Countries are developing and exercising offensive cyber capabilities, for purposes including combating potential terrorist threats. Australia’s cyber offensive capabilities were recently outlined in a brief by the International Cyber Policy Centre. Other countries that have cyber offensive capabilities include the United States, United Kingdom, the Netherlands, Denmark, Sweden, Greece, North Korea, Russia and Iran.
The Australian Strategic Policy Institute recently released a paper in which they propose some definitions around offensive cyber operations.
What are offensive cyber operations?
The Australian Strategic Policy Institute paper defines offensive cyber operations as:
Operations to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.
What are offensive cyber capabilities?
In general, capabilities can be employed in operations to achieve an objective. Offensive cyber operations use offensive cyber capabilities to achieve objectives in or through cyberspace.
What is the difference between cyber operations and cyber-enabled espionage?
In cyber-enabled espionage, the goal is to gather information without being detected, to allow longer term intelligence gathering.
What are cyber weapons?
The Australian Strategic Policy Institute posits both a narrow and broad definition of cyber weapons:
Narrow definition
Software and information technology (IT) systems that, through ICT networks, cause destructive effects and have no other possible uses.
The IT system aspect of this definition requires some level of integration and automation in a weapon: code that wipes a computer hard disk is not a weapon by itself—by itself it cannot achieve destructive effects through cyberspace—but could form part of a weapon that wipes hard drives across an entire organisation.
This narrow definition is problematic for a number of reasons:
- It is not entirely compatible with definitions of offensive cyber activities – actions that manipulate, disrupt, deny and degrade would likely not be captured and so much offensive cyber activity will not be considered to involve cyber weapons.
- Even the most destructive offensive cyber operations could be executed without ever using a cyber weapon. For example, a cyber operation that triggered the launch of a nuclear weapon would not require a cyber weapon.
- This definition could easily be gamed by adding non-destructive functionality to otherwise malicious code.
Broad definition
Software and IT systems that, through ICT networks, manipulate, deny, disrupt, degrade or destroy targeted information systems or networks.
This definition has the advantage that it would capture the entirety of tools that could be used for offensive cyber operations.
It would however also include legitimate tools that state authorities and the cybersecurity community use for law enforcement, cyber defence, or both.
Why is it difficult to agree on a universal definition of cyber weapons?
While the narrow definition may be more readily agreed to by states, it excludes so much potential offensive cyber activity that efforts to limit cyber weapons based on that definition seem futile.
The broader definition would capture tools used for so many legitimate purposes that agreement on their status as weapons is unlikely, and limitations could well harm network defenders more than attackers.