Offensive Cyber-Capabilities: How and When Should They Be Used?

In recent history, numerous books and films have explored the destructive potential of pervasive technology on human lives. As the world grows increasingly reliant on the internet to manage day-to-day life, including critical services, these concerns are more relevant than ever. Sam Curry, CSO at Cybereason, notes: “To tell where the physical world ends and the cyber-world begins is impossible as the transition between the two has become so blurred as to be meaningless. The world of the 2020s is very different in that regard from previous decades.”

This reliance has given malicious actors, ranging from criminal groups to state-sponsored actors and terrorists, opportunities to inflict significant damage via digital channels. The consequences for civilian populations can be severe: the December 2015 attack on Ukraine’s power grid, linked to the Russian state, left around 230,000 people without electricity for several hours.

As incidents of this nature continue to rise, many nation states are adopting the maxim ‘attack is the best form of defense’ by developing the ability to conduct offensive cyber-strikes of their own against adversaries. Israel, for instance, is believed to have been behind a number of offensive operations in recent years, including (reportedly together with the US) the Stuxnet attack on an Iranian nuclear facility, while GCHQ disclosed in 2018 that the UK had conducted a major offensive cyber-campaign against the terrorist group ISIS.

In November 2020, the UK government put its offensive cyber-approach on a more formal footing by publicly announcing the creation of the National Cyber Force, which the UK’s defense minister said will provide the option “to launch offensive cyber-weapons against our adversaries, or against other areas that currently pose a threat.”

An offensive strategy is also firmly on the radar of the US government. The high-profile compromises of FireEye and SolarWinds at the end of 2020, attributed at the time to a Russian state-backed actor, elicited the following response from then President-elect Joe Biden: “A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber-attacks in the first place.”

An important question therefore needs to be asked: is having offensive capabilities a necessary means of combatting the threat posed by malicious actors, or can it do more harm than good?

The Argument for Offensive Capabilities

In the view of Robert Hannigan, chairman of BlueVoyant and former director of UK intelligence agency GCHQ, it is essential that nation states such as the UK and US have their own offensive cyber-capabilities to adequately deal with the current threat landscape. “For criminal groups, we need offensive capabilities that cut them off from the money they hope to make, disrupt their activities and help law enforcement to trace them where possible,” he says. “Against nation states and terrorists, we need capabilities that disrupt their operations, deny them space and, where appropriate, expose their activities. Showing the world what they are doing is a key part of any strategy to raise the cost for them.”

Peter Yapp, partner at Schillings and former deputy director at the National Cyber Security Centre (NCSC), broadly welcomes the UK’s recent announcement regarding a national cyber-force, noting it is “a good thing to bring this all together in one place to have all the right players drawn from the appropriate agencies and military all under one command.” According to Yapp, if used well, this approach can alter the behavior of rogue states without resorting to overt military means when diplomacy does not have the desired effect, thereby de-escalating tensions. He outlines: “You can launch an offensive cyber-campaign and the only people who know about it are those being attacked, and it might be in the receiving state’s interest to keep really quiet about it. It might just send a message that hasn’t got through via diplomatic means or through sanctions.”


Certainly, many diplomatic attempts to reduce cyber-attacks emanating from nation state actors have failed to achieve their objectives, suggesting that stronger action is required. For example, in December 2018 the UK publicly attributed to the Chinese government a malicious cyber-campaign by the threat group APT10, which targeted intellectual property and sensitive commercial data in Europe, Asia and the US. This was in breach of both recent G20 commitments and a previous bilateral agreement between the UK and China on IT-enabled theft of intellectual property.

While offensive strikes would need to be highly targeted, the enhanced knowledge and tools that government agencies in countries like the US and UK now possess mean that this is something that is eminently achievable. “You can go on the offensive, with a high confidence in who you’re going after; you can stop potential threats, or turn potential adversaries into a neutral target just like you would any weapon,” comments Morey Haber, CTO and CISO of BeyondTrust.

Reasons for Caution

Nevertheless, there are a number of reasons for concern when it comes to conducting offensive cyber-strikes. The first is the potential for collateral damage when tools are used against an adversary, even when the operation is highly targeted. The WannaCry outbreak of 2017 demonstrated how a self-propagating attack can spread far beyond any plausible target set, in that case knocking out health services in the UK. Haber highlights: “When something goes wrong it becomes obviously uncontrolled and attacks whatever it can. Those are typically associated with worms or bots using a vulnerability exploit combination.”

Yapp adds: “The chances of collateral damage are always high and that’s got to be a consideration when the state takes on this kind of role.”

There is also the potential for offensive actions to escalate tensions between countries, possibly even causing military conflict to break out. “Escalation is a real risk. It is most likely to happen by accident, for example a state-linked ransomware attack that gets out of control and ends up harming people. That would put pressure on the victim country to retaliate,” notes Hannigan.

While the development of such capabilities may be done with the best of intentions, such as to de-escalate tensions and deter malicious actors, there may be the temptation for governments to use it as a means of pursuing their own geo-political goals rather than for purely defensive purposes, which could serve to ratchet up tensions. Curry says: “We need to make sure that we do not engage in cyber-adventurism in ways that we would not or should not in a classic military sense.”


A further consideration is the possibility that the wrong target could be attacked, particularly when strikes are made in retaliation for a cyber-attack. In many situations, it is difficult to accurately identify the perpetrators of such incidents. The sanctions introduced by the EU against Russia in 2020 for the 2015 attack on the German parliament show how long confident attribution can take. Yapp says: “I can’t see a military force waiting that long, but they’re going to have to be very sure about it if they are attacking someone in retaliation for something, that they’ve got it right and that it isn’t a false flag.”

Another major concern is that sophisticated offensive weapons developed by nation states may be leaked and end up in the hands of malicious actors, whether by accident or design. Brian Honan, CEO, BH Consulting, highlights WannaCry, which spread using the EternalBlue exploit for a Windows SMB vulnerability, published by the Shadow Brokers after the alleged theft of NSA tools; Microsoft had patched the flaw (MS17-010) some two months before the outbreak, so the damage fell largely on systems that had not applied the update.

“Weapons developed in cyberspace can be leaked, have been leaked and no doubt, in the future, will be leaked. In turn, they will be exploited by those with less scruples or with a criminal intent,” Honan outlines.

Mitigating the Risks

Despite these concerns, there is now a degree of inevitability about the development of offensive cyber-capabilities by nation states. Worryingly however, there is little in the way of international rules and consensus governing how and when such weapons should be used. Curry states: “The complexity arises as we determine new norms for how to engage. Most nations have defensive and offensive capabilities in the military realm, but there is also detente and accountability on use. We have, in other words, established how and when violence is used for the most part. The same is not true for cyber.”

It is therefore very important that responsible nation states work on developing a set of international norms for cyber-conflict, much as conventional war is governed by the Geneva Conventions, in order to mitigate the risks. The term ‘Digital Geneva Convention’ was coined by Microsoft, and Yapp would like to see such an agreement in place to protect civilian populations. “There should be some kind of international process for dealing with cyber-attacks that are aimed at civilian populations, and some mechanism that can be brought to bear,” he says.

Honan adds: “Cyber-warfare and cyber-offensive capabilities are not just a computer security issue, this is about our society, our future and therefore we need to have clear and open debate at national and international levels as to what the norms are in this area and then build it to the parameters.”

Yapp acknowledges, however, that getting “outlier” countries, such as Iran, North Korea, China and Russia, to accept such norms, will be difficult.

As well as the establishment of international norms, responsible governments should put in place their own procedures to ensure cyber-strikes are conducted responsibly; in particular, that they are highly targeted and have minimal impact on the civilian population. Yapp believes that before an attack is made, a “theoretical test” should be undertaken to understand how it may affect the general populace. “We’ve moved on a long way from what was done in World War II, where in order to destroy the morale of a country, you would bomb out the cities and kill loads of civilians,” he explains. “We’re not in that place anymore, so I think the question that has to be asked is: does this affect the civilian population?”

Additionally, when strikes are conducted, safeguards should be put in place to ensure governments remain in full control of the situation. In the view of Haber, this includes strikes being conducted from a “safe” environment. “You will stand it up in a location in the cloud or somewhere else that’s isolated because you don’t want it to backfire on you.” He adds: “You should also have your own type of kill switch, your own type of backdoors to stop it.”

The plans by the UK government to develop a national cyber-force with offensive capabilities highlight a trend that looks to be set in stone over the coming years. Inevitably, as malicious actors increasingly launch cyber-attacks on major targets, governments around the world will look to develop their own cyber-attack mechanisms to strike back as well as disrupt general operations of groups and states that threaten them.

There are clearly a number of dangers associated with this, not least the potential for huge damage to civilian populations and escalation of tensions. It is therefore critical that safeguards are put in place to minimize such risks, both at international and national levels, to set out the circumstances in which strikes are made and how they are conducted.

Ultimately, however, while such capabilities may have benefits in certain scenarios, such as disrupting the activities of terror and other threat groups, and could be an alternative to military conflict when tensions reach a particularly high level, defense over attack should remain a priority; in particular, securing vulnerabilities across vital national networks and services. Honan concludes: “These capabilities should very much be a last resort. We would be much better investing time, money and resources in ensuring that our critical network infrastructure is as secure as it can be in the first place.”
