The development and use of offensive cyber capabilities requires a sophisticated and appropriately tailored strategy, with consideration for how both effect and risk are measured and mitigated, and clear links to legal authorities. States must also do more to assess where the true utility of offensive cyber operations lies.
A historical lack of transparency, combined with ongoing ‘cyber hyperbole’ relating both to the utility and risks of use of offensive cyber operations, has clouded a more informed understanding of such operations. Many states have at last started to take steps to alleviate concerns over the invisibility of cyberspace by publishing details of why they seek to develop these capabilities, and in what circumstances they may have been used thus far. National laws can also reveal how their use is authorized and governed, helping to shed light on their circumstances for use and states’ perceptions of risk in this area. Given the broader concerns and divide in the discourse over risks of inadvertent harm and escalation, these details are important.
How responsible actors set the scene going forward will not just set precedents for adversaries. In addition, smaller states whose current focus may be restricted to cyber counter-attacks and defensive capabilities are likely to observe and learn from the actions of bigger cyber powers when developing their own offensive cyber capabilities. Even if one concludes that offensive cyber capabilities are not inherently escalatory, cyberspace is nonetheless fundamentally different to other so-called ‘domains’. As explored in this paper, offensive action in cyberspace carries a very different nature and scale of risk, and may have consequences that reach much further, such that the development and use of offensive cyber capabilities require a sophisticated and appropriately tailored strategy. How both effect and risk are measured and mitigated constitutes a critical element of a well-defined, meaningful cyber strategy, together with clear links to legal authorities for cyber activity.
Given the residual ambiguity on the true utility of using offensive cyber capabilities, set against a significant divide in the discourse as to risks of escalation, offensive cyber tools may be better understood and portrayed as one lever of state power among others, rather than a magical solution to a whole range of challenges. In some situations they may be the least risky or the least damaging option, but in others they may be highly destabilizing or escalatory, depending on the context and the nature of the target. Further, offensive cyber operations in peacetime may have utility as a versatile means of projecting both hard and soft power, and may sometimes demonstrate clear advantages over other methods, but too few states have yet publicly articulated this in sufficient detail. There is a risk that the ‘silver bullet’ of offensive cyber is touted as a possible solution to a wide variety of challenges, and its versatility asserted to be sufficient justification for use, while downplaying the reality – that successful cyber operations are the work of long-term, tailor-made operations with only a brief window for success and with considerable associated risks. While offensive cyber operations may become more routine or ‘normalized’, states should also be wary of using them as a tool of choice, or the default option. An overzealous acceptance of the supposed benefits of offensive cyber as a ‘silver bullet’ solution does not account for the fact that different contexts require very different responses and/or alternative tools.
States must therefore do more to assess where the true utility of offensive cyber operations lies, so as to justify their use when it matters, moving away from overly broad generalizations in relation to versatility and employability. At the same time, complacency as to the power and effect of the chosen operations should be avoided. This is particularly important, as offensive cyber gradually becomes ‘normalized’ as more states establish military cyber commands or units, or publicly avow their offensive cyber capabilities. Reliance on offensive cyber capabilities must also not be at the expense of other means of soft power including restraint and influence, which may prove more effective depending on context. Consideration of other tools or methods is all the more important in light of the lack of clarity in whether and how states measure the short- and long-term effects of offensive cyber operations.
Possession of offensive cyber capabilities, in and of itself, does not appear to have effective deterrent value in cyberspace below the level of a use of force – the arena in which the majority of today’s cyber activity takes place. Assumptions about the deterrence value of offensive capabilities in cyberspace must therefore not be at the expense of ensuring effective cyber defence and resilience. Cyber strategies must provide meaningful assessment of the value of offensive cyber capabilities, avoiding default references to poorly understood ‘deterrence’.
This study has shown that many democratic states continue to keep a firm hold over their use of offensive cyber, and require authorization at high levels, suggesting that how and when these capabilities are used are likely to be only in extremis. This may be due to several reasons, not least a reluctance to reveal the nature or extent of states’ offensive cyber capabilities, but it nonetheless appears that concerns over risks of use remain. Clear authorization mechanisms at the highest levels are important to project a clear commitment to control over and responsible use of these capabilities. Clarity remains critical in respect of authorities, including how, and under what circumstances, they may be delegated – if at all.
States can, and should still, do more to give meaningful detail as to how they manage and measure risks of use, to inform the broader discourse on responsible state behaviour in cyberspace. Specifically addressing the risks of use publicly in this way can boost the credibility of those states whose stated intentions are to adhere to international law and norms of responsible state behaviour in cyberspace. This would also enable a better understanding of the meaning of ‘responsible use’ of cyber capabilities.
While cyber strategies rightly focus on cyber threats stemming from adversaries, internal measures of effect stemming from states’ own use of offensive cyber are equally important. The extent to which states have clear methods to measure the effectiveness of cyber activity in pursuing strategic aims is therefore important. States could add transparency in this regard by making clear the importance of adopting measures of effect, even if their content is not made public. This is particularly important for those states who routinely (or seek to routinely) use offensive cyber capabilities in peacetime, particularly in the long term. For those states which may seek to adopt a persistent engagement posture in cyberspace, for example, it may be more challenging to establish metrics for success beyond achieving a short-term ‘win’. Some have suggested that there may be no way of assessing whether more engagement will reduce the likelihood of conflict, and have highlighted the dangers of ‘positive feedback’ in this regard. States should therefore establish internal metrics that measure both short- and long-term effect, taking into account a wide range of factors and indicators.
Above all, cyber strategies must meaningfully articulate how the development and use of offensive cyber capabilities aligns with a commitment to a secure cyberspace for all.
Policy recommendations
The following recommendations are designed to assist states in establishing or developing their approaches to use of offensive cyber by outlining key priority areas. As states differ in their offensive cyber capacity and policy objectives, these are intended to be broad achievable guidelines for all democratic states.
- States must continue to move away from the historic secrecy that has clouded an informed understanding of offensive cyber activity. This will require more – and continuing – transparent communication as to the basis for use and management of offensive cyber capabilities, which can be achieved without compromising operational security.
- A more nuanced understanding of the utility and value of offensive cyber capabilities should be fostered across government at the national level. Use of offensive cyber is neither a ‘silver bullet’ solution nor a matter of ‘one size fits all’, as whether and how an offensive cyber operation should be used will depend on context. Offensive cyber activity must not become the default or ‘go-to’ offensive method of choice; nor must it be used to pursue lesser national interests that have little strategic importance in peacetime.
- States should prioritize where and how offensive cyber can serve deterrence postures in cyberspace, rather than relying on overly broad assumptions about this means of deterrence, which may be unrealistic in practice and may come at the expense of cyber resilience. States should determine whether deterrence through cyberspace should instead focus on specific threats in specific circumstances.
- All planning must include steps to mitigate the risk of inadvertent harm and escalation when using offensive cyber capabilities. This should include an assessment of how the intended effect will contribute to strategic goals rather than limited short-term tactical objectives, and the risk of broader effects, unintended effects or collateral damage, in cyberspace and in other domains. States should consider different methods of communicating intent appropriately to an adversary, so as to minimize misinterpretation. Policymakers must also be assisted in understanding technical risk in cyberspace.
- Clear authorization mechanisms at the highest levels should be maintained for offensive cyber operations, to demonstrate a measurable commitment to control over the use of such capabilities. Decisions as to use of offensive cyber operations should also involve broader cross-government or inter-agency input. The invisibility of cyber activity is all the more reason for robust independent oversight of these activities, with consideration being given to whether certain types of offensive cyber activity require prior notification to oversight bodies and an ongoing assessment as to whether the oversight mechanisms are fit for purpose as capabilities and strategic priorities evolve. At the same time, oversight committees must have sufficient understanding of the mechanics of offensive cyber operations.
- Clear, ongoing methods to measure both short- and long-term effects, including but not limited to strategic, political and physical effects, should be established, particularly for states which may in due course seek to engage more routinely in cyberspace, in ways akin to persistent engagement. States must also make clear that such methods exist, even if the details remain closed. Specifically addressing the risks of use more publicly can also boost the credibility of those states whose stated intentions are to adhere to international law and norms of responsible state behaviour in cyberspace. All offensive cyber activity should include an assessment of how the intended operation may support norms of responsible state behaviour in cyberspace more broadly and what precedent – good or bad – it may set for both allies and adversaries.
- Cyber strategies must include specific recognition of the need to secure a balance between an open and secure cyberspace for all, on the one hand, and the need to use offensive cyber capabilities, on the other. Maintaining a trusted and secure internet should be prioritized above using offensive cyber capabilities. Both objectives are achievable if offensive cyber capabilities are used responsibly, and if the meaning of ‘responsible use’ is properly articulated, defined and communicated.