Cyberspace has emerged as a major new domain of national and international security. Some states are now communicating more openly on their approaches to offensive cyber.
The number of public avowals by states of their intent to develop and, where necessary, use offensive cyber capabilities is on the rise. A 2022 study reported that 37 states have established cyber units or commands, albeit each with different mandates and composition. There may of course be more that are yet to publicly acknowledge these capabilities. ‘Cyber’ is also now a warfighting domain for several states, as well as for NATO. States clearly recognize the importance of cyberspace as an arena of state competition, and the potential it holds for strategic gain. In 2015, for example, China’s State Council stated in a white paper that ‘cyberspace has become […] a new domain of national security’, and in 2018 the commander of United States Cyber Command (USCYBERCOM) remarked that ‘the locus of the struggle for power has shifted towards cyberspace’. In the United Kingdom, the 2021 Integrated Review referred to the UK concept of ‘cyber power’.
Yet, as Kello has found, ‘there is perhaps no other domain of security in which researchers know so little about so much activity’, as ‘much relevant cyber activity occurs beyond the ability of researchers to [analyse] or even observe’. At the same time, hyperbole and militaristic rhetoric, not only on the part of the media and government officials but also within academic circles, continue to hinder a better understanding of the utility and risks of offensive cyber activity. For example, the high end of the spectrum in terms of the damage and destruction that may be caused is regularly in focus, even where there is evidence that such operations are rare. This focus may also serve to overemphasize the risks of escalation and conflict (which some have argued can become a self-fulfilling prophecy) due to its simplistic nature and the ease with which it is accepted. Much has been written about the ‘militarization of cyberspace’, but less has been said about the militarization of the conversation itself. References to offensive cyber capabilities as a deterrent also persist, notwithstanding repeated challenges to deterrence theory as an inappropriate and ineffective paradigm through which to inform cyber policy. At the same time, the risks to international security posed by use of offensive cyber remain contested in the wider cyber discourse, with a stark divide between those who argue for cyber restraint and those who advocate for cyber persistence.
Recently, however, some states have sought to shed more light on their approaches in this area, marking an important step in lifting the veil on offensive cyber. A more in-depth exploration of how some democratic states currently assess the utility and risks of their own use of offensive cyber is therefore now possible. In the author’s view, these two elements of the debate are pivotal, given the divide in the discourse over escalation risks in cyberspace, and the regular – and largely untested – platitudes employed to describe the utility of offensive cyber. At the same time, the perceived utility of using or maintaining offensive cyber capabilities can inform risk appetite, so the two issues go hand in hand.
This paper therefore seeks to explore these two core issues through a series of interviews with cyber experts from nine NATO states, alongside an analysis of the existing cyber literature and of national cyber strategies which have been made public. In particular, this study will also assess an important but as yet under-studied indicator: how and at what level states authorize the use of offensive cyber operations. This can help to shed light on how states perceive the risks of use.
It is hoped that this paper can serve as a resting place in which we can take stock of what we now know of these key matters at this stage in offensive cyber history, and how some states seek to manage offensive cyber activity. A study of more states also helps to broaden the debate beyond the US-centric context of much of the cyber discourse. At the same time, it is hoped that states will continue to shed more light on these matters themselves, moving away from the historic secrecy that has clouded a more informed understanding of offensive cyber activity. As has been revealed in the parallel processes at the United Nations’ Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG), taking stock, at a given point in time, of where there are similarities in states’ approaches can be instructive in revealing whether and how states have matured in identifying and addressing certain issues, and where there may be a reluctance to adapt over time. An assessment of this nature can also contribute to strengthening efforts to shape responsible state behaviour in cyberspace.
More detail on the interview process and the core question set for the interviews is included in Annexes 1 and 2. As is often the case with research papers, the interview process was at times as revealing as the answers provided. Some of the interviewees remarked how the question set had ‘stretched them to their limit’ in terms of considering and framing their responses, while others reported that the questions had been distributed to others in their respective departments in an effort to engender more informed discussion and consideration of the issues.
Terminology
The author defines ‘offensive cyber operations’ as any cyber activity which can have an effect on a computer system or network, or the information held on it. For example, this effect could be realized by manipulating data, or by denying access to, disrupting, degrading or destroying the computer system or its data. It is acknowledged that the branding of such activity as ‘offensive’ may not reflect the true intent or nature of such operations, since, as others have pointed out, there is a vast difference between offensive cyber activity to thwart an ongoing or impending harm and offensive cyber activity which is used to initiate hostilities or harm. For simplicity’s sake, however, the author adopts the overarching term of ‘offensive cyber activity’ in which the above range of activity is included, whether above or below the threshold of armed conflict.
This paper is not concerned with cyber-enabled espionage or computer network exploitation (CNE), both of which are passive operations that seek to observe or obtain information without having an ‘effect’ per se. Indeed, misunderstandings and misplaced rhetoric about ‘cyberattacks’ in relation to espionage operations often obstruct a properly informed understanding of this area. That is not to say that cyber-enabled espionage cannot have a significant effect, for example if used for intellectual property theft, or for the release of information which may undermine the institutions of rival states or economic security. However, that is beyond the scope of this paper.