Only offensive cyber operations below the threshold of armed attack are considered, as no cyber operation thus far has been classified as an armed attack, and it appears that states are deliberately operating below the threshold of armed conflict to gain advantage. We address espionage only in so far as it relates to and illuminates offensive operations.
In this memo, we clearly differentiate offensive cyber operations from cyber espionage. This paper proposes a definition of offensive cyber operations that is grounded in research into published state doctrine, is compatible with definitions of non-kinetic dual-use weapons from various weapons conventions and matches observed state behaviour. It is assumed that common definitions of offensive cyber capabilities and cyber weapons would be helpful in norm formation and discussions on responsible use. There is considerable concern about state-sponsored offensive cyber operations, which this paper defines as operations to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks. [3] The US intelligence community reported that as of late 2016 more than 30 states were developing offensive cyber capabilities. [2] North Korea, Russia and Iran have also launched destructive offensive cyber operations, some of which have caused widespread damage. The United States, the United Kingdom and Australia have declared that they have used offensive cyber operations against Islamic State, [1] but some smaller nations, such as the Netherlands, Denmark, Sweden and Greece, are also relatively transparent about the fact that they have offensive cyber capabilities.
States are developing and exercising offensive cyber capabilities.