The issue of whether a country should openly sanction offensive use of “cyber attack” by its military is one of the touchier issues in the world of cyber warfare. Interestingly, US Cyber Command has openly expressed an interest in developing offensive cyber capabilities. Specifically, they refer to offensive operations to prevent cyber attacks on the US. Offense for the sake of defense.
Some tactics have the potential to be both offensive and defensive – like setting up “active defenses” to infiltrate attacking computers and disable them. (Think – before the Yom Kippur War started in 1973 the only difference between offensive/defensive tanks on the Egyptian side was whether or not they were rolling forward.)
Actively infiltrating enemy systems to prevent future attack leads to a shady area, one that will eventually require international consensus on acceptable behavior. The US defines offensive information operations as ones that disrupt, degrade or deny enemy systems. Do some of these activities qualify as an attack in themselves?
In 2007, a team of researchers demonstrated that a cyber attack could blow up a power generator. This was a hopeful take on the issue. If offensive cyber attacks were like Star Trek, then every time one took place a control console would explode and an ensign would go flying across the room. Quick. Fire torpedoes.
This fits nicely into existing international frameworks. Both Article 51 of the UN Charter and Article 5 of the NATO Treaty refer to “armed attack” when authorizing self-defense. But “offensive” cyber capabilities wouldn’t necessarily blow something up or cause direct collateral damage. (What about, for example, planting trojans in an enemy command and control system so that one could cripple them during a future conflict?)
In 1998 the Russians proposed a UN resolution to ban the development and use of cyber weapons. The resolution was largely tabled due to a total inability to define the term ‘cyber weapon’ and the fact that no one had a clue how to enforce such a resolution. Why would anyone comply if compliance was impossible to monitor?
It will be interesting to see how the international community chooses to negotiate the use of offensive cyber capabilities. In the meantime, it’s good that CYBERCOM is willing to bring the discussion into the open. (And there’s the ever-burning question – why don’t they have circuit breakers in the future?)