Why ‘Cyber Pearl Harbor’ matters for democracy

Dr Andrew Dwyer

Recently, I was struck by a front cover of the magazine Newsweek declaring that we are (again) facing the potential for a ‘Cyber Pearl Harbor’. For many within both the practitioner and academic ‘cyber’[1] communities, this is a manifestation of the long shadow cast by the hyperbole that characterised popular recognition of the insecurities of computation throughout the late 1990s and early 2000s. Today, even if they are little more than a nuisance to those working in the area, such analogies and metaphors still dominate how contemporary offensive cyber operations seep into popular debate. In my research, I seek to understand how malware – and other computational materials, such as algorithms – transform cybersecurity politics and decision-making, and here I outline what I think the implications for democracy are when governments do not appropriately engage in public debate.

Ransomware, ‘advanced persistent threats’, cyberwar, and most recently “cyber-sabotage” – the term used by the UK Foreign Secretary Dominic Raab (2021) to describe the espionage operations of the People’s Republic of China in the hack of Microsoft Exchange Server email software (see Krebs 2021) – are part of an ever-expanding corpus of terms for explaining the condition of cyber, one that challenges even the most informed. Some have attempted to resolve and clarify the terms and analogies used for offensive cyber and elsewhere, with varying success and accompanying warnings (Taddeo 2016; Lawson and Middleton 2019). Although conceptual clarity is required for effective communication, we are unfortunately very far from that possibility. Indeed, I think the conceptual murkiness that surrounds offensive cyber is not the problem per se, but rather a symptom of the current lack of public discussion of capabilities and doctrinal development, a lack that hinders legislative scrutiny amid the promise of security provided by states as we enter a post-Covid[2] world. Because operations and capabilities are secret, a vast variety of descriptors and analogies can be deployed in attempts to communicate with the public, at a time when the state seems increasingly unable to attend to the insecurities its citizens feel from cyber-attacks.

Within academic literature, much has been made, for quite some time, of whether such a thing as ‘cyberwar’ could ever take place (Rid 2013), with contemporary debate settling on the organisational capacity for cyber operations to take place (Smeets and Work 2020). Such a change in perspective, however, is still broadly confined to a small and well-informed community who either have direct access to such activities (particularly in contexts where there is extensive military-academic collaboration, e.g., the United States) or work within specialised academic and journalistic contexts that speak at select events and have typically developed extensive relationships with the former (and are likely the extent of this blog post’s readership). This community has undoubtedly brought greater sophistication to thinking about cyber operations: the spectre of ‘cyberwar’ as a catastrophic event has been dampened, replaced by a sustained acceptance of perpetual cyber conflict, as evidenced in US thinking on ‘persistent engagement’ (Healey 2019).

Such an acceptance of perpetual, incessant, war-like activity is part of a broader move in military thinking on grey-zone and hybrid warfare and what its limits and contours should be. Yet such hybridity causes a severe communication problem for democratic governments, regardless of whether one agrees with these moves. This is because public perception of contemporary conflict remains focused on open kinetic conflict, driven in part by governments’ increasing investment in conventional military capabilities.

Offensive cyber is but one instance of the preference to keep secret those contemporary capabilities that lack such visibility. Secrecy is necessary to prevent adversaries gaining knowledge of these capabilities. Yet failing to articulate the use of offensive cyber, including potential future doctrine, risks a disruptive and long-term erosion of trust as it becomes clear that states cannot always protect their citizens from adversaries in the ways publics have come to expect (at least in the imagination of certain communities in the Global North). Although attempts have been made to protect publics through improved cyber security, defence is plainly different in a computational world. Offensive cyber operations mounted against a state’s networks are highly likely to succeed, and governments must be honest about this and about their capacity to respond.

For many people outside of ‘cyber’, the more spectacular effects of malware such as WannaCry and NotPetya dominate imaginations of destruction that resemble ‘cyberwar’ – and even ‘Cyber Pearl Harbor’ – discourse. However, much malware is banal and stealthy, and used primarily for espionage, even if it could in theory serve as pre-positioning for other offensive operations (see Microsoft Exchange, SolarWinds, etc.). Whereas cyberwar is imagined as something that would inevitably affect critical national infrastructure and beyond, the same imaginary does not apply to ‘everyday’ systems, which are assumed to be insecure because of poor governance and maintenance. Yet it is in this latter space that offensive cyber action most often takes place and, conversely, where it has its greatest impact.

As Ciaran Martin, former head of the UK National Cyber Security Centre, has recently argued, the UK should not simply invoke secrecy to avoid discussing offensive cyber doctrine with regard to China. Keeping offensive cyber secret mythologises the potential of such action, offering a seeming alternative to the ‘dirty’ work of sending personnel to ‘far away’ places.

This matters because it sets up an expectation that should not, and cannot, be held in perpetuity. Offensive cyber operations have limited functions and will not ‘win’ a war. A direct ‘kinetic’ confrontation between China and the United States and its allies is unlikely in the near future. In the meantime, offensive cyber – or, in US language, ‘persistent engagement’ – is likely to dominate, degrading specific adversary operations. But it is not going to stop China, Russia or other states completely.

So there will likely be ‘limited’ attacks against military and associated targets by the US and its allies. For the UK Government to present the use of offensive cyber as a solution to China is thus disingenuous to the public. It is possible to be doctrinally honest, articulating the true complexity of our contemporary computational insecurities, without revealing operational details.

Thus the ‘Cyber Pearl Harbor’ imaginary matters for offensive cyber operations – not because it necessarily affects decision-makers’ direct judgements, but because of the expectations it builds and the erosion of democratic trust that follows. If a state continually conducts offensive operations against the UK, for example, how long can its government sustainably promise that counter-offensive cyber operations are an effective solution? ‘Cyber Pearl Harbor’ holds such sway because it promises the spectacular ‘event’ of war that is still celebrated in contemporary popular imaginations but is anathema to military thinking. Yet, as readers of this blog are likely to agree, such ‘event’-based war conducted through offensive cyber operations is exceptionally unlikely to occur. Responses will be attritional, will require extensive work, and will not be widespread (unless, for instance, a poorly constrained self-propagating, or ‘worming’, mechanism is used).

For democratic governments to (over)promise without outlining doctrinal possibilities is dangerous. Offensive cyber can be justified across a suite of responses, and governments can be open about the costs in terms of capital and capability. As I and others reflected in a recent piece on the UK National Cyber Force, “offensive cyber operations should not be regarded as a technological ‘fix’ to problems that are resistant to resolution by these capabilities” (Devanny et al. 2021, 8).

Of course, there is reticence to suddenly open up discussion of offensive cyber, as it may raise difficult issues and questions, and perhaps debate will run counter to what is already under way. Yet offensive cyber operations and capabilities exist to serve their publics, and must therefore be accountable, and fundamentally appropriate, to them. It is only a matter of time before offensive cyber loses its shine, so let the conversation be had now, in advance of any demise in trust in such a capability. Governments have a tough balance to strike as computation challenges their conventional role in securing their citizens, much of which is outsourced to private corporations, and as their arsenal of responses is limited. So, let’s have the debate, and it might settle on something that is amenable for all, and ultimately, for democracy.

Dr Andrew Dwyer is an Addison Wheeler Research Fellow at Durham University in the UK. His research focuses on how differing computational materials, such as malware and machine learning algorithms, transform decision-making.

References

Healey, Jason. 2019. “The Implications of Persistent (and Permanent) Engagement in Cyberspace.” Journal of Cybersecurity 5 (1): 1–15. doi:10.1093/cybsec/tyz008.

Devanny, Joe, Andrew Dwyer, Amy Ertan, and Tim Stevens. 2021. “The National Cyber Force That Britain Needs?” London: King’s College London. https://www.kcl.ac.uk/policy-institute/assets/the-national-cyber-force-that-britain-needs.pdf.

Krebs, Brian. 2021. “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software.” Krebs on Security. March 5. http://web.archive.org/web/20210722091915/https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/.

Lawson, Sean, and Michael K. Middleton. 2019. “Cyber Pearl Harbor: Analogy, Fear, and the Framing of Cyber Security Threats in the United States, 1991-2016.” First Monday 24 (3). doi:10.5210/fm.v24i3.9623.

Raab, Dominic. 2021. “UK and Allies Hold Chinese State Responsible for a Pervasive Pattern of Hacking.” GOV.UK. July 19. http://web.archive.org/web/20210720161540/https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking.

Rid, Thomas. 2013. Cyber War Will Not Take Place. London: C. Hurst & Co.

Smeets, Max, and JD Work. 2020. “Operational Decision-Making for Cyber Operations: In Search of a Model.” The Cyber Defense Review 5 (1): 95–112.

Taddeo, Mariarosaria. 2016. “On the Risks of Relying on Analogies to Understand Cyber Conflicts.” Minds and Machines 26 (4): 317–21. doi:


[1] I have much to say about the signifier of ‘cyber’, and how its broadening, and its condensation away from ‘cyber security’, aligns it with a more militaristic imbrication than ‘information security’, but I will not develop this here.

[2] I use ‘post’ here very lightly, as it is more like a continuation of the pandemic, as we ‘live’ with the virus in various ways.

Offensive cyber in the age of ransomware

Ciaran Martin 

When the United States launched Cyber Command twelve years ago, the word ‘ransomware’ was not in widespread use. Nor did countering the threat from computer-based racketeering feature in the lengthy deliberations leading up to the formation in the UK of the National Cyber Force, announced in November last year.

But in the course of a few short late-spring weeks in 2021, ransomware has gone from a minority obsession of parts of the information security community to a significant paragraph in a G7 communiqué and the headline item in the first summit between Presidents Biden and Putin. The US has categorised ransomware as a national security threat, following the disruption of fuel and meat supplies caused by attacks on Colonial Pipeline and the food producer JBS. Lest Europeans think this is solely an American problem, the wholesale (and horrific) disruption of Irish healthcare, repeated attacks on British educational institutions, and a range of incidents in France and Germany reminded us otherwise.

The ransomware model 

Ransomware has exploded into a global problem because three different factors combine to favour the criminal over the defender, and criminals have begun to realise this. First, the Russian state (and some others, mostly bordering Russia) provides a safe haven from which the gangs can operate. Second, endemic weaknesses in Western cyber security are too easily exploited. Third, the business model works spectacularly well for the criminals: victims too often pay in desperation, and cryptocurrencies provide an easy way to launder the loot. The British firm Elliptic has calculated that DarkSide, the group responsible for the Colonial Pipeline hack, generated at least $90 million of revenue in just nine months. Moreover, the limitations on law enforcement activity cannot be overstated. Policing and intelligence capabilities against cyber criminals are good and improving, but unless a foolish cyber criminal takes a holiday to the West, he or she is out of reach.

Disrupting this racket means breaking at least part of this vicious, pro-criminal circle. But it is proving hard. Joe Biden has become the first Western leader to pressurise the Russians on the safe haven problem, and early signs are that Moscow is at least pretending to take it seriously. But progress here cannot be guaranteed (for example, there is little prospect of Russia overturning its constitutional prohibition on extraditing Russian citizens). Getting consensus on tackling the flow of money – either through banning the payment of ransoms or regulating cryptocurrencies more effectively – has proved fiendishly hard. And improving defences remains a long, hard slog. Some or all of these efforts may yield fruit over time, but for now, serious problems remain even in terms of containing the threat, never mind reducing it.

A role for offensive cyber? 

Does this mean there is a role for offensive cyber? This much misunderstood set of nascent capabilities has, to date, struggled to prove its utility as a tool for protecting our cybersecurity. Indeed, despite the rhetoric, offensive cyber has mostly been pointed in other directions. The UK’s flagship, publicly disclosed offensive cyber operation targeted so-called Islamic State, degrading the group’s propaganda and operational capabilities ahead of the Mosul offensive in 2016. Other intended targets have included serious online child sex offenders, according to the Government.  

What has been conspicuously absent is a contribution that protects UK cyberspace itself. Indeed, offensive cyber has proved singularly ineffective in contesting the threat from hostile nation-state capabilities. As I argued in a lecture at King’s College, London, last November, this is for various reasons. Disabling Russian or Chinese state-backed offensive cyber operational capabilities is much, much harder than disrupting the computer networks of an international terrorist group, a paedophile ring, or the Russian troll farm known as the Internet Research Agency, which Cyber Command is believed to have hit in 2018. It is likely to be as difficult as hitting the covert infrastructure of US Cyber Command.  

Moreover, ‘hacking back’ will not ‘deter’ cyber espionage, which is generally accepted under international norms. And on the relatively rare occasions when those norms are crossed, the sorts of capabilities offensive cyber affords are generally not appropriate ones for pushback. We are not going to disrupt the lives of innocent citizens in Vladivostok because Russia has disrupted the opening ceremony of the Winter Olympics or leaked the medical details of athletes after hacking the World Anti-Doping Agency. And all the while, suspicion abounds that by stockpiling cyber weapons for offensive use, the West is not serious about the security of cyberspace.  

Network disruption 

The ransomware problem offers those developing offensive cyber capabilities an opportunity to show that such tools can make a useful contribution to a safer cyberspace. With few if any other interventions working, and with normal law enforcement mechanisms effectively nullified, disrupting the networks of the criminals, and the digital infrastructure they use, via offensive operations could at least be of significant tactical benefit in containing the problem.

Over the years, the FBI has led a number of operations to this effect. The Europol-led takedown of the so-called Emotet botnet, one of the most malignant pieces of digital infrastructure ever seen, earlier this year provided further evidence of the utility of this type of operation. And technically, the sort of disruption involved lends itself to surgical interventions that reduce the risk of collateral disruption and other unintended consequences that worry sceptics of offensive cyber.

After what the American cybersecurity expert Alex Stamos has called “the craziest eight months in the history of infosec”, there is now a welcome realisation at the political level that securing our interests in cyberspace is a complex and nuanced problem that isn’t solved by belligerent rhetoric about ‘hitting back’ in an invisible digital contest with other states. If governments are serious about demonstrating that their increasing focus on offensive capabilities will help our cyber security, disrupting ransomware operations would be the right place to focus.

Ciaran Martin is Professor of Practice at the Blavatnik School of Government, University of Oxford. From 2014 to 2020 he set up and then led the UK’s National Cyber Security Centre, part of GCHQ. 

Upcoming workshop – An Offensive Future?

The Offensive Cyber Working Group is issuing a call for abstracts ahead of a workshop on the role of offensive cyber today and in the future.

Contributions are invited from across the range of academic disciplines and from outside academia. The deadline for abstracts is 16 July, and the workshop will be held on 22 September.

The output of the workshop will be published as an edited book collection, hosted here on The Alert.

For more details, you can find the call for abstracts here

Introducing The Alert

We are excited to launch The Alert, the blog of the Offensive Cyber Working Group (OCWG).  

The Offensive Cyber Working Group (OCWG) is an academia-led initiative to bring together experts from across academia, policy and the private sector to examine the conceptual, policy and practical implications of offensive cyber activity in the current UK landscape. 

The objective of the OCWG’s blog, The Alert, is to encourage public debate on offensive cyber. The blog will operate as a space for an open and critical reflection about the different ways in which offensive cyber is taking shape in the UK and around the world. 

Why the name?  

We think offensive cyber is something that people need to be talking about. Like an alert on social media, we want this blog to draw attention to something important. We’ll also use this blog to draw attention to upcoming events and to highlight news stories related to offensive cyber. We hope that The Alert will be a useful resource for people working in this area.  

The analogy to social media makes sense in another way – we want this platform to be a place for debate and discussion (although, unlike on social media, we hope that debate will always be informed and constructive). Political, strategic, legal, and ethical frameworks for offensive cyber are rapidly evolving around the world. The language and the theoretical frameworks that shape our understanding of offensive cyber are similarly dynamic and contested. These issues need to be actively debated, or we will end up talking past each other. The Alert provides another forum for these debates.  

The name The Alert also has deeper historical resonance. The Alert was the name of the ship that severed submarine telecommunication cables in the Channel following the British declaration of war on Germany in 1914. Was this an early example of offensive cyber? Or is there something fundamentally different about competition and conflict in the digital age? Regardless of your view on those questions, we think that it is valuable to view offensive cyber in a broader historical context, the better to understand both the continuities and discontinuities that make this such an important topic.  

Looking ahead 

It is an exciting time to be working on offensive cyber. We will use this blog to share information about the work of the OCWG, as well as details of upcoming seminars and workshops. The first of those announcements will come out later this week – keep an eye on this blog and follow the OCWG on Twitter.     

We want to hear from you. If you have questions or comments, feel free to get in touch with us at alert@offensivecyber.org. We welcome contributions to this blog from scholars, practitioners, and other experts on a range of topics related to offensive cyber.   

This could include: 

  • Policy implications of offensive cyber  
  • New theoretical approaches  
  • National approaches to offensive cyber (UK and all other countries are welcome) 
  • Multi-stakeholder perspectives on offensive cyber

Contributions could take the form of short-form articles (600-1,000 words), longer debates between two contributing authors, or shorter commentary on emerging stories. If it touches on offensive cyber, we want to hear about it. 

New Report – The National Cyber Force that Britain Needs?

Read the Report here

Members of the Offensive Cyber Working Group, with King’s College London, have today released a new report which argues that the success of the new UK National Cyber Force (NCF) will be determined by the quality of the leadership, strategy, structures and processes that shape its growth and operational use.

As part of the OCWG’s commitment to advancing debate on offensive cyber in the UK and beyond, this report is one step in understanding how offensive cyber will be organised within the UK through the NCF. This builds upon other activity by the OCWG, including its November 2020 Scoping Workshop Report and its new ‘Global Challenges in Offensive Cyber’ Seminar Series.

Key Findings:

  • Ambitions for the NCF should be realistic. Offensive cyber is but one of several components of cyber strategy. The starting point for a responsible, “democratic cyber power” should include improved cyber security and resilience.
  • The NCF has a wide variety of possible missions, from countering state threats and terrorism to tackling serious and organised crime. It cannot pursue all these missions equally well. A balance of counter-cyber operations and support to military operations is arguably the best (and least controversial) use of the NCF.
  • More active coordination and leadership of cyber strategy from the centre of government is required. The future of UK offensive cyber should be decided holistically by ministers, not by competition between the NCF’s constituent departments.
  • The NCF will collaborate closely with allies such as US Cyber Command and the UK Government has repeatedly emphasised its commitment to contribute cyber capabilities within the NATO alliance. There remains a balance to be struck between what can be done with allies and what will require sovereign capabilities.

About the authors

Dr Joe Devanny is a Lecturer in National Security Studies and deputy director of the Centre for Defence Studies in the Department of War Studies (King’s College London).

Dr Andrew Dwyer is an Addison Wheeler Research Fellow in the Department of Geography (Durham University) and co-director of the UK Offensive Cyber Working Group.

Amy Ertan is a doctoral candidate in the Information Security Group (Royal Holloway), non-resident Visiting Scholar (NATO Cooperative Cyber Defence Centre of Excellence), Cybersecurity Fellow (Belfer Center for Science and International Affairs), and co-director of the UK Offensive Cyber Working Group.

Dr Tim Stevens is a Senior Lecturer in Global Security in the Department of War Studies (King’s College London) and head of the KCL Cyber Security Research Group.

Forthcoming event

A panel discussion and audience Q&A to launch this report will be held live online on Tuesday 4 May between 3pm and 4.30pm. It will be chaired by Professor Lady Moira Andrews (KCL), with a panel including the report’s authors and invited guests, including Marcus Willett CB OBE (Senior Adviser for Cyber at the International Institute for Strategic Studies, GCHQ’s first Director Cyber and former deputy head).

Sign up for the event here.