most commonly cited potential defence against a charge of making an ‘illegal’ ransomware payment is duress. A duress defence can be used if a person ‘reasonably believes’ that a threat will be carried out unless the offence (here, the payment of the ransom) is committed, there’s no reasonable way the threat can be rendered ineffective, and the payment is a reasonable response to the threat.39 Whether the defence is available would depend on the particular circumstances facing the organisation when it paid.

In the US, where the Federal Bureau of Investigation (FBI) reported 2,474 ransomware incidents in 2020, ransom payment isn’t illegal.40 However, a ransomware advisory published by the US Treasury Department in October 2020 highlighted the possibility of sanction breaches that could be associated with ransomware payments to malicious cyber actors.41 The advisory contains a list of malicious cyber actors sanctioned by the department’s Office of Foreign Assets Control, signalling that ransom payments to such actors could be met with civil penalties. Of note, however, is the recognition that ‘a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement [will be] a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus’.42 On this point, a 2019 FBI ransomware alert highlighted the need for ransomware attacks to be reported, regardless of whether money is exchanged.43 Interestingly, the alert highlights the challenges that affected organisations face—and a possible reticence to prosecute for payment—by stating ‘the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers’.44

Given that the measures outlined in the Treasury advisory have, to date, not been applied, and the clear focus on reporting and transparency, it could be reasonably concluded in the US that there’s little appetite for penalising organisations for paying ransoms. Such a model could be employed in Australia, fostering an information-sharing culture without fear of legal consequences for organisations that pay ransoms. There’s also merit in the US approach of publishing a list of known malicious ransomware actors. While that wouldn’t remediate the problem, it would serve to better inform organisations about cyber threat actors.

A mandatory reporting regime could take the form of a legal obligation for an organisation to report the nature and root cause of a ransomware attack to the ACSC within a prescribed time frame (for example, within 21 days). That would be in addition to real-time reporting of a cyber incident.

Furthermore, this should occur regardless of whether payment is made and ensure the confidentiality of victims. It wouldn’t be about naming and shaming. Rather, by compelling victimised organisations to report under law, the ACSC would have improved access to vital and timely intelligence, assisting root-cause analysis and the identification of other attack vectors. Ultimately, when published, this would help better inform other stakeholders on how to reduce vulnerabilities. It would also enhance the operation of the federal government’s proposed changes to the Security of Critical Infrastructure Act 2018.45

It’s worth noting recent steps that the European Commission has taken ‘to tackle the rising number of serious cyber incidents’, announcing on 23 June 2021 that it will build a ‘Joint Cyber Unit’.46 The aim of the unit is to provide a coordinated response to ‘large-scale’ cyber incidents and assist in recovery, operating at both the operational and technical levels.47 It will involve key stakeholders from law enforcement, security, defence and diplomacy.48 Its functions will be enhanced by a new US–EU working group, which has been established specifically to address the ransomware threat.49

The joint EU and US approach demonstrates that, while Australia can take significant steps to address ransomware domestically by clarifying our law, there’s a vital need to work closely with allies and like-minded nations to tackle the threat globally. Longer term, sustained intelligence sharing and the adoption of responsibilities flowing from the agreed UN norms of responsible state behaviour in cyberspace will help achieve international consensus on tackling ransomware.50 In April 2021, to that end, the Five Eyes nations committed to tackling the growing threat of ransomware, specifically addressing the issue in the Five Country Ministerial Statement Regarding the Threat of Ransomware.51

What about cyber insurance?

While still relatively immature, Australia’s cyber insurance market has expanded. Cyber insurance policies can be expensive, given the nature of the threat, and broad in scope, covering recovery, replacement and regulatory costs associated with a ransomware attack. Of concern, however, are policies that cover ransom costs, which could serve to encourage attacks targeted at insured entities.52 There are also concerns that ransomware criminals might access systems in search of insurance certificates and then demand ransom payment of the specific amount covered by an insurer.53

While there is a role for cyber insurance to play as part of an organisation’s holistic cyber security strategy, it is not a silver bullet, and it can have unintended consequences. Beyond the targeting of insured organisations noted above, there is the potential for organisations with cyber insurance to be lax in their approach to managing cyber security. As noted in the Harvard Business Review: “Insurance is important, but it’s likely to take a back seat to the broader cyber security discussion…Insurance helps you recover from a situation, filling in the gaps when problems occur that you can’t prevent, but attempts to prevent problems are still crucial”.

Where do we go from here?

To better protect Australians and their businesses against ransomware, we believe that the three key words are transparency, education and incentivisation.

Increased transparency is vital

As it stands, there’s a dearth of official public data relating to ransomware attacks in Australia. For example, and as noted above, in the 2019–20 financial year the ACSC reported an increase in the number of domestic ransomware attacks, but no specific metrics were released.54 This is in stark contrast to the US, which has a much more transparent reporting system. The FBI publicly reported that it recorded 2,474 ransomware incidents in 2020, amounting to US$29.1 million in economic loss55 (and that’s likely to be a significant understatement of the overall incidence of ransomware attacks because reporting is voluntary).

While it’s understandable that the specifics of attacks and victims aren’t released into the public domain, if more insight were provided into the prevalence and root causes of ransomware crimes in Australia there would be greater onus on organisations to harden their systems against attack (especially known vulnerabilities). Furthermore, by building a public narrative on the threat landscape and threat actors, policymakers, organisations and the community more broadly would be better informed about the scale of the attacks. This would have a two-pronged effect—encouraging cybersecurity uplift across the economy and enhancing trust in government, especially in the light of the heightened reporting obligations touted for critical infrastructure entities.56

In April this year, the US Department of Justice established a dedicated ransomware taskforce.

A memo from Acting Deputy Attorney General John Carlin stated that 2020 had been ‘the worst year’ in history for ransomware and cyber extortion. He signalled that steps would be taken to deal with the root causes of ransomware, which could include actions ranging from ‘takedowns of servers used to spread ransomware to seizures of these criminal enterprises’ ill-gotten gains’.57

The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) also provides regular ransomware alerts and tips to the public,58 which go into significant detail regarding the latest ransomware attacks, the systemic weaknesses that were exploited to gain access for malware to be deployed and steps organisations can take to mitigate those risks. CISA played a pivotal role in disseminating real-time information about the Colonial Pipeline ransomware attack in May 2021,59 which brought the major provider of fuel to the US east coast to a grinding halt.60

CISA kept the community and critical infrastructure entities informed during what was arguably the most serious ransomware attack the US has seen, ultimately assisting other organisations to be on guard.61

The US approach illustrates how comprehensive and more transparent official reporting of ransomware attacks could be used to enhance preparedness for an attack and people’s understanding of the threat environment. While the ACSC does provide high-level threat intelligence to organisations, there’s a requirement for those organisations to register and be accepted into the ACSC Partnership Program. In addition, the alerts and advice are quite technical, which could make them inaccessible to some organisations, especially small and medium-sized enterprises (SMEs). Hence, there’s a need to build on the existing regime, with a view to enhancing transparency across the entire economy and community via public alerts and advice when ransomware attacks occur.

Education is necessary to improve knowledge and mitigate risk

While increased transparency is vital, it’s of little use if organisations don’t understand what ransomware is or what needs to be done to mitigate risk, and haven’t implemented appropriate cybersecurity controls. Many ransomware attacks would be avoidable if effective organisational cybersecurity controls were in place and good cyber hygiene was practised. Ransomware is different from most other tools used by criminals in that it can have far-reaching consequences. The threat it poses through its ability to cripple critical infrastructure makes it all the more serious. Hence, there needs to be greater focus on the basics—a concerted education campaign that explains what ransomware is, what it does and how organisations can bolster their defences.

Top of the list must be patching. Patch management is essential for effective cybersecurity and ensures that the security features of software on computers and devices are up to date. All software is prone to technical vulnerabilities and, when a vulnerability is exposed and shared, cybercriminals have a metaphorical front-door key. A 2019 report by the Ponemon Institute on vulnerability responses found that, of the 48% of organisations that had experienced data breaches in the preceding year, 60% reported that the breaches resulted from failure to patch.62

And that brings us to people. Amid the barrage of policies and technical guidance, it’s often forgotten that the route to a cyber breach is surprisingly simple. In most cases, it comes down to a number: 1. That’s the number of people a cybercriminal needs to trick to gain access to a system.

Phishing emails containing malicious links or attachments are common lures used to deploy ransomware. The FBI reported 241,342 phishing complaints in 2020 and estimated that phishing cost more than US$54 million.63 Therefore, training employees to be better prepared to identify suspicious emails— and not to click on them—is essential. For large, well-resourced organisations, investing in threat hunting is the key.64 In many cases, the attacker has been inside the victim’s network for a significant period, watching and preparing the environment for an attack. An investment in threat hunting means that anomalous activity on endpoints and the network can be more easily recognised and more swiftly contained. It could prove critical in detecting whether a cybercriminal is planning and plotting within a network.
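A concrete form of the hunting described above, added here as an illustration and not drawn from the report: a small Python hunt over a constructed, Sysmon-style process-creation log. It looks for two patterns that are assumed generic indicators rather than anything described on this page: an Office or mail client spawning a script interpreter (the usual endpoint footprint of a phishing lure detonating) and commands that delete local backups or shadow copies, which ransomware operators commonly run immediately before encryption. Host names, user names, timestamps and log lines are all constructed.

```python
"""Minimal ransomware-precursor hunt over process-creation telemetry.

Added example, not code from the ASPI report. The telemetry below is
constructed (Sysmon-style, simplified); the two heuristics are assumed
generic indicators, not incidents described on the page.
"""
import re
from collections import defaultdict

# Constructed sample events: (timestamp, host, user, parent image, child image, command line)
SAMPLE_EVENTS = [
    ("2021-06-01T09:02:11", "WS-104", "jsmith", "OUTLOOK.EXE", "WINWORD.EXE",
     "WINWORD.EXE /n invoice.docm"),
    ("2021-06-01T09:02:35", "WS-104", "jsmith", "WINWORD.EXE", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    ("2021-06-01T09:03:02", "WS-104", "jsmith", "powershell.exe", "rundll32.exe",
     "rundll32.exe C:\\Users\\Public\\x.dll,Start"),
    ("2021-06-01T10:15:00", "WS-210", "agreen", "explorer.exe", "EXCEL.EXE",
     "EXCEL.EXE budget.xlsx"),
    ("2021-06-01T10:16:40", "WS-210", "agreen", "EXCEL.EXE", "chrome.exe",
     "chrome.exe https://intranet.example/report"),
    ("2021-06-03T02:41:10", "SRV-FS01", "SYSTEM", "services.exe", "cmd.exe",
     "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("2021-06-03T02:41:12", "SRV-FS01", "SYSTEM", "cmd.exe", "wbadmin.exe",
     "wbadmin delete catalog -quiet"),
]

# Office/mail clients that should not normally launch script interpreters.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Commands that remove the victim's ability to restore from local backups.
BACKUP_TAMPER = re.compile(
    r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"
    r"|wbadmin\s+delete\s+catalog|bcdedit\s.*recoveryenabled\s+no",
    re.IGNORECASE,
)
# Encoded PowerShell is not malicious by itself, but it is a common lure payload.
ENCODED_PS = re.compile(r"powershell(\.exe)?\s.*\s-(enc|encodedcommand)\b", re.IGNORECASE)

# Rule name -> coarse kill-chain stage used by triage().
STAGE = {
    "office_spawns_script_host": "initial_access",
    "encoded_powershell": "initial_access",
    "backup_tampering": "impact_imminent",
}


def hunt(events):
    """Return one finding dict per (event, rule) match, in event order."""
    findings = []
    for ts, host, user, parent, child, cmdline in events:
        matched = []
        if parent.upper() in OFFICE_PARENTS and child.lower() in SCRIPT_HOSTS:
            matched.append("office_spawns_script_host")
        if ENCODED_PS.search(cmdline):
            matched.append("encoded_powershell")
        if BACKUP_TAMPER.search(cmdline):
            matched.append("backup_tampering")
        for rule in matched:
            findings.append({"time": ts, "host": host, "user": user,
                             "rule": rule, "cmd": cmdline})
    return findings


def triage(events):
    """Map each host with findings to the most urgent stage seen on it.

    A host on which backups are being deleted is about to be encrypted and
    outranks a host that merely shows a lure detonating.
    """
    rank = {"initial_access": 1, "impact_imminent": 2}
    worst = defaultdict(int)
    for f in hunt(events):
        worst[f["host"]] = max(worst[f["host"]], rank[STAGE[f["rule"]]])
    inverse = {v: k for k, v in rank.items()}
    return {host: inverse[r] for host, r in worst.items()}


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']:9} {f['rule']:26} {f['cmd']}")
    print(triage(SAMPLE_EVENTS))
```

The rules are deliberately narrow so that benign activity stays quiet: OUTLOOK.EXE opening a document and EXCEL.EXE opening a browser produce no findings, while the WINWORD.EXE to encoded PowerShell to rundll32.exe chain on WS-104 is the kind of anomaly an analyst pivots on. The backup-deletion rule is the one to page on; by the time it fires the attacker is usually minutes from encrypting. In a real deployment the allow-lists would be tuned to the environment and the matching run continuously against the EDR or SIEM feed rather than over a static list.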

It’s the responsibility of all executives, business leaders and boards to be aware of and effectively manage cybersecurity risks, to ensure that appropriate measures are in place and to foster a culture in which cybersecurity really does matter. If cybersecurity matters to a chair and board, that will trickle down and become a priority for the whole organisation. To that end, it’s also timely to note that Australian directors increasingly bear personal exposure to cyber risk liability, which may be heightened under the proposed changes to the critical infrastructure regime.

Incentivisation is needed to achieve real cybersecurity uplift

Good cyber hygiene is central to mitigating a ransomware attack, but cybersecurity uplift costs money—a cost that’s borne without immediately ‘tangible’ results for organisations. This is especially pertinent for SMEs, which generally don’t have the same level of resourcing to prioritise cybersecurity. Hence, incentivisation has a key role to play if cyber resilience is to be applied across all levels of the economy.

A clear example of where existing mechanisms could be used to incentivise cyber uplift is via full expensing, previously known as instant asset write-offs. The temporary full expensing scheme, which was extended in the 2021–22 federal Budget, allows organisations with an annual turnover of less than $5 billion to immediately write off the business portion of the cost of eligible new assets they first use or install by 30 June 2023, with no cap on the value of new assets that can be claimed (but there may be certain cost limits on particular assets).65 Put simply, this means organisations can make full or significant deductions for eligible purchases up front, rather than over a period of several years via depreciation. While this doesn’t remove the need for initial outlays, the scheme does offer significant taxation benefits. There’s scope for the federal government to provide clear information via the Australian Taxation Office about what cybersecurity asset purchases are covered under the scheme.

As it stands, cybersecurity assets aren’t clearly defined, and only bespoke in-house software is covered.66 If the scheme were broadened to include off-the-shelf products and subscription services (such as cloud services), it would support scalable and more rapid uplift. This relatively simple incentivisation solution, which should be promoted, would have a two-pronged effect, simultaneously easing financial imposts on organisations while also hardening cybersecurity resilience across a greater cross-section of the economy.

Another option is to leverage the power of federal government procurement to drive organisational cybersecurity uplift by mandating minimum cybersecurity standards for organisations feeding into the government supply chain. This has the potential to be transformative, given the government’s huge procurement spend (81,174 contracts with a combined value of $53.9 billion were published on AusTender in 2019–20).67 Despite that massive spend, cybersecurity is mentioned only once in the Commonwealth Procurement Rules,68 which recommend that cybersecurity risk be considered along with other risks and be evaluated in accordance with the government’s Protective Security Policy Framework.69 Cybersecurity needs to play a more prominent role in government procurement practices, not be viewed as an afterthought or secondary consideration. The important role government procurement could play in cyber uplift was highlighted by Rajiv Shah in his 2020 report Working smarter, not harder.70 Shah observed that the government:

… has an opportunity to leverage its market power to provide for broader benefits to the Australian economy and society … Setting security standards expected from its suppliers may help to lift standards across the board. Companies will be incentivised to lift their standards in order to qualify to do business with the government, and it will often be easier for them to apply those standards across their whole enterprises rather than just for their government contracts.71

A cybersecurity uplift grant or subsidy scheme could be considered, in the vein of a program such as the Skilling Australia’s Defence Industry Grants Program.72 That program provides grants to SMEs with fewer than 200 employees over three years, assisting the development of defence sector skills and human resources practices and training plans. The program provides SMEs that service, or intend to service, the defence industry with the capacity and skills required to operate in that supply chain.

A similar program could be introduced for organisations that feed into the whole-of-government supply chain to uplift cybersecurity resilience via both training and physical upgrades.

Another option could be to expand and extend the remit of the Cyber Security Business Connect and Protect Program beyond assistance and advice to also include financial aid to lift SME cybersecurity.

As it stands, the program (which is currently closed), provides funding to ‘trusted organisations’ to raise awareness of cybersecurity risks to SMEs, promote action to address those risks and support and lift the cyber capability of SMEs. However, the scheme doesn’t provide funding to assist SMEs in the physical implementation of cybersecurity uplift.

Policy recommendations

We make eight policy recommendations under the following themes.

Legal clarity

  1. The Australian Government shouldn’t criminalise the payment of ransoms. Instead, a mandatory reporting regime should be adopted, fostering an information-sharing culture without fear of legal repercussions.
  2. A dedicated cross-departmental ransomware taskforce, including state and territory representatives, should be established to share threat intelligence and develop federal-level policy proposals to tackle ransomware nationally.

Greater transparency

  3. The ACSC’s existing official alert system should be expanded to include the real-time distribution of publicly available alerts and clear, actionable advice when ransomware attacks are reported. The alerts and advice should be updated as required.
  4. The non-punitive mandatory reporting regime should require organisations to report ransomware incidents and known root causes to the ACSC within 21 days. The information would then be de-identified and distributed publicly.
  5. The ACSC should publish a list of ransomware threat actors and aliases, giving details of their modus operandi and key target sectors, along with suggested mitigation methods.

Low-hanging fruit: incentivisation and education

  6. The federal government should implement practical incentivisation measures to drive cybersecurity uplift across the economy via temporary full expensing and changes to procurement practices and grant or subsidy programs.
  7. The government should deliver a concerted nationwide public ransomware education campaign, led by the ACSC, across all media. The campaign should highlight the key causes of ransomware vulnerability and how organisations can bolster their security, and it should draw in external expertise where necessary.
  8. A business-focussed multi-media public education campaign, led by the ACSC, should be launched to educate organisations of all sizes and their people about basic cybersecurity and cyber hygiene. It should focus on the key areas of patching, multifactor authentication, legacy technology and human error.

Conclusion

Ransomware isn’t an abstract possibility. In Australia, the threat’s right here, right now and isn’t going away. Unless a concerted effort is made to mitigate the risk, the problem could continue to get worse.

There’s a key role for the Australian Government to play in leading the way, but tackling ransomware is a shared responsibility. While there’s no doubt that organisations must take responsibility for ensuring that their cybersecurity posture is up to scratch, there are practical and easily implementable steps the government can take to provide clarity, guidance and support.

The ongoing ransomware attacks that continue to strike unabated around the world must act as a red flag. And, because we’ve been warned, we need a plan.


Acknowledgements

Thank you to Danielle Cave for all of her work on this project. Thank you also to all of those who peer reviewed this work and provided valuable feedback including Michael Sentonas, Dr Natasha Molt, Fergus Hanson, Michael Shoebridge, Bart Hoogeveen, Jocelinn Kang and Tom Uren. ASPI’s International Cyber Policy Centre receives funding from a variety of sources including sponsorship, research and project support from across governments, industry and civil society. The Cyber Security CRC is a bronze sponsor of the centre. No specific funding was received, from any organisation, to fund the production of this report.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements. 

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2021

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

ISSN 2209-9689 (online), ISSN 2209-9670 (print).

Funding Statement: No specific sponsorship was received to fund production of this report.


Defining offensive cyber capabilities

Introduction

States are developing and exercising offensive cyber capabilities. The United States, the United Kingdom and Australia have declared that they have used offensive cyber operations against Islamic State,1 but some smaller nations, such as the Netherlands, Denmark, Sweden and Greece, are also relatively transparent about the fact that they have offensive cyber capabilities.2 North Korea, Russia and Iran have also launched destructive offensive cyber operations, some of which have caused widespread damage.3 The US intelligence community reported that as of late 2016 more than 30 states were developing offensive cyber capabilities.4

There is considerable concern about state-sponsored offensive cyber operations, which this paper defines as operations to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.

It is assumed that common definitions of offensive cyber capabilities and cyber weapons would be helpful in norm formation and discussions on responsible use.

This paper proposes a definition of offensive cyber operations that is grounded in research into published state doctrine, is compatible with definitions of non-kinetic dual-use weapons from various weapons conventions and matches observed state behaviour.

In this memo, we clearly differentiate offensive cyber operations from cyber espionage. We address espionage only in so far as it relates to and illuminates offensive operations. Only offensive cyber operations below the threshold of armed attack are considered, as no cyber operation thus far has been classified as an armed attack, and it appears that states are deliberately operating below the threshold of armed conflict to gain advantage.5

This paper examines the usefulness of defining cyber weapons for discussions of responsible use of offensive cyber capabilities. Two potential definitions of cyber weapons are explored—one very narrow and one relatively broad—before we conclude that both definitions are problematic and that a focus on effects is more fruitful.

Finally, the paper proposes normative courses of action that will promote greater strategic stability and reduce the risk of offensive cyber operations causing extensive collateral damage.

Definitions of offensive cyber capabilities

This section examines definitions of offensive cyber capabilities and operations in published military doctrine and proposes a definition consistent with state practice and behaviour. We first define operations and capabilities to clarify the language used in this report.

What are capabilities? In the context of cyber operations, having a capability means possessing the resources, skills, knowledge, operational concepts and procedures to be able to have an effect in cyberspace. In general, capabilities are the building blocks that can be employed in operations to achieve some desired objective. Offensive cyber operations use offensive cyber capabilities to achieve objectives in or through cyberspace.

US military joint doctrine defines offensive cyber operations as ‘operations intended to project power by the application of force in and through cyberspace’. One category of offensive cyber operations that US doctrine defines is ‘cyberspace attack’—actions that manipulate, degrade, disrupt or destroy targets.6

UK military doctrine defines offensive cyber operations as ‘activities that project power to achieve military objectives in, or through, cyberspace. They can be used to inflict temporary or permanent effects, thus reducing an adversary’s confidence in networks or capabilities. Such action can support deterrence by communicating intent or threats.’7 UK doctrine further notes that ‘cyber effects will primarily be in the virtual or physical domain, although some may also be in the cognitive domain, as we seek to deny, disrupt, degrade or destroy.’

In both UK and US military doctrine, offensive operations are a distinct subset of cyberspace operations, which also include defensive actions; intelligence, surveillance and reconnaissance (ISR); and operational preparation of the environment (non-intelligence enabling activities conducted to plan and prepare for potential follow-on military operations).

This is consistent with the Australian definition, which is that offensive cyber operations ‘manipulate, deny, disrupt, degrade or destroy targeted computers, information systems or networks’.8

The Netherlands’ defence organisation sees offensive cyber operations as ‘digital resources whose purpose it is to influence or pre-empt the actions of an opponent by infiltrating computers, computer networks and weapons and sensor systems so as to influence information and systems’.9

Two common threads in state definitions are identified. Offensive cyber operations:

  • are intended to deny, disrupt, degrade, destroy or manipulate targets to achieve broader objectives (henceforth called denial and manipulation effects)
  • have a ‘direct real-world impact’.10

Another observation is that these definitions stress that ‘while cyber operations can produce stand-alone tactical, operational, and strategic effects and achieve objectives, they must be integrated’ in a military commander’s overall plan.6 This doctrine, however, originates from military establishments within a relatively narrow range of countries. In other states, offensive cyber operations may well be less integrated into military planning and will occur to achieve the political and/or strategic goals of the state leadership.11

This paper proposes that offensive cyber operations manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.

There are relatively few publicly available offensive cyber doctrine documents, but observed behaviour indicates that states such as Iran, North Korea and Russia are using operations that cause denial and manipulation effects to support broader strategic or military objectives.

By definition, offensive cyber operations are distinct from cyber-enabled espionage, in which the goal is to gather information without having an effect. When information gathering is a primary objective, stealth is needed to avoid detection in order to maintain persistent access that allows longer term intelligence gathering.

This definition does classify relatively common events, such as ransomware attacks, website defacements and distributed denial of service (DDoS) attacks, as offensive cyber operations.

Although the ‘manipulate, deny, disrupt, degrade or destroy’ element of the definition lends itself to segmentation into different levels, further examination shows that segmentation based on the type of attack is not particularly useful. Information and communication technology (ICT) infrastructure is inherently interconnected, and even modest disruption can cause relatively drastic second-order effects. Modifying the state of a control system, for example, could lock a person’s garage or launch a nuclear missile.

Conversely, seriously destructive attacks, such as data wipers, can have damaging effects on very different scales. Compare the damage caused when North Korea infiltrated the Sony Pictures Entertainment network12 with the damage caused by the Russian-launched NotPetya attack.13 At Sony Pictures, more than 4,000 computers were wiped and, although that cost US$35 million to investigate and repair, it did not significantly affect the broader Sony corporation14 and did not directly affect other entities. The NotPetya event also involved data destruction, but it was probably the most damaging cyberattack thus far: US$300 million in damages for FedEx; US$250–300 million for Danish shipper Maersk;15 more than US$310 million for American pharmaceutical giant Merck; US$387 million for French construction giant Saint-Gobain; and US$150 million for US snack maker Mondelez International (owner of Cadbury). It is possible that flow-on effects from the disruption to the logistics and pharmaceutical industries affected the broader global economy.

Table 1 is a selected list of state activities that this paper defines as offensive cyber operations. Those operations are assessed for the scale, seriousness, duration and specificity of their effect.

Ultimately, the seriousness of a cyberattack is based on its ultimate effects or on the effects that it enables. The scale and seriousness of incidents should be based upon measuring the ultimate consequences of an incident and the economic and flow-on effects.

Table 1: State offensive cyber operations

Operation | Seriousness | Scale | Duration | Specific
--- | --- | --- | --- | ---
NotPetya | High: data destruction | Global. Affected organisations in Europe, the US and Asia (Maersk, Merck, Rosneft, Beiersdorf, DHL and others), with a concentration in Ukraine (banking, a nuclear power plant, airports, metro services). | Short-term, with recovery over months to a year. | No
WannaCry | High: data destruction (irreversible encryption) | Global, but primarily in Russia, Ukraine, India and Taiwan, affecting multinationals, critical infrastructure and government. | Short-term, with recovery over months to a year. | No
Sony Pictures Entertainment | High: data destruction | Focused on Sony Pictures Entertainment (<7,600 employees), a subsidiary of Sony Corporation (131,700 employees in 2015) (a) | Short-term, with recovery in months. | Yes
Stuxnet | High: destruction of centrifuges | Focused on Iran's uranium enrichment programme | <1 year | Yes
Various offensive cyber operations against ISIS by the US, Australia and the UK | Varied: some data destruction but also denial and manipulation effects | Focused on Islamic State | Unknown | Yes
Estonia 2007 | Medium: temporary denial of service | Principally Estonian electronic services; the attack traffic also affected many European telcos and US universities | 3 weeks | Yes

(a)  Sony Corporation, US Securities and Exchange Commission Form 20-F, FY 2016 [online]

Cyber weapons and arms control

Cyber weapons are often conceived of as ‘powerful strategic capabilities with the potential to cause significant death and destruction’,16 and in an increasingly interconnected world it is easy to speculate about catastrophic effects. It is also difficult to categorically rule out even seemingly outlandish offensive cyber scenarios; for example, it seems unlikely that a fleet of self-driving cars could be hacked to cause mass destruction, but it is hard to say with certainty that it is impossible.17 Although the reality is that offensive cyber operations have never caused a confirmed death, this ‘uncertainty of effect’ is potentially destabilising, as states may develop responses based on practically impossible worst-case scenarios.

In a Global Commission on the Stability of Cyberspace issue brief, Morgus et al. look at countering the proliferation of offensive cyber capabilities and conclude that limiting the development of cyber weapons through traditional arms control or export control is unlikely to be effective.18 This paper agrees, and contends that previous arms or export control agreements may succeed where the following three conditions are present:

  1. Capability development is limited to states, usually because weapons development is complex and highly industrialised.
  2. There is a common interest in limiting proliferation.
  3. Verification of compliance is possible.

Perhaps only one of these three conditions—a common interest in limiting proliferation—exists in the world of cyber weapons, although even this is not immediately self-evident.

In the context of international arms control, a limited number of capability developers usually means that only states (and ideally only a small number of states) have the ability to develop weapons of concern, that states have effective means to control proliferation, or both. In cyberspace, however, there are many non-state actors—in the cybersecurity industry and in the criminal underworld19—developing significant cyber capability. Additionally, the exchange of purely digital goods is relatively difficult for states to control compared to exchanges of physical goods. States do not have a monopoly on capability development and find it difficult to effectively control the spread of digital goods, and so therefore cannot credibly limit broader capability development.

For chemical, biological and nuclear weapons, the human suffering caused by their use is generally abhorred and there is a very broad interest in restraining the use of those weapons. Offensive cyber operations, by contrast, could achieve military objectives without causing human suffering; for example, the warfighting capability of an adversary could be degraded by disrupting their logistics such that military objectives could be achieved without fighting. It has been suggested that states have a ‘duty to hack’ when the application of offensive cyber operations will result in less harm than all other applications of force,20 and the UK’s Minister of State for the Armed Forces, Nick Harvey, noted in 2012 that offensive cyber operations could be ‘quite a civilised option’ for that reason.21

Additionally, cyber weapons can be developed entirely in environments where visibility for verification is impossible, such as in air-gapped networks in nondescript office buildings. Unlike for weapons of mass destruction, there are no factories or supply chains that can be examined to determine whether capabilities exist and stockpiles are being generated.22

Unlike many military capabilities—say, nuclear-armed submarines or ballistic missiles—offensive cyber capabilities are unique in that once defenders have technical knowledge of the potential attack, effective countermeasures can be developed and deployed relatively easily.23

For this reason, states already have considerable interest in limiting the proliferation of offensive cyber capabilities—they want to keep those capabilities secret so they can exploit them. The US Vulnerabilities Equities Process (VEP) policy document24 states that when the US Government discovers vulnerabilities25 most are disclosed, but some will be kept secret to satisfy law enforcement or national intelligence purposes where the risk of the vulnerability is judged to be outweighed by possible intelligence or other benefits. Undoubtedly, all states that engage in vulnerability discovery will have a common interest in keeping at least some secret so that they can be exploited for national security purposes.

Defining cyber weapons

Despite scepticism about the effectiveness of traditional arms control, this paper develops both a narrow and a broad definition of cyber weapons to test whether those definitions could be useful in arms control discussions. The definitions have been developed by examining selected international weapons conventions and previously published definitions.

One problem with defining cyber weapons is that cyber technologies are primarily dual-use: they can be used for both attack and defence, for peaceful and aggressive purposes, for legal and illegal activities. Software can also be quite modular, such that many cybersecurity or administrative tools can be brought together to form malware.

Weapons in the physical domain have been categorised into three groups: small arms and light weapons; conventional arms; and weapons of mass destruction (WMD).26 Given that cyber weapons are often conceived of as potentially causing mass destruction, and because WMD are subject to the most rigorous international counter-proliferation regimes, this paper examines definitions through the lens of the two WMD counter-proliferation regimes that deal with dual-use goods: the Chemical Weapons Convention and the Biological Weapons Convention.27

Biological weapons, a class of WMD, are described as (our emphasis):28

  1. microbial or other biological agents, or toxins whatever their origin or method of production, of types and in quantities that have no justification for prophylactic, protective or other peaceful purposes;
  2. weapons, equipment or means of delivery designed to use such agents or toxins for hostile purposes or in armed conflict.

The Chemical Weapons Convention defines chemical weapons as (our emphasis):29

  • toxic chemicals and their precursors, except where intended for purposes not prohibited under the Convention and as long as the types and quantities are consistent with such purposes; and
  • munitions and devices, specifically designed to cause death or other harm through the toxic properties of those chemicals …

These conventions, both of which deal with dual-use goods, define by exclusion: only substances that do not or cannot have peaceful purposes are defined as weapons. The material of concern is not inherently a problem—it is how it is used.

In the context of armed conflict, the Tallinn Manual characterises cyber weapons by the effects they have, not by how they are constructed or their means of operation:

cyber weapons are cyber means of warfare that are used, designed, or intended to be used to cause injury to, or death of, persons or damage to, or destruction of, objects, that is, that result in the consequences required for qualification of a cyber operation as an attack.30

Herr and Rosenzweig define cyber weapons as malware that has a destructive digital or physical effect, and exclude malware used for espionage.31 Herr also considers that malware is modular and consists of a propagation element that the malware uses to move from origin to target; an exploit that will allow the malware to execute arbitrary commands on the target system; and a payload that will execute some malicious instructions.

Rid and McBurney define cyberweapons as ‘computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings’.32

A narrow definition

Following the logic of dual-use weapons conventions, a narrow definition of cyber weapons is software and information technology (IT) systems that, through ICT networks, cause destructive effects and have no other possible uses. The IT system aspect of this definition requires some level of integration and automation in a weapon: code that wipes a computer hard disk is not a weapon by itself—by itself it cannot achieve destructive effects through cyberspace—but could form part of a weapon that wipes hard drives across an entire organisation.

Based on this narrow definition, Table 2 shows our assessment of whether reported malware examples would be defined as cyber weapons.

Table 2: Cyber weapon assessment

Malware or system | Description | Weapon?
--- | --- | ---
Distributed denial of service (DDoS) systems | Aggregation of components, including bots and control software, such that they have no other purpose than to disrupt internet services. | Yes, although this is arguable because the effects tend to be temporary (disruptive rather than destructive). Each individual component is likely to have non-destructive uses.
Dragonfly a.k.a. Energetic Bear campaign (a) | Espionage campaign against energy critical infrastructure operators that developed industrial control system sabotage capabilities. | No. This was both manual and for espionage only; it never disrupted critical operations. However, the intent demonstrated is to develop capabilities to disrupt critical infrastructure.
BlackEnergy 2015 Ukrainian energy grid attack (b) | Access to a Ukrainian energy company's network was used to disrupt electricity supply. | No. The BlackEnergy malware was very modular and the attack itself was largely manual, with operators working through the compromised control systems. The malware does contain destructive capability.
Industroyer a.k.a. Crashoverride malware (c) | Malware in a Ukrainian energy supply company was used to disrupt electricity supply. | Yes. Integrated malware disrupted electricity supply automatically.
TRISIS malware (d) | Malware intended to sabotage a Saudi Arabian petrochemical plant by targeting its safety instrumented system. | Yes. Malware with no espionage capability was specifically designed to subvert the plant's safety system.
WannaCry | Self-propagating ransomware worm that encrypts files on infected computers. | Yes. Malware with no espionage capability was designed to encrypt files with no reliable means of recovery, which this paper treats as data destruction.
Metasploit | An integrated collection of hacking tools that can be used for defence, for espionage, or for destruction and manipulation. | No. Metasploit has many non-destructive uses and is not integrated into a system that causes destruction.
NotPetya | A self-propagating data wiper disguised as ransomware. | Yes. Automatically destroyed data.
Flame, Snake, Regin | Very advanced modular malware. | No. These could cause denial and manipulation effects and could be automated but have other uses. They seem to be designed primarily for espionage.
Stuxnet | Self-propagating malware that subverted industrial control systems to destroy Iranian uranium enrichment centrifuges. | Yes. Highly tailored to automatically destroy the targeted centrifuges.
Large-scale man-in-the-middle attack system (e.g. mass compromise of routers) (e) | Compromise of many mid-points could enable large-scale access that could be used for intelligence, destruction or manipulation, or even to patch systems. | No. Intent is everything here.
PowerShell | A powerful scripting and computer administration language installed by default with the Windows operating system. | No. Many non-destructive uses.
A PowerShell script designed to automatically move through a network and wipe computers | Destructive intent is codified within the script commands. | Yes.

  • a) Symantec, Dragonfly: Western energy companies under sabotage threat, 2014, online.
  • b) Kim Zetter, ‘Inside the cunning, unprecedented hack of Ukraine’s power grid’, Wired, 3 March 2016, online.
  • c) Andy Greenberg, ‘“Crash override”: the malware that took down a power grid’, Wired, 12 June 2017, online; Robert M Lee, ‘Crashoverride’, Dragos, 12 June 2017, online; Anton Cherepanov, Robert Lipovsky, ‘Industroyer: biggest threat to industrial control systems since Stuxnet’, welivesecurity, 12 June 2017, online.
  • d) Nicole Perlroth, Clifford Krauss, ‘A cyberattack in Saudi Arabia had a deadly goal: experts fear another try’, New York Times, 15 March 2018, online; TRISIS malware: analysis of safety system targeted malware, Dragos, online.
  • e) US CERT, Russian state-sponsored cyber actors targeting network infrastructure devices, Alert TA18-106A, 16 April 2018, online.

This narrow definition is consistent with the narrowness of definitions from both the Biological Weapons Convention and the Chemical Weapons Convention, both of which deal with dual-use goods.

The definition captures intent by excluding all other tools where intent is ambiguous; only tools that can only be used for destruction are included.

This narrow definition is problematic for at least three reasons.

First, it does not map directly onto state definitions of offensive cyber activities—actions that manipulate, disrupt, deny and degrade would likely not be captured and so much offensive cyber activity will not involve cyber weapons. The offensive cyber operation, for example, that US Cyber Command conducted against Islamic State’s propaganda operations did not require cyber weapons. Cyber Command obtained Islamic State administrator passwords and deleted content and changed passwords to lock out the original owners.33 This offensive cyber operation could have been entirely conducted using standard computer administration tools. No malware, no exploit, no software vulnerability and certainly no cyber weapon was needed.

Second, even the most destructive offensive cyber operations could be executed without ever using a cyber weapon. For example, a cyber operation that triggered the launch of conventional or nuclear weapons would not require a cyber weapon.

Third, this definition could easily be gamed by adding non-destructive functionality to otherwise malicious code.

A broader definition

A broader definition of cyber weapons could be software and IT systems that, through ICT networks, manipulate, deny, disrupt, degrade or destroy targeted information systems or networks.

This definition has the advantage that it would capture the entirety of tools that could be used for offensive cyber operations.

Many cyber operations techniques, however, take advantage of computer administration tools, and the difference between espionage and offensive action is essentially a difference in intent; for example, the difference between issuing a command to copy files and issuing one to delete files. Indeed, it is possible to conduct cyber operations, both intelligence and offensive operations, using only legitimate tools such as the scripting language Windows PowerShell.34 Yet it makes no sense to define everything that could be used for destructive effects as a cyber weapon; it is nonsensical to label PowerShell a cyber weapon.

This definition would also include perfectly legitimate tools that state authorities and the cybersecurity community use for law enforcement, cyber defence, or both.

These two definitions highlight the dilemma involved in defining cyber weapons. A narrow definition can perhaps be more readily agreed to by states, but excludes so much potential offensive cyber activity that efforts to limit cyber weapons based on that definition seem pointless. The broader definition would capture tools used for so many legitimate purposes that agreement on their status as weapons is unlikely, and limitations could well harm network defenders more than attackers.

Options for control

This paper therefore agrees with Morgus et al.35 that limiting the development of cyber weapons by controlling the development of defined classes of weapons is unlikely to be effective. There are, however, options for more effective responses that focus on affecting the economics of offensive cyber operations and the norms surrounding their application.

Affecting the markets involved in offensive cyber capability development would raise the cost of capability development and encourage states to conduct operations sparingly.

One market associated with cyber capabilities is that for software vulnerabilities and their associated exploits (code that takes advantage of a vulnerability). Software vulnerabilities are often exploited by malware to gain unauthorised access to computer systems and are often—although not always—required for offensive cyber capabilities. Ablon and Bogart have found that the market price for software exploits is sensitive to supply and that prices can rise dramatically for in-demand, low-supply products.36 A multifaceted approach to restricting supply could raise the cost of acquiring exploits and therefore the cost of building offensive cyber capabilities.

Shifting the balance of vulnerability discovery towards patching (rather than exploitation for malicious purposes) would raise the value of all vulnerabilities. One possibility, raised by Morgus et al. and earlier by Dan Geer in his 2014 Black Hat keynote, is for software vulnerabilities to be bought for the express purpose of developing fixes and patches.37

A secondary response would be to enable more effective repair of vulnerabilities, closing the loopholes that enable computer exploitation. NotPetya, assessed by the US Government to be the most destructive cyberattack thus far,38 used publicly known vulnerabilities (the SMBv1 flaws addressed by Microsoft's MS17-010 update of March 2017) for which patches had been available for months. NotPetya also spread laterally by harvesting credentials from memory and reusing them through legitimate Windows administration tools, so patching alone would not have stopped it inside every network; even so, effective cyber hygiene, including prompt patching and limiting the reach of privileged credentials, would have prevented much of the damage that NotPetya caused.

From a policy point of view, this could be attacked at several levels by encouraging research into vulnerability mitigation and more effective patching processes; educating decision-makers to prioritise and resource vulnerability discovery and patching; government policy to encourage more effective patching regimes; and promoting VEP policies in other states (discussed below).

Whenever a vulnerability is exploited for any purpose—including cyber espionage, offensive operations and cybercrime—there is a risk of discovery, which could ultimately result in patching and loss of the ability to exploit the vulnerability. Raising the value of all vulnerabilities will encourage states to use offensive cyber capabilities sparingly to avoid discovery and hence loss of capability via patching.

A complementary approach would be to change incentives within software development to encourage secure application development. Again, this could be approached at many levels: altering computer science curriculums; promulgating secure coding standards;39 and altering the balance of liability in commercial code, for example.

Reducing the supply of exploits and raising their cost encourages states to conduct cyber operations in a way that avoids attracting attention to mitigate the risk of discovery and loss of capability. This effort to operate quietly would vastly reduce the risk of inadvertent large-scale damaging events.40

Recommendation: Encourage the establishment of national vulnerabilities equities processes

There is a common interest among all states that are conducting cyber operations—defensive or offensive—in actively assessing the risk and benefits of keeping vulnerabilities secret for exploitation. The US VEP document states that in ‘the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest’. Assuming this is true, the presence of VEP policies in many states would tend to result in more responsible disclosure and patching and therefore result in a reduced supply of vulnerabilities and exploits.

This reduced supply of vulnerabilities would raise the cost of offensive capability development and therefore restrict proliferation and reduce the use of offensive operations.

Recommendation: Promote focused operations

Unlike a kinetic weapon, for which direct consequences such as blast radius may be well understood, offensive cyber operations can easily have unintended consequences. Since states are conducting offensive cyber operations below the threshold of armed conflict, another option to limit offensive operations is to promote operations that are tightly focused so that operations do not affect innocent bystanders.

We have assessed that both the Sony Pictures and Stuxnet attacks were specific, as both affected specific targets and did not cause direct effects elsewhere (Table 1). The NotPetya and WannaCry incidents were not specific: they affected many organisations world-wide.

It is possible, therefore, to conduct focused offensive cyber operations that are specific and limit collateral damage; it is not an inherent fact of cyberspace that operations cannot be targeted and specific. To reduce the risks of collateral damage, there would be merit in promoting a norm of ‘due diligence’ for offensive cyber operations, requiring that states invest in rigorous testing to ensure that effects are contained before engaging in offensive cyber operations.

Recommendation: Measure damage for more effective responses

In addition to altering the computer vulnerability lifecycle, governments should also respond directly to cyber operations. Effective responses should be both directed against perpetrators and proportionate. Currently, both the identification of perpetrators (attribution) and the assessment of damage (to determine a proportionate response) are suboptimal. Much has been said about attribution, and this paper will not cover it further.

When state-sponsored operations such as NotPetya and WannaCry occur, there is no independent assessment of damage. An accurate accounting of harm could be used to justify an appropriately proportionate response.

NotPetya has been called ‘the most destructive and costly cyber-attack in history’.41 It seems that total cost estimates of over US$1 billion are based on collating the financial reports of public companies such as Merck,42 Maersk,43 Mondelez International44 and FedEx,45 and then adding a ‘fudge factor’ to account for all other affected entities. Publicly listed companies have formal reporting obligations, but the vast majority of entities affected by NotPetya do not, and it seems likely that the cost of NotPetya has been significantly understated.

An independent body that identifies common standards, rules and procedures for assessing the cost of cyberattacks could enable a more accurate measure of damage. The International Civil Aviation Organization’s system for air crash investigations may provide a framework.46 It assigns a role for various stakeholders, including the airline, the manufacturer, the registrar and so on. The investigation is assigned to an autonomous safety board with the task of assessing what happened, not who was at fault.47 For a cyber incident, an investigation board could include a national cybersecurity centre, the affected entity, the manufacturer of the affected IT system, relevant software developers and other stakeholders.

Using assessments of scope and seriousness to develop proportionate responses would encourage attackers to construct focused and proportionate offensive cyber operations.

Recommendation: Invest in transparency and confidence building

We have noted above that uncertainty about the effects caused by offensive cyber operations has the potential to be destabilising. State transparency in the use of offensive cyber operations could address this concern and help promote norms of responsible state behaviour.

Figure 1 shows the lifecycle of an offensive cyber capability, starting at the point that a state forms an intent to develop capability. Resources are committed; intelligence is gathered to support capability development; capability is developed; the environment is prepared (by deploying malware, for example); and finally the operation is launched and effects are observed. Crucially, there are distinct elements during this lifecycle that require operation on the public internet and are therefore potentially observable: intelligence gathering, operational preparation of the environment, and offensive cyber effects (in orange).48

Figure 1: Offensive cyber capability lifecycle

Although it is not possible to see or measure cyber weapons, to quantify them or inspect ‘cyber weapon factories’, a level of confidence-building transparency can still be achieved. Public doctrine that defines a nation’s strategic intent and its assessment of acceptable and responsible uses of offensive cyber operations would be extremely helpful.

This visibility may be sufficient to enhance confidence building as predictability is increased. Many responsible states will be reluctant to deviate from public statements regarding offensive cyber capability development because effects will possibly become visible at a later stage that will prompt incident response, forensic analysis and maybe political attribution and embarrassment.

There is already some public documentation of offensive cyber capabilities. There are unclassified doctrines, official statements and unofficial reporting on the states that have, or are developing, offensive capability. There are also voluntary national reports in the context of the UNGGE. Additionally, open source verification by research institutes, in publications such as the SIPRI Yearbook, the IISS Military Balance and the Small Arms Survey, provides authoritative and credible sources that inform policy actions by states. Finally, independent analysis and reporting from cybersecurity companies such as Symantec, CrowdStrike, BAE Systems and FireEye provides invaluable technical information. These firms also play a key role in early detection and response.

Summary and conclusion

Offensive cyber operations are defined as operations in cyberspace that manipulate, deny, disrupt, degrade or destroy targeted computers, information systems or networks; offensive cyber capabilities are the means of conducting them.

This paper has examined narrow and broad definitions of cyber weapons and found them problematic for use in control discussions.

However, a range of other measures would help limit the use of offensive cyber capabilities and reduce the risk of collateral damage when they are used:

  • Markets for the vulnerabilities that are used to create offensive cyber capabilities can be affected to make capability development more expensive. VEP processes would form one element of a broader effort to patch vulnerabilities and restrict supply.
  • Promoting the principle that offensive cyber operations should be focused and taking active steps to limit unintended consequences could limit the effects of operations on innocent bystanders, including through the promotion of the concept of ‘due diligence’.
  • Responses to cyber incidents could also be improved by better accounting of the damage incurred. A robust assessment of damage using agreed standards would enable a more directly proportionate response and would help reinforce the expectation of specific and proportionate offensive cyber operations.

Finally, increased state transparency would promote acceptable norms of behaviour. Although monitoring and verification are difficult, this paper presents an offensive cyber operation lifecycle that indicates that various stages provide some visibility, which could build confidence.


Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.

© The Australian Strategic Policy Institute Limited 2018

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers.


Australia’s Offensive Cyber Capability

FOREWORD

Yohan Ramasundara

The reality of the world we live in today is one in which cyber operations are now the norm. Battlefields no longer exist solely as physical theatres of operation, but now also as virtual ones. Soldiers today can be armed not just with weapons, but also with keyboards. That in the modern world we have woven digital technology so intricately into our businesses, our infrastructure and our lives makes it possible for a nation-state to launch a cyberattack against another and cause immense damage — without ever firing a shot.

ACS’s aim in participating in this policy brief is to improve clarity of communication in this area. For Australia, both defensive and offensive cyber capabilities are now an essential component of our nation’s military arsenal, and a necessary step to ensure that we keep up with global players. The cyber arms race moves fast, so continued investment in cyber capability is pivotal to keep ahead of and defend against the latest threats, while being able to deploy our own capabilities when and where we choose.

So, too, is ensuring that we have the skills and the talent to drive cyber capabilities in Australia. This means attracting and keeping the brightest young minds, the sharpest skilled local talent and the most experienced technology veterans to drive and grow a pipeline of cyber specialists, and in turn help protect and serve Australia’s military and economic interests.

Yohan Ramasundara
President, Australian Computer Society

What’s the problem?

In April 2016, Prime Minister Turnbull confirmed that Australia has an offensive cyber capability. A series of official disclosures have provided further detail, including that Australia will use this capability against offshore cybercriminals.

This was the first time any state had announced such a policy.

However, this commendably transparent approach to telegraphing our capability and intentions hasn’t been without challenges. In some cases, these communications have created confusion and misperceptions. There’s a disconnect between popular perceptions, typified by phrases like ‘cyber Pearl Harbor’, and the reality of offensive cyber operations, and reporting has at times misrepresented how these tools will be used. Public disclosures and the release of the report of the Independent Intelligence Review have also raised questions about how Australia will build and maintain this capability.

What’s the solution?

To reduce the risk of misunderstanding and misperception and to ensure a more informed debate, this policy brief seeks to further clarify the nature of Australia’s offensive cyber capability. It recommends improving communications, using innovative staff recruitment and retention options, deepening industry engagement and reviewing classification levels in some areas. Looking forward, the government could consider increasing its investment in our offensive capability to create an asymmetric capability; that is, a capability that won’t easily be countered by many militaries in our region.

Introduction

Governments routinely engage in a wide spectrum of cyber operations, and researchers have identified more than 100 states with military and intelligence cyber units.1

The cyber units range considerably in both their capability and their compliance with international law. Leaks have highlighted the US unit’s advanced capability, and public documents reveal its size. US Cyber Command’s action arm, the Cyber Mission Force, is building to 6,200 military and civilian personnel, or about 10% of the ADF, and for the 2018 financial year requested a US$647 million budget allocation.2 China has been widely accused of stealing enormous quantities of intellectual property. North Korea has used cyber tools to steal money, including in a US$81 million heist on the Bangladesh central bank. Russia is accused of using a range of online methods to influence the 2016 US presidential election and has engaged in a wide spectrum of actions against its neighbours, such as turning off power stations in Ukraine and bringing down government websites in Georgia and Estonia. Israel is suspected of using a cyber operation in conjunction with its bombing raid on a Syrian nuclear reactor in 2007 by temporarily ‘tricking’ a part of Syria’s air defence system to allow its fighter jets to enter Syria undetected.3

In Australia, the government has been remarkably transparent in declaring the existence of its offensive cyber capability and its applications: to respond to serious cyberattacks, to support military operations, and to counter offshore cybercriminals. It has also established robust structures to ensure its compliance with international law. Three additional disclosures about Australia’s offensive cyber capability have followed the Prime Minister’s initial April 2016 announcement. In November 2016, he announced that the capability was being used to target Islamic State,4 and on 30 June 2017 Australia became the first country to openly admit that its cyber offensive capabilities would be directed at ‘organised offshore cyber criminals’.5 The same day, the then Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, announced the formation of an Information Warfare Division within the ADF.

While these disclosures have raised awareness of Australia’s offensive cyber capability, the limited accompanying detail has meant that the ensuing public debate has often been inaccurate or misleading. One major news site, for example, led a report with the title ‘Australia launches new military information unit to target criminal hackers’.6 Using the ADF to target criminals would have been a radical departure from established protocols.

This policy brief seeks to clarify some of the misunderstandings arising from sensationalist reporting.

The report has the following parts:
1. What’s an offensive cyber operation?
2. Organisation, command and approvals
3. Operations against declared targets
4. Risks
5. Checks, balances and compliance with international law
6. Strengths and weaknesses
7. Future challenges and recommendations.

Tom Uren and Fergus Hanson on Offensive Cyber

1. What’s an offensive cyber operation?

For the purposes of this policy brief, we use a draft definition that’s being developed as part of the Department of the Prime Minister and Cabinet’s Cyber Lexicon project. It defines offensive cyber operations as ‘activities in cyberspace that manipulate, deny, disrupt, degrade or destroy targeted computers, information systems, or networks’.7 Given the range of countries with varying capabilities and using examples from open sources, offensive cyber operations could range from the subtle to the destructive: removing computer accounts or changing passwords; altering databases either subtly or destructively; defacing web pages; encrypting or deleting data; or even attacks that affect critical infrastructure, such as electricity networks.

Even though it may use the same tools and techniques, cyber espionage, by contrast, is explicitly designed to gather intelligence without having an effect—ideally without detection. The Global Commission on the Stability of Cyberspace has commissioned ASPI’s International Cyber Policy Centre to do further work on defining offensive cyber capabilities.

2. Organisation, Command and Approvals

Australia’s offensive cyber capability resides within the Australian Signals Directorate (ASD).8 It can be employed directly in military operations, in support of Australian law enforcement activities, or to deter and respond to serious cyber incidents against Australian networks. While physically housed within ASD, the military and law enforcement applications have different chains of command and approvals processes.

MILITARY

The Information Warfare Division within the Department of Defence was formed in July 2017 and is headed by the Deputy Chief Information Warfare, Major General Marcus Thompson.

Major General Thompson has presented the ADF approach to cyber capabilities as two distinct functions: cybersecurity (consisting of self-defence and passive defence9), and cyber operations (consisting of active defence and offence10).

Figure 1

The Australian Government’s offensive cyber capability sits within ASD and works closely with each of the three services, which embed staff assigned to ASD from the ADF’s Joint Cyber Unit. Offensive cyber in support of military operations is a civil–military partnership. The workforce to conduct offensive cyber operations resides within ASD and is largely civilian. Advice from Defence is that the laws of armed conflict are considered during the development and execution of operations, and that ASD personnel will act in accordance with legally approved instructions. There’s no reason to doubt that, and the Inspector-General of Intelligence and Security has noted in the context of cyber operations in support of the ADF operations in Iraq and Syria that ‘guidance in place at the time was appropriate and followed by staff, and no issues of legality or propriety were noted’.

The ability to conduct an operational planning process that takes into account the desired outcome, situational awareness and the possible range of effects is a military discipline that resides in the ADF. This arrangement is expected to continue under proposals from the 2017 Intelligence Review to make ASD a statutory authority within the Defence portfolio.

As clarified in Australia’s International Cyber Engagement Strategy, ‘Offensive cyber operations in support of [ADF] operations are planned and executed by ASD and Joint Operations Command under direction of the Chief of Joint Operations.’11 Targeting for offensive cyber operations occurs in the same manner as for kinetic ADF operations. Any offensive cyber operation in support of the ADF is planned and executed under the direction of the Chief of Joint Operations and, as with any other military capability, is governed by ADF rules of engagement.

ADF soldier undergoing Cyber training. © Commonwealth of Australia, Department of Defence.

Law Enforcement

The announcement that Australia would be using its offensive cyber capability against offshore cybercriminals created considerable confusion. Public messaging was one contributing factor: the announcement about the ADF’s Information Warfare Division bled into the same-day announcement that the government would also be using its offensive cyber capability to deter offshore cybercriminals, making them appear one and the same thing.14

While some media outlets characterised the announcement as Australia potentially attacking the whole suite of ‘organised offshore criminals’, the announcement focused only on offshore actors who commit cybercrimes affecting Australia.

Decisions on which cybercriminal networks to target follow a similar process to those for military operations, including that particularly sensitive operations could require additional approvals, although the exact processes haven’t been disclosed. Again, these operations would have to comply with domestic law and be consistent with Australia’s obligations under international law.

3. Operations against declared targets

Australia has declared that it will use its offensive cyber capabilities to deter and respond to serious cyber incidents against Australian networks; to support military operations, including coalition operations against Daesh in Iraq and Syria; and to counter offshore cybercriminals. Given ASD’s role in intelligence gathering, operations can integrate intelligence with cyber operations—a mission critical element.


4. Risks

Offensive cyber operations carry several risks that need to be carefully considered. For cyber operations in support of the ADF, as with conventional capabilities, the commander must weigh up the potential for achieving operational goals against the risk of collateral effects and damage.

When offensive cyber capabilities are used, there’s a high chance that future effectiveness might be compromised. Unlike defending against kinetic weapons, an information system might be protected from cyberattack through relatively simple measures, such as upgrades, patches or configuration changes.

Another risk is that, despite extensive efforts to disguise the origin of the attack, the Australian Government could lose plausible deniability or be identified (including contextually) as the source and face embarrassment or retaliation.

5. Checks, balances and compliance with international law

When the first public disclosure of Australia’s offensive cyber capability was made, the Prime Minister emphasised Australia’s compliance with international law: ‘The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law.’15

Interviews for this policy brief suggest that the users of the capability take compliance with domestic and international law extremely seriously. The core principles are as follows:

  1. Necessity: ensuring the operation is necessary to accomplish a legitimate military / law enforcement purpose.
  2. Specificity: ensuring the operation is not indiscriminate in who and what it targets.
  3. Proportionality: ensuring the operation is proportionate to the advantage gained.
  4. Harm: considering whether an act causes greater harm than is required to achieve the legitimate military objective.

These capabilities are subject to ASD’s existing legislative and oversight framework, including independent oversight by the Inspector-General of Intelligence and Security. However, there seems to be room for updating these provisions to account for technological developments. Section 7(e) of the Intelligence Services Act 2001, for example, authorises ASD ‘to provide assistance to Commonwealth and State authorities in relation to … (ii) other specialised technologies’—a foundation that could be strengthened for 21st-century technological applications.

When seeking approval for operations from the Minister for Defence, ASD seeks legal, foreign policy and national security advice from sources external to Defence. Every offensive cyber operation is planned and conducted in accordance with domestic law and is consistent with Australia’s obligations under international law.

6. Strengths and weaknesses

Offensive cyber capabilities have both strengths and weaknesses.

STRENGTHS

  • For military tasks, they can be integrated with ADF operations, adding a new capability and creating a force multiplier.
  • They can engage targets that can’t be reached with conventional capabilities without causing unacceptable collateral damage or overt acknowledgement.
  • They provide global reach.
  • They provide an asymmetric advantage against an adversary for a relatively modest cost.
  • They can be overt or clandestine, depending on the intended effect.

WEAKNESSES

  • Capabilities need to be highly tailored to be effective (such as the Stuxnet worm that targeted Iran’s nuclear centrifuges), meaning that they can be expensive to develop and lack flexibility.
  • When used in isolation, they are unlikely to be decisive.
  • Major, blunt attacks (such as Wannacry or NotPetya) are relatively cheap and easy, but are unusable by responsible state actors such as Australia. Achieving the appropriate specificity and proportionality requires investment of time and effort.
  • The capability requires constant, costly investment as cybersecurity evolves.
  • Government must compete for top-tier talent with private industry.
  • For operations short of ‘cyber attacks’,16 the effects can be relatively short-lasting and limited.
  • Capability can’t be showcased as a deterrent in the same way that conventional capability can, because revealing specific capability renders it redundant as defences are repaired.
  • Target development can require intensive intelligence support and can take a very long time.

7. Future challenges and recommendations

Offensive cyber operations are relatively new and developing in a fast-moving environment. Below are issues and recommendations stemming from research for this report.

RECOMMENDATION 1: CAREFULLY STRUCTURE COMMUNICATIONS TO REASSURE NATION-STATES AND ENFORCE NORMS

As Australia’s offensive cyber capability has only recently been publicly acknowledged and is subject to sensationalist reporting, careful communication is required. When he first acknowledged the capability, the Prime Minister said doing so ‘adds to our credibility as we promote norms of good behaviour on the international stage’.17 Poor communications, however, can have the opposite effect. The limited detail and mixed reporting of the announcement that Australia would use offensive cyber capability against offshore cybercriminals inadvertently sent the message that it was acceptable for states to launch cyberattacks against people overseas whom they considered to be criminals. This might encourage some states to use crime as a pretext to launch cyber operations against individuals in Australia.

To address this, the Australian Government should be careful when publicly discussing the offensive capability, particularly to distinguish the military and law enforcement roles. One option to do this would be to have the Attorney-General, the Minister for Justice or the new Home Affairs Minister discuss operations related to law enforcement aspects of the capability and to have the Minister for Defence discuss those related to military capabilities.

RECOMMENDATION 2: USE INNOVATIVE STAFF RECRUITMENT AND RETENTION OPTIONS

Recruiting and retaining Australia’s top technical talent is a major hurdle. In the medium term, ASD will have to continue to invest heavily in training, raise salaries (ASD becoming a statutory authority will help it address this) and develop an alumni network and culture that allow former staff to return in new roles after a stint in private industry. A pool of alumni working as cleared reservists could also be used as an additional workforce without the significant investment required in conducting entirely new clearances.

RECOMMENDATION 3: DEEPEN INDUSTRY ENGAGEMENT

ASD capability being deployed against cybercriminals is likely to generate increased interest from corporate Australia. There’s a policy question about whether or not Australia’s offensive cyber capability should be used in support of Australian corporate interests. Given the finite resources and the tricky situations that could arise, government should consider useful ways industry could engage, clarify the limits of industry engagement and assess how to handle industry requests to use the offensive cyber capability against actors targeting its operations.

RECOMMENDATION 4: CLASSIFY INFORMATION AT LOWER LEVELS

It has long been argued that over-classification of material, such as threat intelligence, by governments prevents easy information exchange with the outside world, including key partners such as industry. The government has recognised this and is positioning ‘Australian Cyber Security Centre (ACSC) 2.0’ to facilitate a more cooperative and informed relationship with the private sector. Similarly, the government should continue to scope the potential benefits from lowering the classification of information associated with offensive cyber operations. In particular, there are benefits in operating at the SECRET level for workforce generation and training, and providing a ‘halfway house’ to usefully employ incoming staff as they wait during vetting procedures. More broadly, excessive classification slows potentially valuable two-way information exchange with the information security community.

RECOMMENDATION 5: INVEST TO CREATE AN ASYMMETRIC CAPABILITY

The 2016 Defence White Paper noted that ‘enhancements in intelligence, space and cyber security will require around 900 ADF positions’.18 Those positions were part of the $400 million19 in spending announced in the White Paper and will be spread across the ADF. While this is significant, given the limits of what can be achieved with current spending on conventional kit, the Australian Government should consider conducting a cost–benefit analysis on the relative value of substantial further spending on cyber to provide it with an asymmetric capability against future adversaries. This would need to include a considerable investment in training.

RECOMMENDATION 6: CONSIDER UPDATING THE POLICY AND LEGISLATIVE FRAMEWORK

There appears to be sufficient legislation, policy and oversight to ensure that ASD and the ADF work together in a lawful, collaborative and cooperative manner to support military operations. The 2017 Independent Intelligence Review noted that ASD’s support to military operations is indispensable, and will remain so.

While those oversight arrangements may be sufficient for now, the ADF will inevitably need to incorporate offensive cyber on the battlefield as a way to create local effects, including force protection measures, and to deliver effects currently generated by electronic warfare (such as jamming communications technology). It should not always be necessary to reach back to the national authorities for clear-cut and time-critical battlefield decisions. There appears to be scope to update the existing policy and legislative framework that governs the employment of offensive cyber in deployed operations to support those kinds of activities.



  1. Noah Shachtman, Peter W Singer, The wrong war: the insistence on applying Cold War metaphors to cybersecurity is misplaced and counterproductive, Brookings Institution, Washington DC, 15 August 2011, online. ↩︎
  2. Michael S Rogers, Statement of Admiral Michael S Rogers, Commander, United States Cyber Command, before the House Committee on Armed Services Subcommittee on Emerging Threats and Capabilities, 23 May 2017, p. 1, online; Laura Criste, ‘Where’s the cyber money for fiscal 2018?’, Bloomberg Government, 19 July 2017, online. ↩︎
  3. Thomas Rid, Cyber war will not take place, Oxford University Press, 2013, p. 42. ↩︎
  4. Malcolm Turnbull, ‘Address to parliament: national security update on counter terrorism’, 23 November 2016, transcript, online. ↩︎
  5. Malcolm Turnbull, ‘Offensive cyber capability to fight cyber criminals’, media release, 30 June 2017, online. ↩︎
  6. ‘Cyber warfare: Australia launches new military information unit to target criminal hackers’, The Australian, 30 June 2017, online. ↩︎


Reaction isn’t enough. Australia should aim at preventing cybercrime

Australia’s cyber capabilities have evolved rapidly, but they are still largely reactive, not preventative. Rather than responding to cyber incidents, Australian law enforcement agencies should focus on dismantling underlying criminal networks.

On 11 December, Europol announced the takedown of 27 platforms that offered distributed denial of service (DDoS) attacks for hire, and the arrest of multiple administrators. Such a criminal operation allows individuals or groups to rent DDoS attack capabilities, which enable users to overwhelm targeted websites, networks or online services with excessive traffic, often without needing technical expertise.

The takedown was a result of Operation PowerOFF, a coordinated and ongoing global effort targeting the cybercrime black market. While the operation has demonstrated the evolving sophistication of international law enforcement operations in tackling cyber threats, it has also exposed persistent gaps in Australia’s cyber enforcement and resilience. To stay ahead of the next wave of cyber threats, Australia must adopt a more preventative approach combining enforcement with deterrence, international cooperation, and education.

Operation PowerOFF represents a shift in global cybercrime enforcement, moving beyond traditional reactive measures toward targeted disruption of cybercriminal infrastructure. Unlike previous efforts, the operation not only dismantled illicit services; it also aimed to discourage future offenders, deploying Google and YouTube ad campaigns to deter potential cybercriminals searching for DDoS-for-hire tools. This layered strategy—seizing platforms, prosecuting offenders and disrupting recruitment pipelines—serves as a best-practice blueprint for Australia’s approach to cybercrime.

The lesson from Operation PowerOFF is clear: Australia must shift its cyber strategy from defence to disruption, ensuring that cybercriminals cannot operate with impunity.

One of the most effective elements of Operation PowerOFF is its focus on dismantling the infrastructure of cybercrime, rather than just arresting individuals. By taking down major DDoS-for-hire services and identifying more than 300 customers, Europol and its partners effectively collapsed an entire segment of the cybercrime market.

This strategy is particularly relevant for Australia. Cybercriminal operations frequently exploit weak legal frameworks and enforcement gaps in the Indo-Pacific region. Many DDoS-for-hire services, ransomware networks and illicit marketplaces are hosted in jurisdictions with limited enforcement capacity, allowing criminals to operate across borders with little fear of prosecution.

Australia must expand its collaboration with Southeast Asian law enforcement agencies on cybercrime, ensuring that cybercriminal havens are actively targeted rather than passively monitored. Without regional cooperation, Australia risks becoming an isolated target rather than a leader in cybercrime enforcement.

Beyond enforcement, Australia must integrate preventative strategies into its cybercrime response. The low barriers to entry for cybercrime mean that many offenders—particularly young Australians—are lured in through gaming communities, hacking forums and social media.

Targeted digital deterrence, including algorithm-driven advertising campaigns, could disrupt this pipeline, steering potential offenders toward legal cybersecurity careers instead of cybercrime. An education-first approach, combined with stronger penalties for repeat offenders, will help prevent low-level offenders from escalating into hardened cybercriminals, while helping to ensure that those cybercriminals face consequences.

Australia’s cybercrime laws must also evolve to address the entire cybercriminal supply chain, not just the most visible offenders. Operation PowerOFF showed that cybercrime is not just about the hackers who launch attacks, but also the administrators, facilitators, and financial backers who enable them.

Australian law enforcement should target financial transactions supporting cybercrime, using crypto-tracing and forensic financial analysis to dismantle cybercriminal funding networks. Harsher penalties for those who fund or facilitate DDoS-for-hire services could create a more hostile legal environment for cybercriminal enterprises, ensuring that they cannot simply relocate to more permissive jurisdictions. At the same time, youth diversion programs should be expanded, offering first-time cyber offenders rehabilitation options rather than immediate prosecution, preventing them from becoming repeat offenders.

Operation PowerOFF’s success is a win for international cybercrime enforcement, demonstrating that proactive, intelligence-driven disruption can dismantle even the most entrenched criminal networks.

But it is also a warning: without continuous vigilance, cybercriminals will regroup, rebrand, and relaunch. Australia must act now to strengthen its cyber enforcement, combining international cooperation, legal reform and preventative education to ensure that cybercriminals see Australia as a hostile environment for their activities, not a soft target.

In case we forgot, Typhoon attacks remind us of China’s cyber capability—and intent

Australians need to understand the cyber threat from China.

US President Donald Trump described the launch of Chinese artificial intelligence chatbot, DeepSeek, as a wake-up call for the US tech industry. The Australian government moved quickly to ban DeepSeek from government devices.

This came just weeks after the Biden administration stunningly admitted on its way out of office that Chinese Communist Party hackers were targeting not just political and military systems but also civilian networks such as water and health. The hackers could shut down US ports, power grids and other critical infrastructure.

These incidents remind us that China has the intent, and increasingly the capability, to seriously challenge US and Western technology advantage. Australia will be an obvious target if regional tensions continue to rise. It must be well-prepared.

As ASPI’s Critical Technology Tracker highlights, China’s advances in critical technologies have been foreseeable for some time. US and Western confidence is manifesting as complacency.

DeepSeek has emerged as a cheap, open-source AI rival to the seemingly indomitable US models. It could enable Chinese technology to become enmeshed in global systems, perhaps even in critical infrastructure.

Meanwhile, Chinese hackers have stealthily embedded themselves in US critical infrastructure, potentially enabling sabotage, or the coercive threat of sabotage, to extract something Beijing wants. The two main perpetrators of these operations are Salt Typhoon and Volt Typhoon. The Chinese government backs both.

Salt Typhoon’s infiltration of at least nine US telecom networks has enabled CCP-sponsored hackers to geolocate individuals and record phone calls, directly threatening personal privacy and national security. This devastating counterintelligence failure includes the identification of individuals that US agencies suspect are agents working for China. It also enables CCP surveillance and coercion of US nationals and Chinese dissidents.

If anything, Volt Typhoon poses a greater threat, with covert access to critical infrastructure networks. Each reinforces the dangers of the other.

Some US officials involved in the investigation have said the hack is so severe, and the networks so compromised, that the United States may never be sure the intruders have been fully rooted out.

Both operations demonstrate sophisticated stealth. In particular, Volt Typhoon’s technique of living off the land, in which intruders remain in a system for long periods using that system’s own tools and resources, made detection harder. It could gain outwardly legitimate access without needing malware. This reveals an intent to map and maintain access to critical systems, not for immediate destruction, but for whenever best serves Beijing’s interests. In this sense, it can be seen as a precursor to war.
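Living off the land is hard to catch with malware signatures because nothing malicious is written to disk; what remains observable is behaviour that deviates from a known baseline. As an added illustration that is not part of the original article, the following Python sketch scores process-creation records against two simple baselines: an OS-native tool launched by a parent process that never normally launches it, and an account acting outside its usual hours. The log format, the tool watchlist, the baselines and the sample events are all constructed for this example and describe no real environment.

```python
"""Behavioural detection sketch for living-off-the-land activity.

Added illustration: log format, tool watchlist, baselines and sample events
are constructed for this example and do not describe any real environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, roughly as a SIEM would normalise it."""
    host: str
    user: str
    hour: int      # local hour of day, 0-23
    parent: str    # parent process image name
    image: str     # created process image name


# Constructed watchlist: OS-native tools that leave no malware on disk
# but are frequently used once an intruder holds legitimate credentials.
WATCHLIST: Set[str] = {"powershell.exe", "wmic.exe", "certutil.exe", "net.exe"}

# Constructed baseline: parents that normally launch each tool in this
# hypothetical environment (an operator's shell, a monitoring agent, ...).
EXPECTED_PARENTS: Dict[str, Set[str]] = {
    "powershell.exe": {"explorer.exe", "cmd.exe", "monitoring-agent.exe"},
    "wmic.exe": {"monitoring-agent.exe"},
    "certutil.exe": {"certsrv.exe"},
    "net.exe": {"cmd.exe"},
}

# Constructed baseline: hours during which each account is normally active.
EXPECTED_HOURS: Dict[str, range] = {
    "svc-monitor": range(0, 24),   # automation account, always on
    "alice": range(8, 19),         # day-shift operator
}


def score_event(ev: ProcEvent) -> List[str]:
    """Return the baseline deviations for one event (empty list = quiet)."""
    findings: List[str] = []
    tool = ev.image.lower()
    if tool not in WATCHLIST:
        return findings
    # Deviation 1: a native tool started by a parent that never starts it.
    if ev.parent.lower() not in EXPECTED_PARENTS.get(tool, set()):
        findings.append(f"unexpected parent {ev.parent} for {ev.image}")
    # Deviation 2: the account is acting outside its normal hours.
    hours = EXPECTED_HOURS.get(ev.user)
    if hours is None:
        findings.append(f"no baseline for account {ev.user}")
    elif ev.hour not in hours:
        findings.append(f"{ev.user} active at {ev.hour:02d}:00, outside baseline")
    return findings


def triage(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Aggregate findings per host; hosts with several deviations rank highest."""
    by_host: Dict[str, List[str]] = {}
    for ev in events:
        for finding in score_event(ev):
            by_host.setdefault(ev.host, []).append(finding)
    return by_host


# Constructed sample telemetry: two routine administrative actions, then a
# quiet credential-based session on an operator workstation that uses only
# native tooling, launched from a web-server worker at 02:00.
SAMPLE_EVENTS = [
    ProcEvent("ops-ws-01", "alice", 10, "explorer.exe", "powershell.exe"),
    ProcEvent("ops-ws-01", "svc-monitor", 3, "monitoring-agent.exe", "wmic.exe"),
    ProcEvent("scada-hmi-07", "alice", 2, "w3wp.exe", "powershell.exe"),
    ProcEvent("scada-hmi-07", "alice", 2, "w3wp.exe", "net.exe"),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

No file hash or antivirus signature would fire on any of these four events, because every image is a legitimately installed binary; only the departure from the environment's own baseline (who runs what, from where, and when) separates the third and fourth events from the first two. That is why the article's point about living off the land translates, for defenders, into an investment in telemetry and baselining rather than in more signatures.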

The focus on critical infrastructure underscores how malicious cyber operations can undermine national resilience during peacetime and crises and sow doubt about a government’s ability to safeguard its people. Through these operations, adversaries could influence a target country’s decisions as leaders avoid taking any action that might provoke disruption or sabotage.

Australia’s intelligence agencies are aware of these risks. Australia’s director-general of security, Mike Burgess, warned in his 2024 annual threat assessment that ‘the most immediate, low cost and potentially high-impact vector for sabotage [by foreign adversaries] is cyber’. This was reinforced in his 2025 assessment when he declared that ‘foreign regimes are expected to become more determined to, and more capable of, pre-positioning cyber access vectors they can exploit in the future.’ He warned that we’re getting closer to the threshold for ‘high-impact sabotage’.

The Australian Signals Directorate has been improving preparedness and resilience. It has helped Australian organisations to defend themselves and mitigate prepositioning and living-off-the-land techniques. ASD has also been building offensive capabilities needed to impose costs on attackers.

We must avoid the traps China sets as it seeks global information dominance. First, we can’t be complacent. It’s unsafe to assume that the US and its allies will remain decisively better than China, and that we can counter whatever Beijing can do. Second, we must reject the viewpoint that ‘everyone spies so it would be hypocritical to condemn China’, as it is a false moral equivalence. Third, we must avoid arguing that there isn’t a present threat just because Beijing doesn’t have the intent to go to war today. This wishful thinking is a dangerous mistake. If we fall into these traps, we present Beijing with more time and render ourselves incapable of advancing our interests.

Chinese capabilities are strong and growing, and the way they are being used by the CCP demonstrates clear malign intent. This should be pushing elected governments to take protective action and prepare for future cyber operations.

The reluctance to see the threats in the information domain as equal to traditional threats is a decades-old mistake that must be corrected. We need to minimise our dependence on China for technology.

Stop the World: Building cyber resilience with Lieutenant General Michelle McGuinness

In this episode of Stop the World, ASPI’s Executive Director Justin Bassi speaks with Australia’s National Cyber Security Coordinator Lieutenant General Michelle McGuinness CSC to discuss her role and how it helps protect Australians online.

LTGEN McGuinness explores the dual role that the National Office of Cyber Security plays in preparing for and responding to increasing cyber incidents, the importance of building resilience to respond efficiently and effectively to them, and how preventative measures such as using multi-factor authentication can mitigate over 80 percent of cyber risks.

Justin and LTGEN McGuinness also discuss the role that attribution plays in deterring malicious cyber activity and how attribution can improve mitigation strategies, drive norms and establish that Australia does not tolerate unacceptable behaviour in cyberspace.

Guests: 

Lieutenant General Michelle McGuinness

Justin Bassi