Most cyber-capable states conduct ‘offensive cyber operations’ – meaning those operations that are principally intended to deliver an effect via cyberspace rather than those principally intended to gather intelligence or provide ‘goal-line’ protection of networks. In both peacetime and wartime, offensive cyber operations most often entail influencing, misleading or otherwise cognitively affecting a competitor or adversary by, for example, planting false information. But they can also be used for disablement. This might range from, at a low level, temporarily disrupting a government website or removing a criminal group’s connection to the internet to, at a high level, sabotaging a part of a state’s critical infrastructure. This could include damaging a nation’s power grid, as has been attempted extensively by Russia before and during its current war with Ukraine. In wartime, offensive cyber operations could also be used to disrupt an adversary’s command and control, weapons systems and situational awareness.

Thank you for reading this post, don't forget to subscribe!

But the development and use of offensive cyber capabilities entail several strategic risks. For instance, the capabilities might undermine the safe and secure functioning of the internet, dangerously proliferate or act as an escalatory trigger, especially given uncertainty over the extent to which acknowledged thresholds in international law concerning ‘the real world’ apply to cyberspace. Likewise, there is the risk that their extensive and dangerous day-to-day use by cyber criminals might proceed unchecked. Any responsible state that develops offensive cyber capabilities must address these risks.

Since 2018, various states, including the United Kingdom, have promoted the idea of ‘responsible cyber power’ as a way of rationalising and explaining their stances on the various international legal and normative threads relevant to cyber operations. They have done so by issuing statements that helpfully have begun to shed light on the relevant issues, but much more is needed, especially in relation to the responsible use of their own offensive cyber capabilities. Their reticence may be because states perceive more detailed disclosure as too risky, given an understandable wish to protect nationally sensitive capabilities. But states should be able to clarify the relevant principles in ways that avoid revealing sensitive details about their operations or capabilities.

Below, I suggest an eight-point framework with principles for the responsible use of cyber power:

1. 1. Responsible states accept that existing international law can be applied effectively to the use of cyber operations, in peace and war, and demonstrate this in practice.
      The practicalities of applying international law below the threshold of war are most in need of elaboration, but states should not assume that applying it to cyber operations during wartime is straightforward. The governing principle should be to judge cyber operations by the effects they cause, rather than the means used. States should publicly set out how international law affects the conduct of their own cyber operations, rather than focusing solely on what they would consider internationally wrongful if done to them.
   2. Responsible states collaborate with others on improving collective cyber security (i.e., collective defences against all types of hostile cyber incursion). 
      A huge subject in its own right, this is the element with the greatest impact on protecting cyberspace users from the most prevalent day-to-day threats, including during war.
   3. Responsible states carefully control the way they run offensive cyber operations.
      To minimise the possibility of unintended consequences, cyber operations should be as precise as possible, have appropriate command and control, and have assiduous monitoring of their effects throughout. This applies during both peace and war and is especially essential for those operations that are disabling or destructive, but also applies to cognitive operations that have effects which could spiral out of control. States should openly explain their governing principles, processes and oversight for offensive cyber operations. It would then be easier to judge what behaviour is irresponsible; for example, the ‘firing and forgetting’ of uncontrolled computer worms through global IT vulnerabilities.
   4. Responsible states consider certain targets to be off-limits to disabling and destructive offensive cyber operations, while remaining realistic about the parameters they use, given the different legal prohibitions that apply during peace and war.
      Wartime international law is more definitive about the various parameters involved than peacetime international law, but for both there are legal ambiguities concerning the targeting of a state’s critical infrastructure and functions. To help clarify these, it could be openly acknowledged that any state’s critical infrastructure can be a legitimate target during war, provided the attack is in support of a military objective (if, for example, the target is likely to be dual-use military and civilian) and is proportionate, necessary, discriminate and humane. For operations in peacetime, states need to be much clearer about which cyber operations against critical infrastructure might amount to an ‘internationally wrongful act’, such as a use of force or a coercive intervention, and those that would not, such as those used to vandalise, influence, spy and reconnoitre. In doing so, the technical boundaries of what a state might consider to be its critical infrastructure (e.g., its financial or healthcare system, energy sector, communications systems or electoral process) need to be better defined. Prohibitions on the peacetime use of cyber operations to intervene in healthcare, essential medical services and energy supplies would be perhaps the least controversial.
   5. Responsible states counter and control the proliferation of offensive cyber capabilities.This includes how states safeguard their and their private sector’s development and export of relevant capabilities.
   6. Responsible states are transparent about how they minimise the risk to global cyber security when developing offensive capabilities.For example, the United States and the UK have revealed their governing principles and processes for deciding which ‘zero-day’ vulnerabilities they reveal or keep secret for their own use. Essentially, a state’s development of offensive cyber capabilities should always be done in close collaboration with its cyber-security experts.
   7. Responsible states curtail dangerous non-state offensive cyber activity emanating from their territories and collaborate internationally to deal with non-state cyber threats.
      This applies particularly to tackling cyber criminality.
   8. Responsible states encourage and participate in public debate on the responsible use of cyber power, including their own uses of offensive cyber.

Otherwise, it will be assumed that they hypocritically condemn their adversaries while using offensive cyber capabilities in the same way and for the same purposes.

States could clarify the relevant principles of responsible cyber power using the framework above. I know from my professional background that the UK is well positioned to do this, has a good story to tell and can do so without revealing sensitive details about its operations or capabilities. This would help establish sufficient international consensus on one of the most difficult issues that arises in the context of offensive cyber operations: determining whether a state has used cyber capabilities irresponsibly to the extent that an international response, including the use of proportionate countermeasures, is justified.

This analysis is derived from a forthcoming Adelphi book, On Offensive Cyber (London: Routledge for the IISS, 2023).