Washington’s 2026 cyber strategy normalises offensive operations


The most consequential line in Washington’s new Cyber Strategy isn’t about defence. Released in early March 2026, the document makes clear that the United States intends to use offensive cyber operations as a routine instrument of statecraft, not a last resort reserved for crisis.

But this is an evolution rather than a rupture. Washington has been moving in this direction for some time. Since the 2018 Department of Defense Cyber Strategy, the US Cyber Command has operated on the logic of ‘persistent engagement’, treating cyberspace as a domain of continuous competition. This continued under the Biden administration’s 2023 National Cybersecurity Strategy. So, this isn’t just a change under President Donald Trump. The reality is that behaviour has seemingly outpaced doctrine.

What is new is the candour. Offensive cyber operations are now being placed explicitly in the foreground as a shaping tool in day-to-day statecraft, rather than being tucked behind a predominantly defensive frame. What the new strategy does is align policy language with established practice and lower the rhetorical threshold for future use. The key operational line in the strategy is its commitment to ‘deploy the full suite of US government defensive and offensive cyber operations’ to ‘detect, confront, and defeat cyber adversaries before they breach [US] networks and systems.’ That is pre-emptive disruption, not simply reactive defence.

It sits alongside a broader push in Washington to treat cyber insecurity as both a national-security and an economic-stability problem. It aligns with the 2026 National Defense Strategy and the focus on deterring and defeating cyber threats. It’s also complemented by a 6 March executive order targeting cybercrime, fraud and transnational scam networks.

But the document’s significance goes beyond government operations. Its language about ‘unleashing the private sector’ to identify and disrupt adversary networks points towards a more permissive environment for private-sector disruption. Many will read that as edging towards hack-back tactics, where a target of a cyberattack counterattacks the attacker’s systems. That is the most legally fraught part of the strategy. In the US, such activity remains heavily constrained beyond a company’s own networks, yet the strategy’s tone potentially points towards a more aggressive public–private cyber posture.

For allies such as Australia, that matters. Australian firms operating in US markets or US firms operating critical infrastructure in Australia could find themselves exposed to expectations or practices that sit uneasily with Australian law, regulatory settings and escalation thresholds. But any call to strengthen the domestic legal underpinnings of offensive cyber may be less relevant when focussing on private firms.

The alternative approach is to encourage private institutions to work with government when their own infrastructure is being exploited for malicious purposes, and to deploy their existing terms of service to neutralise the ability of threat actors to operate on their platforms and networks.

Washington is not alone in shifting towards more proactive cyber postures. Japan’s adoption of ‘active cyber defence’ legislation in 2025 has enabled authorities to identify and disrupt hostile infrastructure pre-emptively in some circumstances, reflecting a broader trend of moving away from passive network defence.

Australia is not behind. The Australian Signals Directorate has publicly acknowledged offensive cyber capabilities, and its A$9.9 billion investment under its Redspice capability blueprint demonstrates political commitment to expanding them. ASD doctrine makes clear that such operations are government-authorised and governed by principles of necessity, proportionality and specificity, orienting across a spectrum from disruption to denial.

These capabilities were demonstrated through Operation Aquila, an ASD-AFP joint operation that uses offensive cyber capabilities to identify and disrupt Australia’s highest-priority cybercriminal threats. In February 2025, it delivered coordinated cyber action against Zservers, a Russian bulletproof hosting provider that hosted the data stolen in the 2022 Medibank Private breach and provided infrastructure to LockBit ransomware. The offensive action enabled sanctions by Australia, the US and Britain, while Dutch authorities seized Zservers-owned infrastructure in Amsterdam. The operation illustrates how law-enforcement and coordinated partner action can be sequenced into major disruption campaigns.

For Canberra, then, the question isn’t simply whether to follow Washington’s lead. Australia’s legislative framework does not provide the same public clarity around offensive cyber authority as its partners are now pursuing. Its operations are also deeply intertwined with Five Eyes relationships. Publicly articulating doctrine does not necessarily strengthen deterrence if it risks exposing potential legal uncertainty, narrowing allied operational flexibility or revealing too little to influence adversaries while inviting domestic scrutiny.

The near-term priority for Australia could instead be to strengthen coordination frameworks with allies, focusing on areas where cooperation is already lawful, strategically useful and capable of serving as a practical test bed. Countering transnational cybercrime is the clearest opportunity. The Aquila model offers a replicable template for regional partners and, where possible, expanding cooperation with private-sector platforms. Such action allows Australia to expand its disruption toolkit, strengthen partnerships and demonstrate effects, while more complex questions about authority, oversight and escalation may take longer to resolve.


