Following the revelation by UK defense secretary Philip Hammond that he was developing offensive cyber capabilities, Dr. Jarno Limnell, director of cyber security for Stonesoft, a McAfee Group Company argues the need for more transparency.
Cyberspace, the fifth dimension of warfare, has become an important arena for armed forces and world politics, especially since we are living in a time in which the lines between war and peace have blurred. In this context, it should have come as no surprise to anyone when defense secretary Philip Hammond declared that the UK is developing offensive cyber capabilities.
The announcement will hopefully also encourage others to become more transparent in their capabilities to carry out offensive cyber-attacks. However, governments and militaries globally remain very silent even though a lot of activities are likely to be happening behind the scenes.
Earlier this year, the US has announced it is forming 13 offensive cyber units capable of attacking other states. As General Keith Alexander said, "I would like to be clear that this team, this defend-the-nation team, is not a defensive team." Australia, Turkey, Israel, France and India, just to name few, have also unofficially emphasized the importance of possessing offensive cyber capabilities. It would be naïve to think other countries are not doing the same.
Even if the ongoing cyber arms race is not good for world peace, it is understandable.
Offensive cyber weaponary
Cyberspace has now grown to become a domain where strategic advantage - national, industrial or military - can be lost or won. In most countries it is not popular, or even desirable, to publicly talk about offensive cyber weaponry. However, it has now become necessary to explain the logic of offensive cyber capabilities to the general public.
There are four main reasons behind the need for developing offensive weapons:
- Firstly, if you want be a credible player today both on the military battlefield and in world politics, you must have offensive capabilities, just as you must have defensive capabilities and the ability to be resilient. You simply cannot have a credible cyber defense without offensive abilities.
- Secondly, in order to achieve and raise your deterrence, you must possess offensive capabilities. The ability to act offensively includes a strong preventive message to others, provided they understand it and believe it. Offensive capabilities represent the key components of deterrence.
- Thirdly, offensive thinking and weaponry are vital in creating a stronger and credible defense. With only "defensive thinking" you will not succeed. Without the ability to act as an attacker, no country can build an effective and credible cyber defense.
- Finally, agility and the concept of operations for smart defense is a vital component of modern warfare. Just by being defensive, you will never achieve your objectives, regardless of how comprehensive your grand defensive doctrine is. In some cases, as it has been in the past, attack is the best defense.
Even if we understand and accept offensive cyber capabilities as part of today´s reality, there are looming developments which also have to be taken seriously. At the moment there is a lot of suspicion in the global playing field, founded in the fact that countries do not know the power of each other's cyber capabilities. In contrast, it is totally different ballgame compared to the physical world where others' capabilities are usually well documented. The result is a significant drive in the acceleration of the cyber arms race.
As cyber capabilities develop to form part of a nation´s overall deterrence, merely talking about offensive cyber weapons in general terms, without revealing or even demonstrating your capabilities, will not advance deterrence.
Just as with kinetic weapons, your adversaries must know the weaponry you possess. It seems that in the next couple of years, nation-states will expose their offensive cyber capabilities more openly in order to enhance their deterrent effect. Nation-states will demonstrate their capabilities by organising exercises and simulations which will be openly reported, and the effects of some offensive capabilities will be disclosed. However, in all likelihood this will not be enough.
And that is worrisome.
Although we're at the earliest stages of understanding all the aspects of cyber reality, we already know that countries have to be not only more open about their cyber capabilities, but the world needs to come to an agreement on their use. The main question is not how to get rid of offensive cyber capabilities, but how to live with them.
Dr. Jarno Limnell is a renowned expert in the field of nation state cyber capabilities and is director of cyber security at Stonesoft, a McAfee Group Company.