Recently, I was struck by a front cover of the magazine Newsweek, which declared that we are (again) facing the potential for a ‘Cyber Pearl Harbor’. For many within both the practitioner and academic ‘cyber’ community, this is a manifestation of the long shadow of the hyperbole that characterised the popular recognition of the insecurities of computation throughout the late 1990s and early 2000s. Today, if not a nuisance to those working in the area, such analogies and metaphors are still dominant in how they seep into popular debates around contemporary offensive cyber operations. In my research, I seek to understand how malware – and other computational materials, such as algorithms – transform cybersecurity politics and decision-making, and here I will outline what I think the implications for democracy are when governments do not appropriately engage in public debate.
Ransomware, ‘advanced persistent threats’, cyberwar, and most recently “cyber-sabotage” – the term used by the UK Foreign Secretary Dominic Raab (2021) to describe the espionage operations of the People’s Republic of China in the hack of Microsoft Exchange Server email software (see Krebs 2021) – are part of an ever-expanding corpus of terms to explain the condition of cyber that challenges even the most informed. Some have attempted to resolve and clarify the terms and analogies used for offensive cyber and elsewhere, with various successes and warnings (Taddeo 2016; Lawson and Middleton 2019). Although conceptual clarity is required for effective communication, we are unfortunately very far from that possibility. Indeed, I think the conceptual murkiness that surrounds offensive cyber is not the problem per se, but rather a symptom of the current lack of public discussion of capabilities and doctrinal development that hinders legislative scrutiny amid the promise of security provided by states as we enter a post-Covid world. By this I mean that, due to the secretive nature of operations and capabilities, a vast potential variety of descriptors and analogies are possible in an attempt to communicate with the public in times where the state seems increasingly unable to attend to the insecurities their citizens feel from cyber-attacks.
Within academic literature, much has been made, for quite some time, over whether such a thing as ‘cyberwar’ could ever take place (Rid 2013), with contemporary debate settling on discussions on the organisational capacity for cyber operations to take place (Smeets and Work 2020). Such a change in perspective, however, is still broadly confined to a small and well-informed community who either have direct access to such activities (particularly in contexts where there is extensive military-academic collaboration, e.g., the United States) or within specialised academic and journalistic contexts that speak at select events and have typically developed extensive relationships with the former (and are likely the extent of this blog post’s readership). This community has undoubtedly led to a greater sophistication in thinking about cyber operations, as much as ‘cyberwar’ may have been dampened as a catastrophic event, to a sustained acceptance of the perpetual continuation of cyber conflict as evidenced in US thinking on ‘persistent engagement’ (Healey 2019).
Such an acceptance of perpetual, and incessant, war-like activities is part of a broader move in military thinking on grey/gray-zone and hybrid warfare and what its limits and contours should be. Yet such hybridity causes a severe communication problem for democratic governments, regardless of whether you agree with such moves. This is because the public perception of contemporary conflict remains focused on open kinetic conflict, driven in part by governments’ increasing investment in conventional military capabilities.
Offensive cyber is but a microcosm of the preference to keep secret contemporary capabilities that do not afford such visuality. This is a necessary act to prevent adversaries attaining knowledge of such capabilities. Yet not articulating the use of offensive cyber, including future potential doctrine, could lead to a disruptive and long-term erosion of trust as it becomes clear states cannot always protect their citizens from adversaries in the ways that publics have come to expect (at least in the imagination of certain communities in the Global North). Although attempts have been made to protect publics through improved cyber security, it is clear that defence is different in a computational world. Offensive cyber operations are highly likely to be successful and governments must be honest about this, and their capability to respond.
For many people outside of ‘cyber’, the more spectacular effects of malware, such as WannaCry and NotPetya, dominate imaginations of destruction that have semblances to ‘cyberwar’ – and even to ‘Cyber Pearl Harbor’ – discourse. However, much malware is banal and stealthy, and primarily for espionage, even if it could in theory be used for pre-positioning for other offensive operations (see Microsoft Exchange, SolarWinds, etc.). Whereas cyberwar is seen as something that could inevitably affect critical national infrastructures and beyond, the same imaginary does not apply to ‘everyday’ systems which are assumed to be insecure due to poor governance and maintenance. However, it is in this latter space that offensive cyber action often takes place and, inversely, has the greatest impact.
As former head of the UK National Cyber Security Centre, Ciaran Martin, has recently argued, the UK should not simply invoke secrecy to avoid discussing offensive cyber doctrine with regard to China. By keeping offensive cyber secret, it mythologises the potential of such action, offering a seeming alternative to the ‘dirty’ work of sending personnel to ‘far away’ places.
This is because it sets up an expectation that should not, and cannot, be held in perpetuity. Offensive cyber operations have limited functions and will not ‘win’ a war. It is unlikely that there will be a direct ‘kinetic’ confrontation between China and the United States and its allies in the near future. In the meantime, offensive cyber is likely to dominate – or, in the language of the USA, ‘persistent engagement’ – to degrade specific adversary operations. But it is not going to stop China, Russia or other states completely.
So, there will likely be ‘limited’ attacks against military and associated targets by the US and its allies. Thus, to emphasise the use of offensive cyber to respond to China by the UK Government as a solution is disingenuous to the public. There is a possibility to be doctrinally honest without revealing operational details that articulate the true complexities of our contemporary computational insecurities.
Thus, the ‘Cyber Pearl Harbor’ imaginary matters for offensive cyber operations – not because it necessarily affects decision-makers’ direct judgements, but for developing expectations and the demise of democratic trust. If a state continually conducts offensive operations against the UK, for example, then how long is it sustainable for its government to promise that counter-offensive cyber operations are an effective solution? ‘Cyber Pearl Harbor’ holds such sway as it promises the spectacular ‘event’ of war that is still celebrated in contemporary popular imaginations but is anathema to military thinking. Yet, as readers of this blog are likely to agree, such ‘event’-based war with offensive cyber operations is exceptionally unlikely to occur. Responses will be full of attrition, will require extensive work, and will not be widespread (unless, for instance, a poor worming architecture is used).
For democratic governments to (over) promise without outlining doctrinal possibilities is dangerous. Offensive cyber can be justified across a suite of responses and governments can be open about the costs in terms of capital and capability. As I and others reflected in a recent piece on the UK National Cyber Force, “offensive cyber operations should not be regarded as a technological ‘fix’ to problems that are resistant to resolution by these capabilities” (Devanny et al. 2021, 8).
Of course, there is reticence to suddenly open up discussions on offensive cyber, as it may raise difficult issues and questions, and perhaps debate will go counter to what is already on the move. Yet, offensive cyber operations and capabilities work for the publics they serve, and thus must be held accountable, and fundamentally appropriate, to them. It is only a matter of time before offensive cyber will lose its shine, so let the conversation be had now, in advance of any demise in the trust of such a capability. Governments have a tough balance to strike as computation challenges their conventional role in the security of their citizens as it is outsourced to private corporations, and their arsenal of response is limited. So, let’s have the debate, and it might settle to something that is amenable for all, and ultimately, for democracy.
Dr Andrew Dwyer is an Addison Wheeler Research Fellow at Durham University in the UK. His research focuses on how differing computational materials, such as malware and machine learning algorithms, transform decision-making.
Devanny, Joe, Andrew Dwyer, Amy Ertan, and Tim Stevens. 2021. “The National Cyber Force That Britain Needs?” London: King’s College London. https://www.kcl.ac.uk/policy-institute/assets/the-national-cyber-force-that-britain-needs.pdf.
Healey, Jason. 2019. “The Implications of Persistent (and Permanent) Engagement in Cyberspace.” Journal of Cybersecurity 5 (1): 1–15. doi:10.1093/cybsec/tyz008.
Krebs, Brian. 2021. “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software – Krebs on Security.” Krebs on Security. March 5. http://web.archive.org/web/20210722091915/https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/.
Lawson, Sean, and Michael K. Middleton. 2019. “Cyber Pearl Harbor: Analogy, Fear, and the Framing of Cyber Security Threats in the United States, 1991-2016.” First Monday 24 (3). doi:10.5210/fm.v24i3.9623.
Raab, Dominic. 2021. “UK and Allies Hold Chinese State Responsible for a Pervasive Pattern of Hacking.” GOV.UK. July 19. http://web.archive.org/web/20210720161540/https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking.
Rid, Thomas. 2013. Cyber War Will Not Take Place. London: C. Hurst & Co.
Smeets, Max, and JD Work. 2020. “Operational Decision-Making for Cyber Operations: In Search of a Model.” The Cyber Defense Review 5 (1): 95–112.
Taddeo, Mariarosaria. 2016. “On the Risks of Relying on Analogies to Understand Cyber Conflicts.” Minds and Machines 26 (4): 317–21. doi:
 I have much to say about the signifier of ‘cyber’ and how its broadening and condensation away from ‘cyber security’ is an interesting development in how it aligns to a more militaristic imbrication than information security, but I will not develop this here.
 I use ‘post’ here very lightly, as it is more like a continuation of the pandemic, as we ‘live’ with the virus in various ways.