While there is no evidence at present that the persistent engagement strategy has contributed to significant instability in cyberspace, ‘defend forward’ and persistent engagement have not been without criticism. In cyberspace there is no such thing as no man’s land. Analogies with patrolling in no man’s land therefore do not transfer across well to cyberspace in terms of justifying offensive cyber activity beyond one’s own networks. Persistent engagement has been criticized as a ‘very high-risk approach’ which ‘ignores the potential for unwanted effects that could prove to be highly destabilizing in an already volatile international security environment’. The commander of the French Cyber Defence Command (Comcyber) also recently warned of concerns over ‘relatively aggressive’ US cyber operations on European networks to counter Russian intrusions. Goldsmith and Loomis argue that ‘defend forward’ could provoke bilateral escalation, leaving the US worse off given its high digital dependencies, or even global escalation, as it uses methods which mirror the very same operations it seeks to counter.
Yet those who advocate for persistent engagement hope that cyber operations will become a normal and agreed part of state competition, as ‘a doctrine of active mitigation may be less escalatory than one of restraint’. As Schneider explains, defend forward is based on the assumption that the ‘constant use of cyber operations inures states to cyber incidents and, therefore, decreases emotional or strategic incentives to respond to cyber operations with escalation’. In an interview in 2021, the then commander of UK STRATCOM presented persistent engagement as legitimate activity which can contribute to stability in cyberspace, as long as it is moderated and modulated effectively and a continuing internal dialogue as to its effectiveness or otherwise is maintained.
It is also important to note that many experts do not share the view that cyberspace presents an environment that is inherently escalatory. Escalation dynamics in cyberspace remain contested, and some maintain that in fact offensive cyber operations may have de-escalatory functions, for a variety of reasons. For example, the covert nature of offensive cyber operations is said to provide ‘escalatory off-ramps’. Cyber operations can also be used to act as a pressure-release valve – unlike overt kinetic operations, which result in destruction to one degree or another – and can also be reversible (unlike the physical effects of a kinetic strike) by restoring denied access to a system or network, or by removing malicious code, making them less likely to cause escalation. In mid-2019, for example, after Iranian forces shot down a US Navy Global Hawk surveillance drone, the Trump administration chose to respond using offensive cyber capabilities rather than airstrikes. Cyber activity is also said to be more akin to attrition as opposed to being escalatory.
As for states themselves, however, it is not always clear to what extent they consider or assess these risks. To that end, this paper considers two key indicators to explore whether and how states not only perceive risk but seek to manage it.
A measure of last resort?
One way of analysing how states perceive the risk of using offensive cyber capabilities is to look at how some states have indicated that offensive cyber activity may only be used as a measure of last resort, although this is not always communicated officially. The Netherlands sees use of offensive cyber capabilities as the exception, rather than the rule. An interview with a representative of the Dutch Defence Cyber Command revealed that a key consideration is political risk, which may be much harder to determine than physical or collateral risk in the style of conventional military planning. Belgium’s offensive cyber aspirations are still in their relative infancy, with the government having only announced its intention to integrate offensive cyber capabilities into its military in 2020, but its 2021 Cybersecurity Strategy states that the Belgian military will deploy offensive cyber capabilities during ‘national crises’ to ‘neutralize’ attacks, suggesting a specifically defence-oriented approach, in which such tools are only used in extremis – for example in an armed conflict, or for counter-attack purposes outside an armed conflict.
Similarly, Canada’s legislation contains a notable provision that foreign cyber operations will only be used where the ‘objective of the cyber operation could not reasonably be achieved by other means’, indicating that foreign cyber operations are seen as a strategic capability to achieve outcomes that other tools could not achieve in a sufficiently timely or effective manner, for example against cybercriminals or terrorist groups that are beyond the jurisdiction or reach of Canadian law enforcement agencies. Lastly, the Czech Republic’s Act No. 150/2021 on Military Intelligence states that the Czech Military Intelligence Service can carry out ‘active intervention in cyberspace’ if there is a ‘threat to important interests of the state to a large extent’ and the cyberattack or threat is ‘imminent’ and ‘cannot be averted in cooperation with the armed forces […] and [is] the only possible way to avert them’. These approaches suggest that some states remain cautious as to the conditions under which offensive cyber may be used.
Authorization mechanisms
Examining several states’ authorization mechanisms for use of offensive cyber – where these have been made public – can also be instructive in illustrating the extent to which states consider offensive cyber operations to carry political and/or operational risk, both in peacetime and in armed conflict.
Table 1 indicates that the nine NATO states investigated for this paper maintain authorization for offensive cyber operations at the highest levels. This may reflect an anticipation of risk from conducting offensive cyber activity, as these states appear to retain a close hold over their offensive cyber capabilities. Explicit recognition of these risks is lacking in cyber strategies, but Table 1 suggests that such recognition exists nonetheless.