Article

Integrating offensive cyber capabilities: meaning, dilemmas, and assessment

Pages 395-410 | Received 14 Nov 2017, Accepted 02 Aug 2018, Published online: 14 Aug 2018
 

ABSTRACT

Across the world, states are establishing military cyber commands or similar units to develop offensive cyber capabilities. One of the key dilemmas faced by these states is whether (and how) to integrate their intelligence and military capabilities to develop a meaningful offensive cyber capacity. This topic, however, has received little theoretical treatment. The purpose of this paper is therefore to address the following question: What are the benefits and risks of organizational integration of offensive cyber capabilities (OIOCC)? I argue that organizational integration may lead to three benefits: enhanced interaction efficiency of intelligence and military activities, better (and more diverse) knowledge transfer, and reduced mission overlap. Yet there are also several negative effects attached to OIOCC. It may lead to 'cyber mission creep' and an intensification of the cyber security dilemma. It could also result in arsenal cost ineffectiveness in the long run. Although the benefits of OIOCC are seen to outweigh the risks, failing to grasp the negative effects may lead to unnecessary cycles of provocation, with potentially disastrous consequences.

Disclosure statement

No potential conflict of interest was reported by the author. The author would like to thank Florian Egloff, Richard Harknett, Lennart Maschmeyer, Nikolas Ott, Henry Rõigas, James Shires, and anonymous reviewers for their comments on early drafts. An earlier version of this paper was published in the conference proceedings of the 9th International Conference on Cyber Conflict of NATO CCD COE.

Notes

1. Compare for example the broad focus of the new German command on cyber and information space with the more narrow set up of the Dutch Cyber Command.

2. The point that the nature of the organization matters for the conduct of cyber operations has been made before. For example, as Slayton (2017) notes, "cyber offense and defense depend not only on the skills of individuals, but also on skilled managers and the organization of workers."

3. On path dependency of organizations see Pierson (2004).

4. There are dozens of definitions of OI. As the definition indicates, I focus on the cross-function orientation reflecting linkages within government, i.e. internal integration.

5. It occupies a central place in several bodies of literature, including organizational theory, management, information systems, and organizational strategy (Barney 1991, Truman 2000, Chalmeta et al. 2001, Ettlie and Reza 2001).

6. Ettlie and Reza, “Organizational Integration and Process Innovation”.

7. In most countries, the creation and reorientation of institutions dealing with cyber security is ongoing and occurs in parallel to a range of other initiatives such as strategy formulation, regulation, and the creation of informal partnerships.

8. I focused on this level because it is the one which has received the least amount of rigorous analysis but where the stakes are potentially the highest.

9. Unlike discussions about initiatives promoting defensive measures, offensive cyber capability development has remained shrouded in secrecy, perhaps even more so than conventional security issues.

10. Note that a sophisticated actor does not always have to use sophisticated capabilities. For a more extensive discussion on this topic see Buchanan (2017b).

11. Note that I differ from Aitel, as his framework does not distinguish between the type of vulnerability exploited (i.e. zero-day versus non-zero-day exploits).

12. The term multi-stage attack is often used in the literature. It has, however, two different meanings. For Landau and Clarke it occurs when computer A penetrates computer B, which is then used to penetrate computer C, and so on. For others (see for example Rid and Buchanan), multi-stage means that a cyber attack occurs through steps that can be temporally distinguished. I refer to the latter meaning in this article. See Clarke and Landau (2010); Rid and Buchanan (2015).

13. Other common forms of interdependence concern "pooled interdependence" and "reciprocal interdependence" (Thompson 1967).

14. I follow the framework of Mathew et al. (2016). Other frameworks exist, see for example: FireEye (2012).

15. This typically refers to buffer overflow attacks, in which the program writes past the end of a buffer and overwrites adjacent memory that should not have been modified.
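To make the mechanism in this note concrete, the following C program is an added illustration written for this page; it is not code from the article or its author. It models two adjacent variables as one struct (an 8-byte input buffer immediately followed by a 4-byte value the program depends on) so the overwrite is deterministic, and sets an unchecked copy beside a bounded one. The struct, field names, the constant `GUARD_INTACT` and the input string are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent variables modelled as one struct (constructed for this
 * example): an 8-byte input buffer immediately followed by a 4-byte value
 * the program depends on, a stand-in for a saved return address or a
 * privilege flag. No padding sits between them, so sizeof(frame_t) == 12. */
typedef struct {
    char     buf[8];
    uint32_t guard;   /* the "memory adjacent to the buffer" */
} frame_t;

#define GUARD_INTACT 0xCAFEBABEu

/* Vulnerable pattern: the copy length is dictated by the input, not by the
 * size of buf, so any input longer than 8 bytes spills into guard. The clamp
 * to sizeof f only keeps this demonstration inside the object; it is a model
 * boundary, not a fix, and a real strcpy() would keep writing past it.
 * Returns the value of guard after the copy. */
uint32_t copy_unchecked(const char *input, size_t len) {
    frame_t f = { {0}, GUARD_INTACT };
    if (len > sizeof f) len = sizeof f;   /* model boundary, not a fix */
    memcpy(&f, input, len);               /* length unrelated to sizeof f.buf */
    return f.guard;
}

/* Hardened pattern: the copy is bounded by the destination, the buffer is
 * always NUL-terminated, and over-long input is reported instead of being
 * written into the neighbouring field. Returns guard afterwards and, when
 * truncated is non-NULL, sets *truncated to 1 if the input did not fit. */
uint32_t copy_bounded(const char *input, size_t len, int *truncated) {
    frame_t f = { {0}, GUARD_INTACT };
    size_t n = len < sizeof f.buf - 1 ? len : sizeof f.buf - 1;
    memcpy(f.buf, input, n);
    f.buf[n] = '\0';
    if (truncated) *truncated = (n < len);
    return f.guard;
}

int main(void) {
    /* Constructed input: 8 filler bytes followed by 4 bytes of 'B' (0x42). */
    const char attack[] = "AAAAAAAABBBB";
    int trunc = 0;
    printf("unchecked: guard = 0x%08x\n", copy_unchecked(attack, 12));      /* 0x42424242 */
    printf("bounded:   guard = 0x%08x, truncated = %d\n",
           copy_bounded(attack, 12, &trunc), trunc);                        /* 0xcafebabe, 1 */
    return 0;
}
```

The unchecked copy leaves `guard` holding the attacker's bytes; the bounded copy leaves it intact and reports the truncation, which is the property a caller should act on (reject the input) rather than silently continue.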

16. With “x” being a positive number.

17. Legal compliance increases the costs of development due to the additional need for testing, grading costs, and the losses of rejected capabilities.

18. Lindsay and Gartzke (2015) consider deception to be a distinct strategy, similar to deterrence in the nuclear era.

19. As Martin Libicki (2007, pp. 31–36) states, there is no "forced entry" when it comes to offensive cyber operations.

20. This means a serial relationship exists, as the output of the reconnaissance operation becomes the input for the cyber operation whose aim is to cause harm or damage.

21. As a report from the National Research Council adds, "In at least one way, command and control for cyberexploitation is more complex than for cyberattack because of the mandatory requirement of report-back – a cyberexploitation that does not return information to its controller is useless. By contrast, it may be desirable for a cyberattack agent or weapon to report to its controller on the outcome of any given attack event, but its primary mission can still be accomplished even if it is unable to do so." (Owens 2008, p. 155).

22. The size and budget of most other cyber commands are much smaller. For example, according to the Wall Street Journal, the Danish government "[a]llocates about $10 million a year for 'computer-network operations,' including defense and offense, since 2013" (Valentino-Devries and Yadron 2015).

23. FireEye (2012) offers an example in its report on attributing advanced cyber-attacks. It describes emails from "four separate attacks that use different exploits, different lures, and different first-stage malware implants. But they all target religious activities. And […] they are all sent from the same server […]. This evidence points to multiple actors on the same team, using the same infrastructure."

24. For original formulations see Butterfield (1951), Herz (1951), Jervis (1976, 1978), Tang (2009).

25. The U.S. Cyber Command has recently proposed the development of "loud" cyber weapons for use when attribution is desired, though this raises a great number of operational questions; see Bing (2016), Lin (2016a, 2016b).

26. States also mention this in their national strategies. For example, in its 2012 National Cyber Security Strategy, Spain wrote that one "line of action" is to "boost military and intelligence capabilities to deliver a timely, legitimate and proportionate response in cyberspace to threats or aggressions that can affect National Defence" (Brey 2013).

27. Note that certain cyber capabilities are more transitory than others (see Smeets 2018).

28. Although I refer to this as a new form of mission creep, I do not argue that the same dynamics which cause military mission creep cause cyber mission creep.

29. "To ensure that an offensive cyber attack is successful, the attacker needs to constantly find innovative ways to mislead the enemy – which may mean deviating from routines, or crafting routines that permit individuals to make adjustments at their discretion," Smeets states (2017).

Additional information

Notes on contributors

Max Smeets

Max Smeets is a cybersecurity fellow at Stanford University Center for International Security and Cooperation (CISAC). He is also a non-resident cybersecurity policy fellow at New America and Research Associate at the Centre for Technology & Global Affairs, University of Oxford. Max has previously held research positions at Columbia University SIPA, Sciences Po CERI, and NATO CCD COE. He earned his MPhil and DPhil in International Relations from the University of Oxford, and holds an undergraduate degree from University College Roosevelt.
