Where Does Cyber Defense Stop and Offense Begin?
German Institute for International and Security Affairs (SWP)
Matthias Schulze is a cybersecurity expert at the German Institute for International and Security Affairs (Stiftung Wissenschaft und Politik, SWP), where he is the co-coordinator of the cyber research cluster. He currently focuses on cyber conflict, government hacking, encryption, and vulnerability disclosure. He holds a Master’s Degree in political science, sociology, and philosophy and defended is Ph.D. thesis “From Cyber-Utopia to Cyber-War. Normative Change in Cyberspace” in August 2017.
It is a well-known platitude that the Internet transcends national boundaries, just as it does domestic and foreign policy. However, when countless information technology (IT) networks are bound together in a global system, and more and more countries understand cyberspace as a domain for warfare, then one must ask the fundamental question of what constitutes offensive and defensive action. Traditional definitions of cyberattacks, such as “actions taken to disrupt, deny, degrade or destroy information resident in a computer and/or network” are too simplistic. This is because, among other things, activities in cyberspace have problems with authentication and attribution of actors and are constantly changing and ambiguous.
A cyberattack is usually latent, as compared with kinetic attacks, such as a rocket that has range and explosion impact characteristics. Code is constantly changeable and has no manifest characteristics. Cyber activities can also be anything from digital vandalism, to cybercrime, political and economic espionage, or disruptive or destructive military cyberattacks. The distinct areas cannot be sharply differentiated from each other. A cyber operation developed originally for espionage can become destructive through adding malware modules, or gains the character of cybercrime through selling stolen data obtained through the cyber operation. The spectacular events of 2017—WannaCry and Not Petya—make clear that the mix of political and criminal goals makes it increasingly difficult to classify the attacks. The constant changeability of cyber operations calls into question many governments’ classic division of labor in criminal prosecution, divided between the police and espionage units, intelligence services and defense services, and IT security offices and defense/attack forces.
In addition, in political discourse, specific terms exist, such as “lawful hacking,” “active defense,” and “hack back,” which pose new questions about cyber defense and offense and the territoriality of government activity. For example, if police agencies respond to a cyberattack with a hack back targeting a server in a foreign country using penetrating malware in order to gather evidence, they might inadvertently attack a Command and Control Server (C2) of a foreign intelligence service. This defensive cyber-attack can quickly lead to a political escalation. On the other hand, it would be fatal if a criminal uses government-developed malware to launch a cyber intrusion and the attack is then inadvertently classified as a government attack. For this purpose, the factors that define offensive and defensive actions in cyberspace must be defined. If one reviews the cyber strategies of different countries, one discovers that there is little said on what actually constitutes the difference between cyber offense and defense.
This essay presents an analytical process which helps to classify ambivalent activities in cyberspace. It will be argued that the offensive and defensive classification is dependent on the following factors: Where did the action take place (location)? Why did the action happen (intention)? How and with what means was the operation conducted (modus operandi)? What effect did the action have (effect)? What is the context of the activity? These factors should always be considered together.
Location of the Cyber Operation
Both the EU’s Budapest Convention (2004) as well as the U.S.’ Computer Fraud and Abuse Act of 1986 state that the non-authorized intrusion into a foreign system should be qualified as illegal. This is a purely perimeter-based definition, which refers to the place of a digital operation, and whether one is legally online in their own network, or that of someone else. According to this definition, defensive activities can be understood as those that secure your own perimeters and take place on your own system. Defensive measures can include technical, preventive measures such as firewalls and anti-virus systems, but also organizational processes such as digital rights management and update policies. The active collection of information through intrusion detection systems, honey pots, “threat intelligence,” or the use of Hunter-Teams is usually based in your own perimeter and in your own organization. If an external service provider such as CloudFlare is used to mitigate denial of service attacks, to reroute destructive data (“sink holing”), or to block certain servers or IP addresses, it is no longer merely passive defense, but it still takes place in your own legal sphere and national jurisdiction.
According to this location-based typology, offensive actions are those that take place in a foreign network. This includes spying on foreign IT systems or intruding into their systems, either with malware or social engineering.
Intention of the Cyber Operation
Purely location-based definitions usually ignore the motivation or intention of the cyber actor, which is central for classifying the cyber event. An ethical hacker, who uses an offensive cyberattack to perform penetration testing of a company’s network, or to test foreign IT systems’ weaknesses, would be classified as a criminal actor according to the location-based definition. Making white hat hackers criminals through vague legal bureaucracy is a huge problem for cybersecurity.
Location-based definitions are blind to defensive actions that happen outside one’s own perimeters, as well as to offensive actions taken for defensive purposes. Another grey area is the use of a “beacon,” which lures the potential attacker to data in your network that appears to be of special interest, but when the data is extracted, it sends the IP address and the location of the attacking computer back to the data’s original owner. Technically speaking, a beacon is malware that infects a foreign computer, but the intention behind it makes it defensive rather than offensive. “Bot vaccination,” which includes offensively hacking and forcefully patching a remote-controlled computer, also has a defensive goal. Other offensive actions taken for defensive purposes that fall in this grey area include taking over enemy Command and Control (C2) infrastructure or botnet servers in foreign countries with malicious software. Intelligence services call such actions “active defense,” and this includes the observation of a cyber attacker on its own system in order to be prepared for attacks. Active defense via beacons or honey pots does not have to be limited to one’s own perimeter.
The reason for hacking is therefore a critical part of the analysis for classifying a cyber intrusion. One can differentiate between ego-driven motives, such as personal gain or infamy; political motives, such as “signaling,” propaganda, political espionage, coercion, and retribution; and economic motives, including financial gain and espionage. An interesting phenomenon in differentiating between these motives is called “fourth-party collection,” when intelligence service A hacks the C2 infrastructures of intelligence service B, and in the process observes how B is spying on target C. Whether intelligence service B’s actions are considered offensive once they are discovered depends on whether they share the information they obtained through espionage with intelligence service A.
The effect of an action is therefore just as important as its motivation, as will be outlined below. Ethical motivations, such as the increase of collective security through forced patching, can be rated through the purity of the motives (deontological ethics), as well as through the consequences of the actions (consequential ethics). The purpose does not always justify the means used, and even good motivations can cause damages, for example, when a computer that has been forcefully vaccinated no longer functions.
Of course, multiple motives can overlap, which is why motivation-based definitions of offensive and defensive actions are not enough. The WannaCry incident from 2017 appeared to be a classic ransomware incident, with the aim of financial gain. In reality, it also had a political objective. The intention of an incident is often not easily determined. Due to ambiguities in the digital sphere, problems with attribution, and the frequent absence of claims of responsibility, the motivations are often not clear and should be regarded with caution. For a cyber defender, it is often not clear whether a hacker is infiltrating a system due to espionage or with destructive motives, which is why often the worst is assumed. Often the indicators of compromise—i.e., the digital footprints—reveal the motivation.
Similar to a break-in at someone’s home, with a cyber intrusion, the type of action and the choice of means—the modus operandi—illuminates much about the professionalism and implicitly also the motives of the attacker. Thus, analyzing the modus operandi helps with the classification of acts as offensive or defensive. When the goal is to remain undiscovered for the longest possible period, the attacker will put great effort into trying to hide, which, depending on the complexity, often speaks for an intelligence service. Military cyber operations in time-sensitive situations are less interested in camouflage than military targets which can be immediately destroyed. Cyber criminals do not have the financial resources to develop Zero Day exploits, and they therefore use well-known security weaknesses. Cyber criminals frequently use a form of monetization with a large amount of automation, i.e., sending massive numbers of spam or phishing mails. The choice and characteristics of the target and the boldness of the attack, its complexity, and its camouflaging are all parts of the modus operandi of the attacker. The choice of target also reveals much about the motivation behind the incident.
The modus operandi influences the political categorization of an incident and is closely associated with the process of attribution. Without exact forensics and analysis of the incident, valid attribution cannot be made. This is especially important for false flag operations, since with false attribution an innocent third party could be harassed. Pretending to be someone else while breaking into highly sensitive networks of a country might produce more severe political reactions in contrast to cases where an attacker gains access to a network due to a badly configured firewall. The same circumstances play a role in the many cyber incidents occurring around the inadvertent data leaks.
The modus operandi can be determined through the tools and scripts used in a cyber operation. Here there is also a certain ambivalence, so that these criteria should not be used alone. Offensive and defensive cyber operations are based on similar skills and often use the same tools, including those previously installed. This is called “living off the land.” Such a circumstance makes the classification of cyber weapons quite complex.
Just because a system or network has been hacked does not automatically mean that negative consequences should be expected. Most cyber incidents produce only slight, hardly recognizable effects. Many cyber operations successfully penetrate a network but fail when delivering the payload. They fail due to defensive mechanisms, which by definition prevent negative ramifications of an attack. It also can happen that an intruder does not find something in the system that he’s looking for and leaves empty-handed. The malicious WannaCry software could have had a greater effect had there not been coding mistakes in the integration of a “kill switch.” Alternatively, a successful hack of a honey pot or a fake network is actually a tactical failure if the modus operandi is revealed in the process. For the same reason, a tactical success can also be a strategic failure.
One can also differentiate between quality and scope of an effect. One can differentiate levels of quality of an incident as follows: a temporary interruption, a semi-permanent destruction of data or systems (through a “wiper” module), permanent physical destruction (e.g., Stuxnet), or as the exfiltration and manipulation of data. To produce kinetic effects takes an enormous amount of time and resources and therefore seldom occurs.
A Distributed Denial of Service (DDoS) attack is easier because it lasts just a few minutes, or at the most, just a few days. If a company network stops working due to malicious software, it is often a matter of days or weeks until a backup is up and running and business can return to normal. Political or economic espionage operations usually only produce indirect costs, such as the underestimated psychological effects of the lack of trust in your own system or processes, or negative externalities in the form of insurance costs, and the loss of competitive advantage through the theft of intellectual property.
The Tallinn Manual, which attempts to apply international law to cyberspace, provides a helpful typology for rating the effects of cyber operations. Digital incidents which cause human injury or loss of life, or which damage or destroy physical objects, can be classified as use of force according to international law. Retaliatory actions or the right to defense can be activated when the incident can be compared to an armed attack.
As this is a legal grey zone, the severity, the immediacy, the directness, the invasiveness, the degree to which the effects can be measured, the military character, the state participation as well as the assumed legality must be considered. The severity describes the previously named spectrum from disruption to destruction. Immediate consequences count more than hypothetical losses in the future. The direction describes the units in the chain of causation from source to effect. For example, economic sanctions usually have long-term effects and create collateral damage. An armed, physical attack has direct effects. Collateral damage describes the range of the effects. But system failure in hundreds of countries because of the WannaCry incident can also influence the severity. The more innocents are affected, the worse the incident. The intrusiveness describes the degree to which operations penetrate a state’s critical functionality: the more secure and sensitive a state considers a system, the more invasive it will consider the attack.
The military character can usually be identified through targeting, since militaries usually attack other military systems according to international law, and only attack civilian infrastructure based on the jus in Bello concept, when these supply military structures. It is usually difficult to identify whether an operation is state-sponsored or operated. The same goes for the criteria of the assumed legality.
A direct, immediate cyber incident with many visible, long-term collateral effects will be more likely considered an offensive act than a qualitatively smaller and shorter incident such as a DDoS attack.
The phrase “context is for kings” is also applicable in cyberspace. The context of a cyber incident has an immense influence on how these will be politically assessed, and which reactions would be reasonable.
That is why it plays a role if a cyber incident is a singular event or takes place at the end of a chain of events or is part of a longer cyber campaign. Path dependencies of historical events are relevant for classifying cyber incidents. Cyber escalations between two actors who have a history with each other tend to intensify. Cyber conflicts with a longer history can also lead to the problem that each actor knows his enemy’s red line and politically instrumentalizes it.
The gravest contextual condition is the question of whether a cyber operation takes place during peacetime or in the context of an armed conflict. This determines in many countries when certain actors or institutions become active. Military hackers play a role especially in the context of armed conflict. There, the usual international law restrictions apply to cyberattacks in the framework of self-defense, and the victim can either respond in kind or with other methods. Spying on a target through military reconnaissance must be evaluated differently during a conflict than in peace time, where defense against espionage or the law enforcement authorities would call the actions to account.
The subjective, psychological perception of incidents should not be underestimated. The actual damages must be differentiated from perceived damages and must influence whether the victim interprets the cyber incident as offensive.
There is surely an additional long list of contextual factors that should be considered. As with all government activities, interpretation and perception play a role in whether a state sees its own action as aggressive or offensive.
It is difficult to generalize about cyber incidents, because each one has very individual characteristics and contexts. It is no coincidence that cyber forensic companies look at most incidents on a case by case basis, and rarely make inductive generalizations. Quick generalizations and categorizations can lead to mistaken conclusions and to wrong political consequences. Thus, it is difficult to say if a cyber incident was offensive or defensive in nature. Often when there are immediate, visible effects such as physical damages, the judgment seems easier to make. These cases are only a very small minority.
Most cases occur in a hybrid spectrum underneath the threshold of an armed attack. Digital incidents show a high degree of ambiguity and changeability, which is why they can’t be put in tight legal frameworks. This is the reason why in many countries there is a question of which agency has purview, for example when an operation mixes criminal and political intent. Would this then be under the law enforcement agency’s purview or a job for the espionage defense officials? The question of whether a cyber incident is defensive or offensive is usually based on the combination of the legal, technical, and political analysis of the incident. The three levels of analysis must not be congruent with one another. However, the factors of place, intention, modus operandi, effect, and context of the political classification and determination of response reactions—no matter whether those responses are digital or analogue—must be considered as a whole, and given enough time for analysis.
 Belgium defines it as follows: “Offensive capacity includes the manipulation or disruption of networks and system with the purpose of limiting or eliminating the adversary’s operational capability.” See NATO CCDOE Cyber Definitions.
 Juan Andrés Guerrero-Saade and Costin Raiu , “Walking in your enemy’s shadow: when fourth-party collection becomes attribution hell,” Virus Bulletin, 4 October 2017. Online.
 Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal of Strategic Studies 38 (2014): 4–37.
 Due to a false server migration the data of a Swedish transport was exposed for a longer period, meaning viewable on the Internet. This was not a hack in the classical sense.
 Christopher A. Ford, “The Trouble with Cyber Arms Control,” The New Atlantis 29 (2010): 52–67.
 Rebecca Slayton, “What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment,” International Security 41:3 (2017): 995.
 Erik Gartzke and Jon R. Lindsay, “Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace,” Security Studies 24 (2015): 8330.
 Michael N. Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare (Tallinn: NATO CCDOE, 2013), p. 49.