
Should We Unleash Private Companies for Cyber Offence?

The year is 2030. Australia’s Cyber Security Strategy has delivered on its promise. Six cyber shields protect the nation. ASD’s offensive capability, tripled by a $9.9 billion investment, hunts threats before they reach our networks. Cyber Command operates as a mature warfighting domain. Ransomware groups have learned that targeting Australian businesses means their infrastructure gets dismantled, their payments get traced, and their operators get sanctioned. Cybercriminals still exist, but they have learned to look elsewhere. Australia is not worth the cost.

That is the vision the Strategy set out to achieve. The question is whether government cyber offence, as currently scoped, can get us there.


The reality today is sobering. According to ASD’s latest Annual Cyber Threat Report, Australia received over 84,700 cybercrime reports last year, one every six minutes. ASD responded to more than 1,200 cyber incidents, an 11 percent increase on the year before. The average cost of cybercrime for large businesses surged 219 percent in a single year, reaching $202,700 per incident. Across the economy, cybercrime costs Australia an estimated $30 billion annually.

To be clear, our government agencies are producing results. The AFP and ASD, operating jointly under Operation Aquila, helped disrupt LockBit in Operation Cronos. LockBit was responsible for roughly a quarter of all global ransomware attacks. After the disruption, its ransom payments collapsed 79 percent in the second half of 2024. Australia imposed its first-ever cyber sanctions against the Medibank attacker. It dismantled the LabHost phishing platform that had victimised 94,000 Australians. These are genuine operational achievements.

But the current model assigns business a purely defensive role. The Strategy’s six shields focus on resilience, not disruption. Under Australian law, offensive cyber operations remain the exclusive domain of government. ASD responded to 1,200 incidents out of 84,700 reports. The gap between government capacity and threat volume is not a failure of effort. It is a challenge of scale.

Figure 1 from the 2023-2030 Australian Cyber Security Strategy: six concentric shields, from strong businesses and citizens at the centre out to resilient region and global leadership.


We have already seen what becomes possible when a cybersecurity company goes beyond intelligence sharing. Sophos’s “Pacific Rim” operation was a five-year counter-offensive against state-linked threat actors. Rather than simply reporting attacks, Sophos took over attacker command-and-control infrastructure. It deployed monitoring on adversary research devices. It watched threat actors write exploit code in real time, burning years of capability before it could be weaponised. It worked because Sophos coordinated with law enforcement throughout and operated within existing legal boundaries.

“To raise the adversary’s cost, burn the adversary’s capability.” (Sophos CISO Ross McKerchar)


Pacific Rim is a proof of concept. It shows that private sector organisations can conduct meaningful offensive disruption when given the operational space to do so. The question Australia has not yet answered is whether we are willing to build a framework that enables that kind of action more broadly. Not just when a vendor is defending its own products, but as a coordinated national capability directed at the ransomware gangs and criminal networks targeting Australian businesses every six minutes. The intelligence already flows from industry to government. What is missing is a pathway for the private sector to do more than inform. A regulated, transparent framework to actively participate in disruption alongside government. Clear legal authority. Defined boundaries. Proper oversight.

Does the government need to provide clarity on permissible and non-permissible Active Cyber Defence in the Australian context?

The government has already opened this conversation. The July 2025 “Charting New Horizons” discussion paper explicitly asks whether Canberra needs to clarify the boundaries of permissible active cyber defence. ASD Director-General Abigail Bradshaw has credited “the maturation of our offensive cyber capabilities” for recent operational successes. The logical next step is extending that maturation beyond government. Build a framework where private sector capability can be brought to bear on criminal threats, under the same kind of coordination and oversight that made Pacific Rim effective.


This is not a call for unregulated hack-back or cyber vigilantism. It is a call for Australia to build the legal and operational architecture that turns private sector intelligence into private sector action. The 2030 Strategy envisions Australia as a world leader in cyber security. Achieving that means bringing the private sector from the shield wall into the fight.

All opinions my own, and not those of any employer.
