13 July 2018

Defining offensive cyber capabilities


States are developing and exercising offensive cyber capabilities. The United States, the United Kingdom and Australia have declared that they have used offensive cyber operations against Islamic State,1 but some smaller nations, such as the Netherlands, Denmark, Sweden and Greece, are also relatively transparent about the fact that they have offensive cyber capabilities.2 North Korea, Russia and Iran have also launched destructive offensive cyber operations, some of which have caused widespread damage.3 The US intelligence community reported that as of late 2016 more than 30 states were developing offensive cyber capabilities.4

There is considerable concern about state-sponsored offensive cyber operations, which this paper defines as operations to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.

It is assumed that common definitions of offensive cyber capabilities and cyber weapons would be helpful in norm formation and discussions on responsible use.

This paper proposes a definition of offensive cyber operations that is grounded in research into published state doctrine, is compatible with definitions of non-kinetic dual-use weapons from various weapons conventions and matches observed state behaviour.

In this memo, we clearly differentiate offensive cyber operations from cyber espionage. We address espionage only in so far as it relates to and illuminates offensive operations. Only offensive cyber operations below the threshold of armed attack are considered, as no cyber operation thus far has been classified as an armed attack, and it appears that states are deliberately operating below the threshold of armed conflict to gain advantage.5

This paper examines the usefulness of defining cyber weapons for discussions of responsible use of offensive cyber capabilities. Two potential definitions of cyber weapons are explored—one very narrow and one relatively broad—before we conclude that both definitions are problematic and that a focus on effects is more fruitful.

Finally, the paper proposes normative courses of action that will promote greater strategic stability and reduce the risk of offensive cyber operations causing extensive collateral damage.

No comments: