Theoretical Model for Creating a Nation-State Level Offensive Cyber Capability
Rain Ottis
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
rain.ottis@ccdcoe.org
Abstract: Recent events in Estonia and Georgia have elevated the threat of cyber attacks to the
international consciousness. While this has added visibility to the topic, it has not brought more clarity to
the discussion. Terms like cyber warfare and cyber terrorism are widely used, but their definitions are
rarely agreed upon. As a result, there is a lot of skepticism about the true nature of cyber threats and
whether governments are engaging in such attacks in cyberspace.
It should be safe to assume that all governments are developing and using defensive cyber capabilities to
some degree. Defending computer systems is considered a right and typically legal frameworks support
such activity. As soon as one goes on the cyber offensive, however, they are off the map. There is little
consensus, let alone legal guidance, regarding the use of cyber attacks to further a political or military
goal. Very few nations have announced an offensive capability in cyberspace, but it is reasonable to
assume that more are covertly creating such a capability.
In this paper the term offensive cyber capability is used instead of the better known computer network
attack (CNA). Offensive cyber capability differs from CNA by including actors from outside the direct
control of the government, such as freelance hackers, criminals and flash mobs as possible extensions to
a nation-state’s offensive capability.
This paper offers a theoretical model composed of three approaches that a nation-state might use when
creating an offensive cyber capability. First, the traditional use of ‘own forces’ is analyzed. The second
way is to cultivate a volunteer force that can be guided to attack designated targets with little or no
attribution to the government. The last approach is to outsource the problem to digital mercenaries. Each
option has unique benefits and drawbacks, while some aspects remain universal across the board. In
reality, the most effective approach is most likely a combination of all three.
Keywords: offensive cyber capability, cyber attack, computer network attack, People’s War
1. Introduction
Attacks in cyberspace have been a part of many international conflicts over the last ten years (Geers
2008). Arguably the most influential of these attacks occurred in Estonia in 2007 and in Georgia in 2008.
It is notable, however, that in both cases the attackers remained largely anonymous and no direct state
sponsorship has been proven in either cyber campaign. Instead, it looks like the attacks were planned
and launched by concerned individuals who merely were expressing their political views via computer
hacking. While this explanation may be true on the surface, it fails to explain the lack of international law
enforcement cooperation and open propaganda support for the attackers by the Russian authorities (Ottis
2008, Carr 2008).
This paper proposes a theoretical model that consists of three general ways to create a nation-state level
capability to inflict damage on another nation-state or even non-state actors via cyber attack. The first
option is the ‘do-it-yourself’ approach, or using the nation-state’s own forces. The second is to cultivate a
volunteer force that can be guided to attack designated targets with little or no attribution to the
government. The last approach is to outsource (parts of) the problem to other governments, commercial
entities or the criminal underworld in a mercenary model. As shown in Figure 1, combinations of two or
three approaches can also be used, if a need for it exists. The benefits, drawbacks and ways to
recognize each approach are qualitatively analyzed in the following chapters.
According to Joint Publication 3-13 (Information Operations), computer network operations (CNO)
represent one of the five core capabilities of information operations (IO). CNO, in turn, consists of three
elements: computer network attack (CNA – offensive), computer network defense (CND – defensive) and
computer network exploitation (CNE – intelligence). In this paper the term offensive cyber capability is
used instead of the better known CNA, which refers to “actions taken through the use of computer