Offensive Cyber Capabilities Research Articles

Review: 2017 Strategic Trends in the Global Cyber Conflict

The present paper reviews the main strategic trends in cyber policy and security for 2017, pointing out the emergence of a new Cyber Escalation Cycle: while states are investing significant resources to improve their offensive cyber capabilities, these capabilities are subsequently being stolen, publicized and used by hostile countries to launch devastating cyber-attacks. This has led governments to pursue legislation that controls incoming technology and changes the technological relations between countries. Given the development of enhanced capabilities and the effectiveness of the attacks, we believe that leakage followed by immediate use of the leaked offensive cyber weapons against rival countries will only increase, making this issue even more contentious.

Cyber Proxies and Their Implications for Liberal Democracies

Over 30 countries are pursuing offensive cyber capabilities, Director of U.S. Intelligence James Clapper testified in 2016.1 That’s a fivefold increase compared to only six years earlier when the U...

Challenges and opportunities in cyber weapon norm construction

Over the past two decades, cyber weapons have become a topic of increasing scholarly attention. The spread of offensive cyber capabilities among state and non-state actors has given rise to calls for more formal procedures concerning their acquisition, use and transfer. Despite Stuxnet being the only cyber weapon to date demonstrating destructive capability in theatre, there has been widespread unease among public and private actors. The spread of offensive cyber capabilities among state and non-state actors has given rise to calls for more formal procedures concerning their acquisition, use and transfer. However, even against the background of potentially far-reaching effects on civilian and economic infrastructures, consensus on how to regulate cyber weapons appears hard to come by. Jacqueline Eggenschwiler and Jantje Silomon of the University of Oxford explore the opportunities related to cyber weapons norm construction, examining the academic literature and policy documents and detailing the challenges.

Warring from the Virtual to the Real: Assessing the Public's Threshold for War on Cyber Security

Are military strikes ever a justifiable response to a cyber security attack? Does the certainty of attribution matter? Or the nature of the attack itself a better determinants of attitudes about retaliation? We answer these questions with an original survey experiment that uncovers the public's response to varying intensities and degrees of attribution regarding a range of cyber attacks. In a democratic setting, how the public responds to different types of cyber attacks has important implications, as it shapes the incentives for whether and how leaders to respond with the use of force. It therefore has significant implications for a world with increasing offensive cyber capabilities and only nascent international norms in a governing them.

Combating Complexity: Offensive Cyber Capabilities and Integrated Warfighting

Despite recent work challenging offense dominance in cyberspace, scholars and policymakers still view offensive operations as dominating defense. Why do these sides come to very different conclusions about the nature and utility of offensive cyber capabilities? Disagreements are due to a poor specification of the logic of offense dominance and scope conditions. Offensive advantage is taken as axiomatic, generalizable to every instance of conflict. Advantage is then assumed to directly translate into battlefield effectiveness. Operations should instead be viewed as an interaction between offense and defense. Defensive actors have agency and the role of countermeasures in imposing cost and delay on attackers is under-theorized. Design and deployment processes are complex, costly, and vulnerable. Attacks against high-value targets require significant time, skill, and information. Operational complexity is even greater when cyber operations are properly understood in integrated war-fighting.

INTERNATIONAL SECURITY COMMUNITY AT THE CROSSROADS

INTERNATIONAL SECURITY COMMUNITY AT THE CROSSROADS

The Short Life and Quick Death of Cyber Deterrence (How I Learned to Stop Worrying and Love Cyber)

In 2015, the United States took three significant steps to developing a cyber deterrence policy. In April, the Department of Defense released the DoD Cyber Strategy. At the same time, President Obama issued an Executive Order authorizing sanctions against cyber actors. And in December, the White House released its long-anticipated cyber deterrence policy. Specifically, the White House policy is built on a two-element strategy of deterrence by denial; and deterrence through cost imposition. Unfortunately, the White House policy does little to address or answer the thorny questions raised by the reality of today's cybersecurity environment. First, the policy relies on traditional notions of deterrence that may have been effective in prior nuclear and non-nuclear contexts, but it ill-suited to cybersecurity. Second, the policy focuses primarily on defensive strategies and does not confront the reality and likelihood of offensive counter-operations. Third, insomuch as deterrence is a public relations communications strategy and psychological game backed by capability and credibility, the United States has a poor track record of deterring cyber-attacks.To understand this problem, my research begins with a brief historical review of the development of deterrence theory, in particular as it relates to conventional war and the Cold War. Next, I turn to the development of cyber deterrence as a strategy of the American government, and in particular, recent efforts by the United States to define a cyber deterrence policy. In that light, I examine the White House cyber deterrence policy from a historical and critical perspective, and especially given the distinct characteristics that distinguish cyber deterrence from traditional deterrence. Finally, this paper will discuss whether deterrence is even a reasonable strategy in the cyber environment.Ultimately, this paper concludes that the current synthesis of cyber deterrence is unworkable and ought to be scrapped. As a result, cyber deterrence as an overall public relations strategy should be de-emphasized as part of an aggressive cyberspace strategy that acknowledges both defensive and offensive capabilities. To be sure, sub-components of the current policy, like strengthening networks to reducing the incentive to conduct cyber-attacks, are laudable goals that the United States should continue to pursue. However, relying on deterrence by denial as a publicly communicated strategy to discourage attacks has failed, and continues to fail with each new attack. Instead, American efforts should focus on improving attribution, not as a deterrent measure, but to allow policy makers the ability to respond to attacks with offensive cyber capabilities.

International Convention for the Peaceful Use of Cyberspace

Cyber weapons now are an extension of state power. In hopes of gaining a strategic advantage, many countries including the United States, Russia and China are developing offensive cyber capabilities to disrupt political, economic, and social institutions in competitor nations. These activities have led to a cyber arms race that is spiraling out of control. This imminent global threat challenges the international community to be proactive. The purpose of this article is to propose an international convention to throttle the development, proliferation and use of cyber weapons before they cause electronic Armageddon. We begin by examining three successful efforts in arms control and use the lessons learned to draft a convention that can serve as a starting point for formal multilateral negotiations.

Sex and Death in the Rational World of Defense Intellectuals

Sex and Death in the Rational World of Defense Intellectuals