On Wednesday 3rd March, Strife Interviewer Ed Stacey sat down with Dr Tim Stevens to discuss the state of play in offensive cyber in the 2020s. As part one of Strife’s Offensive Cyber Series, Dr Stevens introduces the topic and offers his thoughts on a range of topical debates, from the utility of offensive cyber capabilities to questions around international law and ethics and the UK’s recently avowed National Cyber Force.
Ed Stacey: Tim, as you know, this interview series is all about offensive cyber. This is quite a slippery term, so could you perhaps kick us off with a working definition?
Tim Stevens: You will be unsurprised to hear that there is no working definition, or at least no consensus on definition, about what offensive cyber is. Obviously, it is a term that attempts to draw some kind of analogy from other capabilities that can be used for offensive purposes – one of which is obviously weapons, another would be munition. But actually, offensive cyber is a lot more difficult to pin down because it is not kinetic in any conventional sense: it is not something that you can throw, shoot or drop on someone to cause damage.
But what offensive cyber tries to get at is the idea that through computer code, so little packets of software that can be sent through computer networks, you are going to attempt to deny, degrade, disrupt or even destroy something that your enemy holds to be of value. This principally could be data itself or it could be the computer systems and computer networks that data is held on.
Now offensive cyber is also being used not just in a military context but an intelligence context too, so it has some relationships with espionage or at least the covert activities of intelligence agencies. It could conceivably be used not in the kind of military break things sense but in the more inflected activities of intelligence, like subversion or sabotage, that occupy a slightly weird space and do not look like acts of war, for example.
ES: Terms such as cyber war, cyber attack and cyber weapons are used quite loosely in public discourse. Do you think we need to be more precise with our language when we are talking about offensive cyber?
TS: I think it would help if we had in common discourse some understanding that perhaps we are overhyping some of the phenomena that we're describing, and using heavily militarised language like cyber war really does not help. Cyber attacks are usually nothing of the sort and cyber weapons usually cannot be classed as weapons, for example.
To take the cyber war example. When we think about cyber war, these days it usually means some kind of state of hostilities operating between two states, in which they are battering each other with cyber weapons of some description or another. Now apart from the fact that we have not seen this, it is also unlikely that we will see it. I think if two states are to be in a declared or actual state of cyber hostilities, there will be other issues – other types of operations in other domains – that are going to be just as relevant. So this idea of a standalone cyber war is not helpful.
Cyber warfare, on the other hand, is helpful because that is what militaries and intelligence agencies arguably are involved in at present – they are fighting, conflicting and contesting cyberspace as an operational domain. And they are doing that through offensive cyber, in part, but also through other activities that they can bring to bear on that domain. So cyber warfare has some utility; it is a form of warfighting or conflict through cyber means.
Cyber attacks, well that is just used to denote anything that you do not like. Whether it is an attack in any kind of conventional or attenuated sense is really irrelevant. If your adversary – whether they are a criminal, terrorist, state or proxy – has done something to your networks that you do not like, you call it a cyber attack, even though it might be nothing of the sort. It might be one of billions of automated pings or bots that confront your networks every day as a matter of course. Or it could be a cunning, socially-engineered and sophisticated cyber operation against something that you hold of value. The two are clearly not the same, but they are all being called cyber attacks in popular discourse, and the media are just as guilty of this as politicians and occasionally academics and civil society too. So I do think it is important to make these distinctions.
The issue with cyber weapons is whether these types of capabilities can actually be described as weapons, and again there is no consensus. Conventionally weapons have to have the capacity to hurt by virtue of, say, ballistics. If you think about discussions around chemical and biological weapons, people are sometimes uncomfortable calling them weapons in any conventional sense too. And the thing about cyber weapons is that, as of yet, no direct physical harm has been caused by any of those capabilities. Instead, what happens is that there is attenuated secondary harm that would be caused when, for example, you change the 1s and 0s in an incubator in an intensive care unit and as a result of that someone dies, but it does not directly harm that person. So that is the kind of debate that is being had about whether these capabilities are weapons or not.
ES: Thinking about the utility of offensive cyber, why are states developing these types of capabilities and what do they offer that other capabilities do not?
TS: To think about the broader utility or the framing of these capabilities is, I think, to return to the [revolution in military affairs] of the late 1980s and early 1990s, then going on in subsequent decades in western military affairs. So the suggestion that we are shifting towards informationalised, precision strike, stand-off warfare that prioritises our own force protection and the ability to cause effects hundreds, if not thousands, of miles away.
Clearly, if you are sitting at a computer in one part of the world and you wish to attack another computer on the other side of the world, it is much easier to do that through computer networks than it is through conventional means: the mode of operation, the platform and the technology is much easier to get hold of. And if you can create the same effects remotely as if you were standing a hundred yards or half a mile away, then why would you not? You do not have to put your troops, or indeed your intelligence agents, in harm’s way. If you do not have to put a human asset into a foreign country to achieve an effect, why would you? These are the kind of attractions that states are finding in these sorts of capabilities.
Another one, of course, is that it is relatively cheap. It is much easier to hire people to develop these kinds of capabilities than it is to develop a new weapon system. Essentially, if the weapon system you need is, if not quite an off the shelf computer system but something existing that can be adapted, it is much cheaper than trying to develop a new line of fighter jet, precision guided munition, helicopter or battleship of any description. So that is an attraction there.
Another thing is this idea of effects. As I mentioned previously, if you can create some kind of effect that generates, mainly operational or strategic but also tactical, advantage over your adversary through the use of computer networks, that has to be attractive. If it is cheaper, if it does not put your troops in harm’s way and, importantly, does not immediately escalate to something that looks like a conventional shooting war. Because if people are not being directly harmed, but yet you are causing your adversary to change their mind or behaviour in some fashion, that is incredibly seductive for a commander or state that is looking to improve, enhance or extend their operational and strategic toolbox. So that is the general idea behind why these capabilities are attractive.
ES: Looking at the other side of things, what are the limits of offensive cyber?
TS: That is a good question and an open one too. These kinds of capabilities may be attractive to countries and their militaries and intelligence agencies, but the jury is out on how effective they actually are. Because it turns out, for various reasons, that it is actually quite difficult to get your adversary to do what you want through cyber means. Partly this is because they are not as easy to control as we might think, and partly it is because, as I mentioned earlier, causing kinetic effects to actually change someone’s mind in a visceral sense is very difficult.
It is also difficult because you cannot keep doing it with the same capabilities. Once you have developed an advanced offensive cyber capability, essentially you can only use it once because then your enemy will see the code, understand the vulnerability that has been exploited, patch their systems and then that vulnerability disappears. So you cannot keep holding your enemy’s assets at risk, which means that even if something happens once – and given that no computer system is demonstrably secure, it is going to happen at some point – you know that it is a one-off attack. Because you know, or at least you hope, that your adversary has not got the capability to keep punishing you in that way. So that means that if you can roll with the punches if you get attacked or exploited, you are not expecting a follow-up that is really going to double down and force you to change your mind or your behaviour.
So for all the attraction of these capabilities, there are limits. Now that is not to say that there are limits to the imagination of people who wish to develop and deploy these things, and I am not saying for a second that, with this realisation that there are limits to their utility, states are going to stop developing them, because they are not. In fact, what I think is going to happen is what you are seeing at the moment, which is that states and other actors are going to continue to experiment with them until they find some way of generating the higher-level effects that they wish.
To bring that round to a conclusion: tactically, they can be very useful; operationally, they can generate some really interesting effects; strategically, it looks very difficult to generate the effects that you want.
Part II of this interview will be published tomorrow on Friday 4th June 2021.