In both UK and US military doctrine, offensive operations are a distinct subset of cyberspace operations that also include defensive actions intelligence surveillance and reconnaissance and operational preparation of the environment-non-intelligence enabling activities conducted to plan and prepare for potential follow-on military operations. Such action can support deterrence by communicating intent or threats.’ 7 UK doctrine further notes that ‘cyber effects will primarily be in the virtual or physical domain, although some may also be in the cognitive domain, as we seek to deny, disrupt, degrade or destroy.’ They can be used to inflict temporary or permanent effects, thus reducing an adversary’s confidence in networks or capabilities. UK military doctrine defines offensive cyber operations as ‘activities that project power to achieve military objectives in, or through, cyberspace. One category of offensive cyber operations that US doctrine defines is ‘cyberspace attack’-actions that manipulate, degrade, disrupt or destroy targets. US military joint doctrine defines offensive cyber operations as ‘operations intended to project power by the application of force in and through cyberspace’. Offensive cyber operations use offensive cyber capabilities to achieve objectives in or through cyberspace. In general, capabilities are the building blocks that can be employed in operations to achieve some desired objective. What are capabilities? In the context of cyber operations, having a capability means possessing the resources, skills, knowledge, operational concepts and procedures to be able to have an effect in cyberspace. We first define operations and capabilities to clarify the language used in this report.
This section examines definitions of offensive cyber capabilities and operations in published military doctrine and proposes a definition consistent with state practice and behaviour. Two potential definitions of cyber weapons are explored-one very narrow and one relatively broad-before we conclude that both definitions are problematic and that a focus on effects is more fruitful.įinally, the paper proposes normative courses of action that will promote greater strategic stability and reduce the risk of offensive cyber operations causing extensive collateral damage. This paper examines the usefulness of defining cyber weapons for discussions of responsible use of offensive cyber capabilities. Only offensive cyber operations below the threshold of armed attack are considered, as no cyber operation thus far has been classified as an armed attack, and it appears that states are deliberately operating below the threshold of armed conflict to gain advantage. We address espionage only in so far as it relates to and illuminates offensive operations. In this memo, we clearly differentiate offensive cyber operations from cyber espionage. This paper proposes a definition of offensive cyber operations that is grounded in research into published state doctrine, is compatible with definitions of non-kinetic dual-use weapons from various weapons conventions and matches observed state behaviour. It is assumed that common definitions of offensive cyber capabilities and cyber weapons would be helpful in norm formation and discussions on responsible use. There is considerable concern about state-sponsored offensive cyber operations, which this paper defines as operations to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks. 3 The US intelligence community reported that as of late 2016 more than 30 states were developing offensive cyber capabilities. 2 North Korea, Russia and Iran have also launched destructive offensive cyber operations, some of which have caused widespread damage. The United States, the United Kingdom and Australia have declared that they have used offensive cyber operations against Islamic State, 1 but some smaller nations, such as the Netherlands, Denmark, Sweden and Greece, are also relatively transparent about the fact that they have offensive cyber capabilities. States are developing and exercising offensive cyber capabilities.