The rapid development of cyber capabilities for a range of purposes, including for offensive cyber operations, risks leaving behind considerations of how they can be effectively managed.
How states perceive the utility or value of developing and maintaining offensive cyber capabilities is critical, as this informs not only how states may seek to use them, but also how they may manage or mitigate any associated risks of use. For example, where the utility of a capability is very high, the user may take a more risk-acceptant attitude to using it. And in many instances, cyber capabilities have been rapidly developed before policy or doctrine can catch up. This is a concern, as enthusiasm for the perceived operational versatility of offensive cyber ‘tools’ may serve to dominate the demand for capability development, while methods for ensuring effective management of their use are deprioritized.
Versatility
Some states highlight the utility of offensive cyber primarily for military purposes: to preserve the ability to counter-attack or retaliate in cyberspace. Norway, for example, emphasizes its use in supporting tactical operations, including contributing to NATO operations or coalitions with allies. Other states explicitly highlight the utility of offensive cyber for a broad range of purposes, including following, attributing, warning about and actively counteracting digital threats before incidents occur, in situations of peace, crisis and armed conflict.
In addition, cyber capabilities were cited as an ‘enabler’ for information operations. Aside from military use, in the case of two states in particular that were considered in the research for this paper, offensive cyber is also used to counter criminal activity. In the UK, the National Cyber Force (NCF) states, for example, that it may engage in offensive cyber activity in order to interfere with a terrorist’s mobile phone, or to help prevent cyberspace from being used for serious crime such as fraud and child sexual abuse, while also keeping UK military aircraft safe from being targeted. In the US, USCYBERCOM can also use offensive cyber operations against foreign ransomware actors.
The range of potential targets and activities is particularly clear in Canada’s legislation. Canada’s Communications Security Establishment (CSE) is mandated to conduct foreign cyber operations, both ‘active’ and defensive. The CSE Act reveals that the CSE has the power to conduct ‘active cyber operations’, ‘to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security [interests]’. Canadian active cyber operations can be used ‘to disrupt the capabilities of foreign threats to Canada, such as: foreign terrorist groups, foreign cyber criminals, hostile intelligence agencies [or] state-sponsored hackers’. Defensive cyber operations can be used to defend Government of Canada systems, as well as systems of importance to the Government of Canada, against foreign cyber threats by taking online action. Such foreign cyber operations may include ‘any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity’. Foreign cyber operations are depicted as having considerable utility, both as a focused and a supporting activity for a wide range of threats.
Another key theme in the responses to the interviews conducted for this paper was that cyber operations are often viewed as a substitute for the use of force in peacetime, in that they can be used to affect national sources of power without conducting an armed attack or triggering conflict. This is in keeping with much of the literature on the subject. The ability this affords many states to pursue foreign policy objectives is perceived as one of the key reasons why offensive cyber has real value for some states. An interview with a representative from USCYBERCOM confirmed this view, for example: the utility of offensive cyber capabilities lies in enabling strategic effect without entitling the adversary to use force in self-defence, coupled with a unique ability to modulate the level of impact in a way that is not possible with kinetic operations. Similarly, in an interview with the then commander of UK Strategic Command (UK STRATCOM), offensive cyber was explained as a means by which a message can be sent, so as to manage strategic rivalries. Sally Walker, former cyber director at the UK’s Government Communications Headquarters (GCHQ), reported in a Sky News podcast that the UK sees cyber operations as being ‘about what you can do from a distance at relatively low risk […] you can have impact in the real world and you can do it at scale’. Offensive cyber activity is thus often viewed both as a strategic alternative to war and as having value on the battlefield.
Further, the UK has recently given more public detail on how the NCF seeks to deliver a ‘doctrine of cognitive effect’ through cyber operations, which seeks to affect adversaries’ abilities in three main ways: first, to affect their ‘ability to acquire, analyse and exploit the information they need to advance their objectives’; second, to ‘limit their ability to communicate and coordinate with others’; and third, to ‘affect their confidence in their digital technology and the information it is providing them’. The UK is clear that offensive cyber activity can also achieve effects in more subtle ways, below the level of the use of force.
Cyber limits
While states rightly highlight the value of offensive cyber in the ways set out above, less attention is publicly paid to its limitations – or, to put it another way, what offensive cyber is not. It is important that any perception of the versatility of offensive cyber capabilities as ‘silver bullets’ does not diminish awareness of their limitations. While offensive cyber operations may have utility in armed conflict, and in peacetime, as a means of projecting both hard and soft power, understanding their limitations is important so as to avoid an over-reliance on offensive cyber capabilities at the expense of other levers of power.
For example, as Smeets has highlighted, while many more states now publicly avow their offensive cyber capabilities, very few are actively using them to any significant effect, suggesting that in fact their utility may be more limited than previously assumed. The requirement for highly tailored, target-specific capabilities, dependent on reliable and often painstaking intelligence, also makes building effective offensive cyber capabilities a challenge, particularly in wartime. The few publicly known examples of offensive cyber operations used in conjunction with conventional kinetic activity on the battlefield are difficult to assess in terms of how decisive they have been in determining the outcome of an operation. For example, according to Maschmeyer, four out of the five cyber operations conducted by Russia in Ukraine between 2014 and 2022 produced no measurable strategic value, and Russia’s resort to kinetic, conventional war in 2022 was in part precisely because its ongoing cyber activity against Ukraine was failing to achieve strategic goals. There are also a number of other views which seek to highlight the limits to the military potential of offensive cyber. As the UK chief of the General Staff noted, for example, in 2022, ‘you can’t cyber your way across a river’.
Offensive cyber capabilities are also not a ‘one size fits all’ capability, and can take considerable time, effort and intelligence to construct and employ effectively. For example, offensive cyber capabilities used by the UK are reported to have been ‘highly tailored and system specific’. Successful cyber operations appear in reality to be painstaking, highly tailored efforts with only a brief window of opportunity for success. Their military utility therefore remains an open question. And below the level of armed conflict, other studies have argued that ‘empirical evidence for this cyber revolution remains scarce’ as cyber operations are hampered by a so-called ‘operational trilemma’ that restricts their value, making them ‘too slow, too low in intensity, or too unreliable to provide significant utility’.
Deterrence
Several states have published cyber strategies which mention the deterrent value of offensive cyber capabilities. The Netherlands, for example, bases its Defence Cyber Strategy on deterrence, as ‘the operational capabilities of the Defence Cyber Command contribute to the arsenal of deterrence means available to the government’. Belgium and Denmark also cite deterrence as a key justification for developing offensive cyber capability, while the Norwegian Defence Commission reported in 2021 that both ‘defensive and offensive cyber operations can act as a deterrent and affect an adversary’s perception of vulnerability and opportunity for retaliation’. Yet most states give little detail as to how or why offensive cyber capabilities may serve as a deterrent in or through cyberspace. While public statements to this effect may be scarce for a variety of reasons, a more nuanced internal understanding of this area is important, as assumptions about the deterrent value of offensive cyber may serve, for example, to downplay the importance of cyber resilience.
There has also been rigorous academic challenge to the application of deterrence theory to cyberspace. For example, Harknett’s conclusions that ‘using a legacy construct of deterrence, whose measure of effectiveness is the absence of action, to explain an environment of constant action will not prevent adverse actions in cyberspace’ are now well rehearsed among cyber experts. It is clear that conventional deterrence theory does not sit well in cyberspace and there is significant evidence and scholarship that offensive cyber operations do not, on their own, necessarily deter, particularly below the threshold where most day-to-day cyber competition takes place.
It is also challenging to establish metrics as to whether deterrence is working. States may refrain from conducting more destructive offensive cyber operations due to a combination of concerns, including the risk of collateral damage and/or strategic blowback. The inherent uncertainties of cyber operations in terms of second- and third-order effects are also likely to constrain activity. Examples may include the US reluctance to retaliate against Iran in response to the 2013 distributed denial-of-service (DDoS) attacks on US banks and the US decision not to conduct offensive cyber operations against Libya in 2011 given fears of the precedent this would set. According to Kaminska, the muted responses of the UK to the WannaCry attacks of early 2017 also show how states seek to minimize risk in their responses.
It is likely that, in what has been termed the ‘deterrence gap’, states may increasingly realize that deterrence in cyberspace works, but only above a certain threshold of harm. In other words, deterrence works to prevent widespread destructive cyberattacks by nation-states, but day-to-day low-level harmful cyber activity below this level continues undeterred, as most offensive cyber activity takes place below the threshold of armed conflict and ‘[falls] well short of threats to infrastructure’. While there have been some known cases of malicious state-sponsored cyber activity on critical infrastructure, for example during the Iran–Israel so-called ‘tit-for-tat’ cyberattacks in 2020 (which included cyberattacks on water management facilities and port facilities), on the whole targets are of minor value and/or the disruption or harm is only temporary. Offensive cyber operations that amount to a use of force under international law remain scarce.
A more rigorous analysis of the deterrent value of offensive cyber capabilities is therefore important. The UK’s National Cyber Strategy 2022 acknowledges that ‘our approach to cyber deterrence does not yet seem to have fundamentally altered the risk calculus for attackers’. The US ‘defend forward’ strategy, set out in a case study below, is also premised on the notion that deterrence does not work in cyberspace below the threshold of armed conflict. The US 2022 National Defense Strategy speaks of ‘integrated deterrence’, focusing on using diplomatic, economic and military tools in combination rather than as standalone mechanisms, hinting at a shift in how some states are perceiving the deterrent value of cyber capabilities on their own. The UK has also outlined a more detailed position recently on the relationship between cyber activity and deterrence, stating that its NCF ‘may also potentially contribute to deterrence’, but highlighting that it is important to distinguish ‘between deterring cyber activity, or using cyber effects to deter other activities’ and that ‘[while] evidence is limited for cyber operations being a primary contributor to deterrence, they can form a secondary or supporting element in an integrated approach’. There is a need for a more nuanced approach, which addresses what it is that states seek to deter and by whom, and which incorporates other levers of power and influence outside cyberspace. The US 2018 Department of Defense Cyber Strategy, for example, specifically refers to deterring ‘malicious cyber activities that constitute a use of force against the United States’ (emphasis added).
In conclusion, a better understanding of the utility of offensive cyber capabilities should be fostered within states. Despite all the rhetoric as to versatility and possible range of effect, we are essentially none the wiser as to where offensive cyber activity may have best effect or may be best utilized. Overly blunt interpretations of the advantages of offensive cyber may increase the likelihood that such activity becomes a default or ‘go-to’ offensive method of choice, particularly in the context where these capabilities become ‘normalized’ as more states adopt them. A more complex balancing act may be required to assess the trade-offs or benefits the cyber operation may bring, set against the risks of use, as explored in the following chapter. This would not only help to avoid any complacency as to their power and utility, but can also help, for example, to reinforce the need to consider other ‘tools in the toolbox’, as different strategic contexts will demand different capabilities and responses. Offensive cyber may not always be the best answer to a given problem. In this way, states can also ensure they consider how offensive cyber can be used in line with a commitment to responsible state behaviour in cyberspace.
Finally, national cyber strategies should also account for the limitations surrounding the application of deterrence theory in cyberspace, rather than making broad generalizations as to the value of offensive cyber as a deterrent in its own right. Whatever conclusions one may reach as to the efficacy of deterrence in or through cyberspace, it is also important that they do not come at the expense of other critical aspects of cyber strategy such as enhanced cyber resilience and/or cyber defence. An over-reliance on the deterrent value of offensive cyber capabilities may bring a false sense of security, or perpetuate the so-called ‘cybersecurity dilemma’.