Recent events in Estonia and Georgia have elevated the threat of cyber attacks to the
international consciousness. While this has added visibility to the topic, it has not brought more clarity to
the discussion. Terms like cyber warfare and cyber terrorism are widely used, but their definitions are
rarely agreed upon. As a result, there is a lot of skepticism about the true nature of cyber threats and
whether governments are engaging in such attacks in cyberspace.
It should be safe to assume that all governments are developing and using defensive cyber capabilities to
some degree. Defending computer systems is considered a right, and legal frameworks typically support
such activity. As soon as one goes on the cyber offensive, however, they are off the map. There is little
consensus, let alone legal guidance, regarding the use of cyber attacks to further a political or military
goal. Very few nations have announced an offensive capability in cyberspace, but it is reasonable to
assume that more are covertly creating such a capability.
In this paper the term offensive cyber capability is used instead of the better-known computer network
attack (CNA). Offensive cyber capability differs from CNA by including actors from outside the direct
control of the government, such as freelance hackers, criminals and flash mobs, as possible extensions to
a nation-state’s offensive capability.
This paper offers a theoretical model composed of three approaches that a nation-state might use when
creating an offensive cyber capability. First, the traditional use of ‘own forces’ is analyzed. The second
way is to cultivate a volunteer force that can be guided to attack designated targets with little or no
attribution to the government. The last approach is to outsource the problem to digital mercenaries. Each
option has unique benefits and drawbacks, while some aspects remain universal across the board. In
reality, the most effective approach is most likely a combination of all three.
Ottis, R. (2009). Theoretical Model for Creating a Nation-State Level Offensive Cyber Capability. In Proceedings of the 8th European Conference on Information Warfare and Security, ECIW 2009, 6-7 July, Lisbon, Portugal. Reading: Academic Publishing Limited, pp 177-182.