What If the Best Defense Is a Good Defense (Instead of Offense Rebranded as Active Defense)?

Josephine Wolff

In cybersecurity, the difference between offense and defense is at once extremely straightforward and incredibly difficult to pin down. It is straightforward because defending your own networks and data and attacking someone else’s look completely different: the former involves implementing security controls and detection systems within the confines of your own computer systems, while the latter involves exploiting vulnerabilities in someone else’s systems. So it really should not be difficult to designate any particular activity in cyberspace by an individual country as offense or defense—except that, increasingly, countries seem to view the best cyber defense as, well, offense.

In 2018, the United States Cyber Command announced a new cyberspace strategy grounded in the ideas of persistent engagement with adversaries and defending forward so that defensive interventions occurred “as close as possible to the origin of adversary activity.” The crux of the strategy was essentially to broaden the boundaries of defense so that it would include cyber activities that occurred outside the borders of the networks being defended to encompass activities targeting adversary networks. In other words, offensive cyber activity was rebranded as “forward defense.”

I wrote at the time about my skepticism around relying on offensive cyber capabilities as a defensive strategy, but there were certainly points to recommend this strategy, especially the sense that a defensive strategy focused on hardening networks and computer systems against attacks simply was not working very well. Three years later, though, it is a little hard to tell whether ramping up offensive cyber activity has contributed to a stronger cybersecurity posture for the United States—or, indeed, even how much that offensive cyber activity has been ramped up under the new strategy.

Part of what makes it difficult to assess the effectiveness of offensive cyber activity as a means of defense is that many of these offensive operations may be carried out in secret. So in addition to a few specific operations reported in the media—including a 2019 attack on the Russian Internet Research Agency and two other attacks, also in 2019, directed at Iran—it is possible that there are many examples of persistent engagement in cyberspace that the public simply isn’t privy to. For example, when the Russian REvil ransomware gang went offline earlier this year, following several high-profile ransomware attacks on U.S. targets including Colonial Pipeline and JBS, it was very unclear whether that was the work of the United States government or not.

I don’t think that taking the servers used to perpetrate ransomware attacks offline is necessarily a bad idea. If that is what happened in this case (and again, no one seems to be sure), it does seem like there would be a benefit to making clear that is why the servers went down in order to send a clear signal to other cybercriminals. But just because it may be warranted and useful, it does not mean that this type of offensive cyber activity is defense, in the sense that it makes computer systems any safer. Taking out the computer that has attacked you is not defense; it’s retribution, and that’s an important distinction to keep clear if only because it highlights the need to do a very different kind of work to actually defend infrastructure from ransomware.

More generally, I am wary of blurring the lines between offense and defense—and particularly the language we use to describe each. That’s partly because I think there are significant differences between interfering with your own networks and messing around in someone else’s, but mainly because I worry that relying on offense as a country’s main source of defense can lead to countries neglecting the less exciting but equally (if not more) important work of trying to build out more secure infrastructure and computer networks.

It is possible to point to a series of severe cyberattacks in the United States over the course of the past few years (SolarWinds, Colonial Pipeline, JBS, to name just a few) and argue that their severity suggests persistent engagement has not worked and offensive cyber activity is not an effective defensive strategy in cyberspace. It is equally possible to invoke the relative security of the 2020 election and other unknown, secret offensive cyber operations as evidence that this strategy has been a great success for the United States. Given how little is known publicly about the extent of these operations and how little it is possible to know about what the landscape of threats and cyberattacks would have looked like under a different strategy, I’m not convinced it is possible to draw any very strong conclusions one way or the other.

What does seem clear from the past few years is that offensive cyber activities do not—and will not—suffice to defend computer networks absent the more traditional, inner-looking work of defense. There may well be value in both offensive and defensive cybersecurity efforts, but there is also value in keeping them distinct in order to clarify that the rules, standards, and norms for each are quite different and, most importantly, that offense cannot and should not be viewed as a substitute for a strong defense.

Josephine Wolff is an Associate Professor of Cybersecurity Policy, The Fletcher School at Tufts University.

CS Alert – Offensive Cyber in 1914

Image: An undated photograph of CS Alert. Source: Wikipedia.

By Neil Ashdown

On 5 August 1914 – the day after Great Britain declared war on Germany – CS Alert, a British cable ship, severed the submarine telegraph cables connecting Germany to the United States. The first post on The Alert, the blog of the Offensive Cyber Working Group (OCWG), asked whether this action was an early example of offensive cyber. In this post, I will argue that this historical case can help inform our understanding of offensive cyber operations today, more than a century later.

The relationship between secrecy and offensive cyber

CS Alert’s mission depended on tactical surprise – keeping the timing and nature of the ship’s departure secret increased its likelihood of success.[1] However, the severing of the cables would not have come as a strategic surprise to Germany or other world powers; a Peruvian vessel severed a submarine cable during the 1879-84 War of the Pacific and the US cut cables – including a British-owned cable – during the 1898 Spanish-American War.[2] Germany and other states had actively been promoting the use of wireless telegraphy (radio) precisely because it offered an alternative to dependence on British-owned cables.

This dynamic is relevant to the current secrecy around offensive cyber. Today, states are extremely reticent to provide any details about their offensive cyber capabilities. Some of this is about the preservation of capabilities that would be rendered ineffective by exposure, much as the details of Alert’s mission had to be kept secret. However, there is considerable over-classification,[3] likely stemming from the historical origin of state cyber capabilities within the instinctively secretive intelligence community.[4] In addition, as Ciaran Martin, former head of the UK National Cyber Security Centre, recently argued, such secrecy also allows policymakers an ‘easy option’ for threatening reprisals against hostile state activity, without having to go into details.[5]

Even though Alert’s mission depended on secrecy for its effectiveness, the goal of that mission and its impact were largely predictable based on information available in open sources at the time. At the risk of being proved dramatically wrong by some future revelation(s), something similar could be said about modern state cyber capabilities. Advanced cyber powers may have capabilities that could prompt surprise and outcry if revealed, but cyber capabilities are not ‘magical’. Indeed, like real-world magic tricks, once the secret is revealed, many cyber operations are less sophisticated than we tend to think.[6]

This does not mean that there will be no surprises for observers of offensive cyber. Similarly, public understanding of Britain’s campaign against Germany’s communications evolved over time. While it was immediately clear that the cables had been severed, the details of the operation were initially secret, leading to some incorrect claims. Fulwider notes that “[i]n much of the existing literature, the ship responsible for cutting the cable was reported as the Telconia.”[7] This underlines that public understanding of offensive cyber operations will need to be corrected in the future as more information becomes declassified.

Campaigns and context in offensive cyber

Alert’s mission was also part of a wider campaign to disrupt Germany’s communications. According to Winkler, “Historians have been aware of the severing of Germany’s cables in the Channel, but the larger scope of these operations has been obscured, as has the fact that Britain’s activities continued through to the final months of the war.”[8] Modern observers of offensive cyber would recognise this as a coherent campaign comprising many operations aimed at achieving strategic advantage.[9]

This campaign was not limited to technical measures. Winkler describes activities that would today fall under the rubric of human intelligence or covert action. These included a British intelligence agent sabotaging a German radio station in Mexico City, conducting counter-proliferation operations targeting key components[10], and using disinformation to eliminate the competition.[11] Similarly, far from being limited to computer network operations, it is likely that modern offensive cyber capabilities will often involve a combination of different approaches. Among other examples, this can be seen in public disclosures about Russian close access operations[12] and in the participation of the UK Secret Intelligence Service (MI6) in the UK’s National Cyber Force.[13]

The context of Alert’s mission is also important. The severing of the cables occurred at a time when the UK and Germany were in a state of armed conflict, London’s ultimatum to Germany having expired at 2300 on 4 August. In contrast, public understanding of what offensive cyber means, and what it is capable of, arises from a partial view of a subset of activities conducted outside of a state of armed conflict. Attempts to read across from ‘peacetime’ activities to the activities that states might conduct during a time of war need to bear this context in mind.[14]

Offensive cyber is an enabler of other activities, but it can also have unintended or undesirable consequences

Alert’s mission involved physically breaking equipment, but this was not its primary goal. Moreover, the operation was not intended to sever Germany’s communications with the outside world. Rather it was intended to force Berlin to use a more vulnerable channel – radio.[15] Highlighting the continuity between this operation and modern cyber operations, the Tallinn Manual 2.0[16] would describe this as ‘herding’.[17]

The campaign against German communications proved to be a force multiplier for other parts of the British war effort – monitoring of radio traffic increased the effectiveness of British efforts to interdict shipping intended for Germany. As Winkler observes, “[t]he resulting information blockade […] enabled Great Britain to reinforce the maritime blockade.”[18] The severing of the cable was also a key component of a broader (dis)information operation conducted by Great Britain to shape perceptions among the US public and policymakers, peaking with the disclosure of the Zimmermann telegram in 1917. The potential for such operations was recognised in the US immediately after Alert’s operation; according to Fulwider, “The New York Times reported the incident on 6 August, accurately pointing out that without direct cable connections, any word of events in Germany would have to pass through hostile channels.”[19]

Similarly, it is likely that modern offensive cyber operations will achieve effect not just through disrupting adversary systems (for example, wiping data or rendering devices inoperable), but through second-order effects. Herding and enabling information operations are two examples, as are large-scale degradation efforts targeting adversary counterintelligence capabilities.[20]

Not all the effects of offensive cyber operations will be intended or desirable. Winkler argues that “[t]he voyage of the Alert and its implications caused officials in the United States eventually to realize the strategic necessity of having an independent cable and radio network linking the nation to its overseas interests.”[21] US activities to reduce this vulnerability eroded the UK’s advantages in this area. Similarly, offensive cyber operations have the potential to draw an adversary’s attention to their vulnerabilities and spur them to develop capabilities of their own to respond.[22]

Efforts to promote norms around offensive cyber are not new

In a wider discussion of its policy on submarine telegraph cables, Kennedy notes that Britain initially attempted to promote international norms against cutting cables.[23] He cites an 1886 paper from the British government’s Colonial Defence Committee (CDC), recording “their strong opinion that no opportunity should be lost in defining the position of cables of neutrals, and in taking any steps likely to lead to the eventual neutralization of all cables by promoting an international sentiment in favour of them … […] Any degree of immunity, however small, which could be secured by Treaty, or by international sentiment, would therefore be a definite gain to the Empire.”

This claim resonates with concerns about the greater vulnerability of advanced digital economies in the event of cyber conflict. In language that almost exactly parallels modern statements about the United States’ vulnerability in this area, Kennedy notes that the CDC’s concern was driven by the recognition that “unrestricted cable-cutting would be on balance ‘a severe loss to the Empire, which would suffer mostly from this type of attack’”.[24] It is hardly surprising that states promote norms that are in their interests, as much around offensive cyber as around the ‘neutralization’ of submarine cables.[25] In the latter case, Britain’s effort to promote such norms quickly stalled, not least because “it was soon realized that it would be impossible to persuade other powers, particularly France and Russia, to accede to an international neutralization agreement.”[26]

As a result, Kennedy notes that Great Britain expanded and hardened its telegraph network.[27] This included the use of physical defences as well as deception to protect submarine cables.[28] This latter activity prefigures the use of deception for defence in cybersecurity.[29] Over time, the increased resilience of the network led to a shift in attitudes, and Great Britain downplayed efforts to promote norms around the neutralization of cables. By the time of the First World War, 28 years after the paper calling for neutralization, the British government had longstanding plans for disrupting the communications of potential adversaries. Efforts to promote norms gave way to an emphasis on resilience and offensive action by Britain to seize the initiative – paralleling in some respects the current debate over the US doctrine of persistent engagement.[30] 

Offensive cyber is an outgrowth of other capabilities and resources

As Kennedy notes, this change in attitude reflected Britain’s awareness by 1911 that it “had so many advantages in this field that her own weaknesses were outweighed.” Britain controlled 60% of the world’s cables and key nodes in the global telegraph network were located on its territory. Moreover, Britain “possessed a virtual monopoly of the vital gutta-percha, which was used to insulate the wires [in undersea cables].”[31] It also had other – less tangible – advantages; its ownership of most of the world’s cables meant that Britain “knew more than anyone else about cable-laying or cable-cutting”.

There are parallels between Kennedy’s assessment of Britain’s power over telegraph cables in the 1900s and modern assessments of state cyber power. In general, states with more advanced technology sectors are more likely to have advanced cyber capabilities. As the International Institute of Strategic Studies (IISS) argued in its 2021 net assessment of state cyber capabilities, “strength in the core industries that underpin the future development of cyberspace is the decisive category [in determining a state’s cyber capability]”.[32] Similarly, the concentration of communication nodes on a state’s territory provides as much of an advantage today as it did with submarine telegraph cables, as does control over key resources – gutta-percha can be seen as the semiconductor chip of its day.[33]

The less tangible aspects remain important. Much as Britain’s know-how about cable laying contributed to its dominant position in this area, technical expertise also plays a role in cyber power. The IISS report describes “core cyber-intelligence capability” as lying “[a]t the heart of any nation’s cyber capability.”[34] Some of this capability will derive from technology and geographical position, as noted above, but perhaps even more decisive are the skills and expertise that a state’s intelligence apparatus can bring to bear.


CS Alert has been described as a central motif for the information society: “This one cableship represents strategies, technologies, ideas, and actions that still ripple through today’s technological, political, economic, and media landscape.”[35] The idea that Alert’s mission was an example of information warfare is uncontroversial. Gordon Corera describes it as “one of the first strategic acts of information warfare in the modern world […] leading to the birth of modern communications intelligence”.[36] Winkler asserts that “Information warfare in the electrical age is not a new phenomenon but dates from the late nineteenth century.”[37]

More debateable is whether it is analytically useful to view this operation as an early example of offensive cyber. As several members of the OCWG noted in a recent report, “The ‘prehistory’ of UK offensive cyber operations remains untold, although inevitably pre-dates their avowal by the UK in September 2013, the first country to do so.”[38] Is it helpful to extend this prehistory as far back as 1914, and indeed further? Or does grouping together a modern offensive cyber operation and Alert’s mission obscure the fundamental difference between a telegraph network, however highly developed, and networks of computational devices? If there really is a fundamental difference between 20th century signals intelligence and information warfare, on the one hand, and offensive cyber on the other, then examination of historical cases would be a way to identify this difference. In doing so, it could provide empirical evidence to advance theoretical debates about the nature of cyber conflict and intelligence.[39]

Moreover, highlighting elements of continuity between modern operations and historical operations that are now in the public record – such as Alert’s mission – could provide governments with a framework to talk more about offensive cyber, without revealing operational specifics. As IISS noted in its report, “On offensive cyber, it has so far proved difficult even to find the language for a more informed national and international public debate, but such an effort remains essential if the risks are to be properly managed.”[40] Exploring the similarities and differences between historical examples and modern offensive cyber would help support the development of that language. ‘Cyber’ can sometimes feel very abstract. Providing examples – such as Alert’s cable cutting early in the morning of 5 August 1914 – makes it more tangible.

Neil Ashdown is a PhD researcher in the Centre for Doctoral Training in Cyber Security for the Everyday at Royal Holloway University of London. He was formerly the deputy editor of Jane’s Intelligence Review.

[1] Gordon Corera, ‘How Britain Pioneered Cable-Cutting in World War One’, BBC News, 15 December 2017, sec. Europe, https://www.bbc.com/news/world-europe-42367551.

[2] Jonathan Reed Winkler, ‘Information Warfare in World War I’, The Journal of Military History 73, no. 3 (2009): 845–67, https://doi.org/10.1353/jmh.0.0324.

[3] Jason Healey and Robert Jervis, ‘Overclassification and Its Impact on Cyber Conflict and Democracy’, Modern War Institute, 22 March 2021, https://mwi.usma.edu/overclassification-and-its-impact-on-cyber-conflict-and-democracy/.

[4] Michael Warner, ‘Intelligence in Cyber—and Cyber in Intelligence – Understanding Cyber Conflict: 14 Analogies’, Carnegie Endowment for International Peace, 2017, https://carnegieendowment.org/2017/10/16/intelligence-in-cyber-and-cyber-in-intelligence-pub-73393.

[5] Ciaran Martin, ‘Ciaran Martin on Twitter: “It Is Pure Cyberbabble. The Gov’t Is in a Horrible Position Following Completely Unacceptable Iranian Behaviour. But Briefing Nonsense like This Doesn’t Help Anyone. Saying ‘Secret Cyber Strike’ Is Not a Policy Response & Shouldn’t Be a Pretext for Avoiding Hard Decisions 2/2” / Twitter’, accessed 3 August 2021, https://twitter.com/ciaranmartinoxf/status/1422435444470468608.

[6] Ben Buchanan, The Legend of Sophistication in Cyber Operations (Harvard Kennedy School, Belfer Center for Science and International Affairs, 2017).

[7] Chad R Fulwider, German Propaganda and US Neutrality in World War I (University of Missouri Press, 2017).

[8] Winkler, ‘Information Warfare in World War I’.

[9] Richard J. Harknett and Max Smeets, ‘Cyber Campaigns and Strategic Outcomes’, Journal of Strategic Studies 0, no. 0 (4 March 2020): 1–34, https://doi.org/10.1080/01402390.2020.1732354.

[10] Winkler, ‘Information Warfare in World War I’. “Mason then systematically acquired all of the eleven spare vacuum tubes in Mexico.”

[11] Winkler. “Mason would also go on to eliminate a German team headed to the coast with a smaller radio set by spreading the word that they carried diamonds (actually the crystal detectors used for receiving the signals). The team members were never heard from again.”

[12] Mark Odell, ‘How Dutch Security Service Caught Alleged Russian Spies | Financial Times’, Financial Times, 4 October 2018, https://www.ft.com/content/b1fb5240-c7db-11e8-ba8f-ee390057b8c9.

[13] ‘National Cyber Force Transforms Country’s Cyber Capabilities to Protect the UK’, accessed 12 May 2021, https://www.gchq.gov.uk/news/national-cyber-force.

[14] ‘Ciaran Martin: “Cyber Weapons Are Called Viruses for a Reason: Statecraft, Security and Safety in the Digital Age.”’, The Strand Group, accessed 23 July 2021, https://thestrandgroup.kcl.ac.uk/event/ciaran-martin-cyber-weapons-are-called-viruses-for-a-reason-statecraft-security-and-safety-in-the-digital-age/.

[15] Gordon Corera, Intercept: The Secret History of Computers and Spies (Hachette UK, 2015).

[16] Michael N Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press, 2017).

[17] Tallinn Manual 2.0, Rule 32, Comment 12: “As an example, a tactic of signals intelligence is to force adversaries to use forms of communication that are less secure so information can be collected. This driving, or ‘herding’, of enemy communications from a platform not susceptible to exploitation to a less secure one from which intelligence can be collected might be accomplished by physical damage to the former.”

[18] Winkler, ‘Information Warfare in World War I’.

[19] Fulwider, German Propaganda and US Neutrality in World War I.

[20] Horkos, ‘A Last Clever Knot?’, Medium, 24 November 2020, https://horkos.medium.com/a-last-clever-knot-26fd26765e8d.

[21] Jonathan Reed Winkler, Nexus (Harvard University Press, 2009).

[22] Andrea Shalal-Esa, ‘Iran Strengthened Cyber Capabilities after Stuxnet: U.S. General’, Reuters, 18 January 2013, sec. Technology News, https://www.reuters.com/article/us-iran-usa-cyber-idUSBRE90G1C420130118.

[23] P. M. Kennedy, ‘Imperial Cable Communications and Strategy, 1870-1914’, The English Historical Review 86, no. 341 (1971): 728–52.

[24] Kennedy.

[25] Perri Adams et al., ‘Responsible Cyber Offense – Lawfare’, accessed 3 August 2021, https://www.lawfareblog.com/responsible-cyber-offense.

[26] Kennedy, ‘Imperial Cable Communications and Strategy, 1870-1914’.

[27] Kennedy.

[28] Kennedy. “Another cunning measure at Esquimault was the laying of numerous dummy cables for a few miles out to sea to baffle an attempt at in-shore cutting.”

[29] See, for example, the work of the UK National Cyber Deception Laboratory (NCDL), as described in Neil Ashdown, ‘Mind Games: Deception Offers Role in Cyber Defence’, Jane’s Intelligence Review, 7 May 2020.

[30] Richard J Harknett, ‘SolarWinds: The Need for Persistent Engagement’, Lawfare, 23 December 2020, https://www.lawfareblog.com/solarwinds-need-persistent-engagement.

[31] Kennedy, ‘Imperial Cable Communications and Strategy, 1870-1914’.

[32] ‘Cyber Capabilities and National Power: A Net Assessment’, IISS, accessed 5 July 2021, https://www.iiss.org/blogs/research-paper/2021/06/cyber-capabilities-national-power.

[33] Kathrin Hille, ‘TSMC: How a Taiwanese Chipmaker Became a Linchpin of the Global Economy’, Financial Times, 24 March 2021, https://www.ft.com/content/05206915-fd73-4a3a-92a5-6760ce965bd9.

[34] ‘Cyber Capabilities and National Power’.

[35] R David Lankes, Forged in War: How a Century of War Created Today’s Information Society (Rowman & Littlefield Publishers, 2021).

[36] Corera, Intercept: The Secret History of Computers and Spies.

[37] Winkler, ‘Information Warfare in World War I’.

[38] Joe Devanny et al., ‘The National Cyber Force That Britain Needs?’, 2021.

[39] Robert Chesney and Max Smeets, ‘Policy Roundtable: Cyber Conflict as an Intelligence Contest’, Texas National Security Review, 17 September 2020, http://tnsr.org/roundtable/policy-roundtable-cyber-conflict-as-an-intelligence-contest/.

[40] ‘Cyber Capabilities and National Power’.

Why ‘Cyber Pearl Harbor’ matters for democracy

Dr Andrew Dwyer

Recently, I was struck by a front cover of the magazine Newsweek, which declared that we are (again) facing the potential for a ‘Cyber Pearl Harbor’. For many within both the practitioner and academic ‘cyber’[1] community, this is a manifestation of the long shadow of the hyperbole that characterised the popular recognition of the insecurities of computation throughout the late 1990s and early 2000s. Today, if not a nuisance to those working in the area, such analogies and metaphors are still dominant in how they seep into popular debates around contemporary offensive cyber operations. In my research, I seek to understand how malware – and other computational materials, such as algorithms – transform cybersecurity politics and decision-making, and here I will outline what I think the implications for democracy are when governments do not appropriately engage in public debate.

Ransomware, ‘advanced persistent threats’, cyberwar, and most recently “cyber-sabotage” – the term used by the UK Foreign Secretary Dominic Raab (2021) to describe the espionage operations of the People’s Republic of China in the hack of Microsoft Exchange Server email software (see Krebs 2021) – are part of an ever-expanding corpus of terms to explain the condition of cyber that challenges even the most informed. Some have attempted to resolve and clarify the terms and analogies used for offensive cyber and elsewhere, with various successes and warnings (Taddeo 2016; Lawson and Middleton 2019). Although conceptual clarity is required for effective communication, we are unfortunately very far from that possibility. Indeed, I think the conceptual murkiness that surrounds offensive cyber is not the problem per se, but rather a symptom of the current lack of public discussion of capabilities and doctrinal development that hinders legislative scrutiny amid the promise of security provided by states as we enter a post-Covid[2] world. That is, due to the secretive nature of operations and capabilities, a vast potential variety of descriptors and analogies are possible in an attempt to communicate with the public in times where the state seems increasingly unable to attend to the insecurities their citizens feel from cyber-attacks.

Within academic literature, much has been made, for quite some time, over whether such a thing as ‘cyberwar’ could ever take place (Rid 2013), with contemporary debate settling on discussions on the organisational capacity for cyber operations to take place (Smeets and Work 2020). Such a change in perspective, however, is still broadly confined to a small and well-informed community who either have direct access to such activities (particularly in contexts where there is extensive military-academic collaboration, e.g., the United States) or within specialised academic and journalistic contexts that speak at select events and have typically developed extensive relationships with the former (and are likely the extent of this blog post’s readership). This community has undoubtedly led to a greater sophistication in thinking about cyber operations, as much as ‘cyberwar’ may have been dampened as a catastrophic event, to a sustained acceptance of the perpetual continuation of cyber conflict as evidenced in US thinking on ‘persistent engagement’ (Healey 2019).

Such an acceptance of perpetual, and incessant, war-like activities is part of a broader move in military thinking on grey/gray-zone and hybrid warfare and what its limits and contours should be. Yet such hybridity causes a severe communication problem for democratic governments, regardless of whether you agree with such moves. This is because the public perception of contemporary conflict remains focused on open kinetic conflict, driven in part by governments’ increasing investment in conventional military capabilities.

Offensive cyber is but a microcosm of the preference to keep secret contemporary capabilities that do not afford such visuality. This is a necessary act to prevent adversaries attaining knowledge of such capabilities. Yet, by not articulating the use of offensive cyber, including future potential doctrine, it could lead to a disruptive and long-term erosion of trust as it becomes clear states cannot always protect their citizens from adversaries in the ways that publics have come to expect (at least in the imagination of certain communities in the Global North). Although attempts have been made to protect publics through improved cyber security, it is clear that defence is different in a computational world. Offensive cyber operations are highly likely to be successful and governments must be honest about this, and their capability to respond.

For many people outside of ‘cyber’, the more spectacular effects of malware, such as WannaCry and NotPetya, dominate imaginations of destruction that have semblances to ‘cyberwar’ – and even to ‘Cyber Pearl Harbor’ – discourse. However, much malware is banal and stealthy, and primarily for espionage, even if it could in theory be used for pre-positioning for other offensive operations (see Microsoft Exchange, SolarWinds, etc.). Whereas cyberwar is seen as something that could inevitably affect critical national infrastructures and beyond, the same imaginary does not apply to ‘everyday’ systems which are assumed to be insecure due to poor governance and maintenance. However, it is in this latter space that offensive cyber action often takes place and, inversely, has the greatest impact.

As former head of the UK National Cyber Security Centre, Ciaran Martin, has recently argued, the UK should not simply invoke secrecy to avoid discussing offensive cyber doctrine with regards to China. By keeping offensive cyber secret, it mythologises the potential of such action, offering a seeming alternative to the ‘dirty’ work of sending personnel to ‘far away’ places.

This is because it sets up an expectation that should not, and cannot, be held in perpetuity. Offensive cyber operations have limited functions and will not ‘win’ a war. It is unlikely that there will be a direct ‘kinetic’ confrontation between China and the United States and its allies in the near future. In the meantime, offensive cyber is likely to dominate – or, in the language of the USA, ‘persistent engagement’ – to degrade specific adversary operations. But it is not going to stop China, Russia or other states completely.

So, there will likely be ‘limited’ attacks against military and associated targets by the US and its allies. Thus, to emphasise the use of offensive cyber to respond to China by the UK Government as a solution is disingenuous to the public. There is a possibility to be doctrinally honest without revealing operational details that articulate the true complexities of our contemporary computational insecurities.

Thus, the ‘Cyber Pearl Harbor’ imaginary matters for offensive cyber operations – not because it necessarily affects decision-makers’ direct judgements, but for developing expectations and the demise of democratic trust. If a state continually conducts offensive operations against the UK, for example, then how long is it sustainable for its government to promise that counter-offensive cyber operations are an effective solution? ‘Cyber Pearl Harbor’ holds such sway as it promises the spectacular ‘event’ of war that is still celebrated in contemporary popular imaginations but is anathema to military thinking. Yet, as readers of this blog are likely to agree, such ‘event’-based war with offensive cyber operations is exceptionally unlikely to occur. Responses will be full of attrition, will require extensive work, and will not be widespread (unless, for instance, a poor worming architecture is used).

For democratic governments to (over) promise without outlining doctrinal possibilities is dangerous. Offensive cyber can be justified across a suite of responses and governments can be open about the costs in terms of capital and capability. As I and others reflected in a recent piece on the UK National Cyber Force, “offensive cyber operations should not be regarded as a technological “fix” to problems that are resistant to resolution by these capabilities” (Devanny et al. 2021, 8).

Of course, there is reticence to suddenly open up discussions on offensive cyber, as it may raise difficult issues and questions, and perhaps debate will go counter to what is already on the move. Yet, offensive cyber operations and capabilities work for the publics they serve, and thus must be held accountable, and fundamentally appropriate, to them. It is only a matter of time before offensive cyber will lose its shine, so let the conversation be had now, in advance of any demise in the trust of such a capability. Governments have a tough balance to strike as computation challenges their conventional role in security of their citizens as it is outsourced to private corporations, and their arsenal of response is limited. So, let’s have the debate, and it might settle to something that is amenable for all, and ultimately, for democracy.  

Dr Andrew Dwyer is an Addison Wheeler Research Fellow at Durham University in the UK. His research focuses on how differing computational materials, such as malware and machine learning algorithms, transform decision-making.


Healey, Jason. 2019. “The Implications of Persistent (and Permanent) Engagement in Cyberspace.” Journal of Cybersecurity 5 (1): 1–15. doi:10.1093/cybsec/tyz008.

Devanny, Joe, Andrew Dwyer, Amy Ertan, and Tim Stevens. 2021. “The National Cyber Force That Britain Needs?” London: King’s College London. https://www.kcl.ac.uk/policy-institute/assets/the-national-cyber-force-that-britain-needs.pdf.

Krebs, Brian. 2021. “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software – Krebs on Security.” Krebs on Security. March 5. http://web.archive.org/web/20210722091915/https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/.

Lawson, Sean, and Michael K. Middleton. 2019. “Cyber Pearl Harbor: Analogy, Fear, and the Framing of Cyber Security Threats in the United States, 1991-2016.” First Monday 24 (3). doi:10.5210/fm.v24i3.9623.

Raab, Dominic. 2021. “UK and Allies Hold Chinese State Responsible for a Pervasive Pattern of Hacking.” GOV.UK. July 19. http://web.archive.org/web/20210720161540/https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking.

Rid, Thomas. 2013. Cyber War Will Not Take Place. London: C. Hurst & Co.

Smeets, Max, and JD Work. 2020. “Operational Decision-Making for Cyber Operations: In Search of a Model.” The Cyber Defense Review 5 (1): 95–112.

Taddeo, Mariarosaria. 2016. “On the Risks of Relying on Analogies to Understand Cyber Conflicts.” Minds and Machines 26 (4): 317–21. doi:

[1] I have much to say about the signifier of ‘cyber’ and how its broadening and condensation away from ‘cyber security’ is an interesting development in how it aligns to a more militaristic imbrication than information security, but I will not develop this here.

[2] I use ‘post’ here very lightly, as it is more like a continuation of the pandemic, as we ‘live’ with the virus in various ways.

Offensive cyber in the age of ransomware

Ciaran Martin 

When the United States launched Cyber Command twelve years ago, the word ‘ransomware’ was not in widespread use. Nor did countering the threat from computer-based racketeering feature in the lengthy deliberations leading up to the formation in the UK of the National Cyber Force, announced in November last year.  

But in the course of a few short late spring weeks in 2021, ransomware has gone from a minority obsession of parts of the information security community to a significant paragraph in a G7 communique and the headline item in the first summit between Presidents Biden and Putin. The US has categorised ransomware as a national security threat, thanks to the disruption of oil and meat supplies owing to attacks on Colonial Pipeline and the food producer JBS. Lest Europeans think this is solely an American problem, the wholesale (and horrific) disruption of Irish healthcare, repeated attacks on British educational institutions, and a range of incidents in France and Germany reminded us otherwise.

The ransomware model 

Ransomware has exploded into a global problem because three different factors combine to favour the criminal against the defender, and criminals have begun to realise this. First, the Russian state (and some others, mostly bordering Russia) provide a safe haven from which the gangs can operate. Second, endemic weaknesses in Western cyber security are too easily exploited. Third, the business model works spectacularly well for the criminals: victims too often pay in desperation and cryptocurrencies provide an easy way to launder the loot. The British firm Elliptic has calculated that Darkside, the group responsible for the Colonial Pipeline hack, generated at least $90 million of revenue in just nine months. Moreover, the limitations on law enforcement activity cannot be overstated. Policing and intelligence capabilities against cyber criminals are good and improving, but unless a foolish cyber criminal takes a holiday to the West, he or she is out of reach.

Disrupting this racket means breaking at least part of this vicious, pro-criminal circle. But it is proving hard. Joe Biden has become the first Western leader to pressurise the Russians on the safe haven problem, and early signs are that Moscow is at least pretending to take it seriously. But progress here cannot be guaranteed (for example, there is little prospect of Russia overturning its constitutional prohibitions on extraditing Russians). Getting consensus on tackling the flow of money – either through banning the payment of ransoms or regulating cryptocurrencies more effectively – has proved fiendishly hard. And improving defences remains a long, hard slog. Some or all of these efforts may yield fruit over time, but for now, serious problems remain even in terms of containing the threat, never mind reducing it.

A role for offensive cyber? 

Does this mean there is a role for offensive cyber? This much misunderstood set of nascent capabilities has, to date, struggled to prove its utility as a tool for protecting our cybersecurity. Indeed, despite the rhetoric, offensive cyber has mostly been pointed in other directions. The UK’s flagship, publicly disclosed offensive cyber operation targeted so-called Islamic State, degrading the group’s propaganda and operational capabilities ahead of the Mosul offensive in 2016. Other intended targets have included serious online child sex offenders, according to the Government.  

What has been conspicuously absent is a contribution that protects UK cyberspace itself. Indeed, offensive cyber has proved singularly ineffective in contesting the threat from hostile nation-state capabilities. As I argued in a lecture at King’s College, London, last November, this is for various reasons. Disabling Russian or Chinese state-backed offensive cyber operational capabilities is much, much harder than disrupting the computer networks of an international terrorist group, a paedophile ring, or the Russian troll farm known as the Internet Research Agency, which Cyber Command is believed to have hit in 2018. It is likely to be as difficult as hitting the covert infrastructure of US Cyber Command.  

Moreover, ‘hacking back’ will not ‘deter’ cyber espionage, which is generally accepted under international norms. And on the relatively rare occasions when those norms are crossed, the sorts of capabilities offensive cyber affords are generally not appropriate ones for pushback. We are not going to disrupt the lives of innocent citizens in Vladivostok because Russia has disrupted the opening ceremony of the Winter Olympics or leaked the medical details of athletes after hacking the World Anti-Doping Agency. And all the while, suspicion abounds that by stockpiling cyber weapons for offensive use, the West is not serious about the security of cyberspace.  

Network disruption 

The ransomware problem offers those developing offensive cyber capabilities an opportunity to show that such tools can make a useful contribution to a safer cyberspace. With few if any other interventions working, and with normal law enforcement mechanisms effectively nullified, disrupting the networks of the criminals, and the digital infrastructure they use, via offensive operations, could at least be of some significant tactical benefit in containing the problem.  

Over the years, the FBI have led a number of operations to this effect. The Europol-led takedown of the so-called Emotet botnet, one of the most malignant pieces of digital infrastructure ever seen, in March of this year, provided further evidence of the utility of this type of operation. And technically, the sort of disruption involved lends itself to surgical interventions that reduce the risk of collateral disruption and other unintended consequences that worry sceptics of offensive cyber.  

After what the American cybersecurity expert Alex Stamos has called “the craziest eight months in the history of infosec”, there is now a welcome realisation at the political level that securing our interests in cyberspace is a complex and nuanced problem that isn’t solved by belligerent rhetoric about ‘hitting back’ in an invisible digital contest with other states. If Governments are serious about demonstrating that their increasing focus on offensive capabilities will help our cyber security, disrupting ransomware operations would be the right place to focus.   

Ciaran Martin is Professor of Practice at the Blavatnik School of Government, University of Oxford. From 2014 to 2020 he set up and then led the UK’s National Cyber Security Centre, part of GCHQ. 

Upcoming workshop – An Offensive Future?

The Offensive Cyber Working Group is issuing a call for abstracts ahead of a workshop on the role of offensive cyber today and in the future.

Contributions are invited from across the range of academic disciplines and from outside academia. The deadline for abstracts is 16 July, and the workshop will be held on 22 September.

The output of the workshop will be published as an edited book collection, hosted here on The Alert.

For more details, you can find the call for abstracts here