Making Sense of Offensive Cybersecurity

DOI: 10.4018/978-1-6684-8691-7.ch001
Abstract

Offensive cybersecurity is a complex and rapidly evolving field critical for protecting organizations and governments from cyber threats. However, due to its sensitive nature and potential ethical concerns, it is often shrouded in secrecy and controversy. This chapter comprehensively explains offensive cybersecurity, including its definition, capabilities, limitations, and legal and ethical implications. The chapter discusses the various offensive cyber operations that militaries and governments may use to defend themselves and deter potential attackers and the legal framework that governs such activities. It also explores the ethical considerations of offensive cybersecurity and the need for responsible use to avoid unintended consequences. Ultimately, the chapter seeks to promote a balanced understanding of offensive cybersecurity that acknowledges its potential benefits and risks and highlights the importance of using it judiciously and within legal and ethical boundaries.
Introduction

Increasing reliance on digitalization is ubiquitous among organizations. As organizations work to leverage digital capabilities, lurking cybersecurity threats make these institutions vulnerable to offensive cybersecurity operations projected by nation-states, cybercriminals, hacktivists, and other illicit groups and individuals. A former senior government official stated that nearly 100 nations possess offensive cyber-attack capabilities (Smeets, 2018). Offensive cybersecurity capabilities are a force enabler and multiplier to conventional military resources and a stand-alone capability (Smeets, 2018). While most institutions focus predominantly on cybersecurity defense, offensive cybersecurity is a growing area of interest, given the increasing number of cybersecurity incidents.

A 2021 Wall Street Journal article reported that corporations should not strike back after a cyber-attack because the risk is too high and the counter activity could go wrong (Rundle, 2021). The cybersecurity expert cited in the article argued that offensive cybersecurity should be the responsibility of the government, which is equipped and trained to handle such tasks. It is understandable why senior officials in the Department of Defense (DoD) dispute the notion of corporations hacking back (Rundle, 2021); however, most opponents are not offering any new initiatives to protect private businesses.

Cybersecurity threats challenge private and public organizations, and the strategic advantage belongs to malicious cyber actors or adversarial nation-states (Corcoran, 2020; Nobles et al., in press). Businesses are losing billions of dollars annually and enduring financial and reputational damage as targets of opportunity for nefarious actors (Housen-Couriel, 2021; Lindsay, 2021). The mounting losses by corporations illustrate malicious actors capitalizing on entities that lack offensive support from authorized institutions or organic offensive strategies and the authorization to strike back beyond their digital perimeters.

In the U.S., military offensive cybersecurity operations are executed under Title 10 authorization via the U.S. Cyber Command. The U.S. Cyber Command attained full operational capability in September 2018 (Pernik, 2018). An objective of U.S. Cyber Command is to defend or assist civilian authorities with major cyber-attacks against critical infrastructure, including offensive cybersecurity (Pernik, 2018). The establishment of the U.S. Cyber Command brought about three significant changes and a reorientation of strategy, as indicated by the following: (a) the DoD has the authorization to operate in space beyond U.S. infrastructure conducting offensive cybersecurity, (b) the DoD has consent to conduct cyber operations outside of the U.S. perimeter without Congressional authorization, and (c) operations executed are not necessarily covert in nature as defined by domestic laws (Smeets, 2020). Scholars recognized the abovementioned changes as authorization for the U.S. Cyber Command to act more rapidly through abbreviated approval processes and authorizations (Smeets, 2020). The ascendancy of the U.S. Cyber Command signals to the greater international community that the U.S. has a comprehensive cyber capability (defensive and offensive capacities) to pursue national security objectives.