
Active Defense May Lead to a More Weaponized Cyberspace

More countries appear to be replicating offensive cyber defense, drawing up their own strategies and policies or already engaging in joint hunt forward operations.

South Korea’s Defense Minister recently acknowledged that the government intends to draft a proactive offensive cybersecurity strategy to counter increasing cyber threats targeting South Korea. At a prominent cybersecurity conference, he underscored the need for South Korea to substantially increase its cyberwarfare capabilities, as well as to develop policy and international cooperation frameworks so that it can collaborate with global partners. The Defense Minister also emphasized expanding the ranks of South Korea’s white hat hackers to bolster the country’s national cyber defense posture. The declaration comes at a time when South Korea and the United States have created guidance for their first joint cybersecurity cooperation, for the purpose of streamlining joint military operations. The United States has pioneered the implementation of active cyber defense, a strategy that employs hunt forward teams whose purpose is to disrupt adversary networks and operations in advance of pending cyber attacks. Unsurprisingly, though few details were provided, it appears that South Korea’s strategy will closely mirror that of the United States, facilitating any future collaboration.

At first blush, the move intimates the standard sentiment of governments working together on cyber security matters. However, the focus on the offensive aspect of cyber defense suggests that future U.S.-South Korean cooperation may entail something more, especially as North Korea continues to deepen its own offensive cyber capabilities and has become a formidable cyber actor in its own right since its 2014 attack against Sony and its ongoing theft and exploitation of cryptocurrency and cryptocurrency exchanges. Two separate reports on nation state cyber power have North Korea within their respective top rankings. Given that both South Korea and the United States are frequent targets of North Korea, future joint U.S.-South Korean cyber operations conducted under the rubric of “active defense” could well be in store for the Hermit Kingdom. Having an official offensive cybersecurity strategy would greatly aid such activities.

What’s more interesting about this development is that South Korea is not alone. It now appears that more countries are looking to replicate offensive cyber defense, drawing up their own strategies and policies, or else are already engaged in joint hunt forward operations. In May 2023, Canada, Latvia, and the United States engaged in a three-month long operation in Latvia, marking the first time that Canada and the United States conducted hunts simultaneously. Later, in September 2023, the deputy commander of the United Kingdom’s Strategic Command acknowledged that the UK was conducting its own hunt forward operations. Germany, too, shifted the way it was doing cyber defense by focusing on the implementation of offensive cyber capabilities. Both Norway and the Netherlands have also advocated the use of offensive operations to support defensive efforts, though they differ in their approaches. Amid geopolitical turmoil, NATO has been considering adopting offensive cyber activities into its defensive posture, as several of its member states have already developed or are developing offensive cyber strategies on their own.

States adopting offensive cyber capabilities is not new, nor is it surprising. What is new is that states now appear to be scripting their own offensive cyber defense strategies similar to what the United States has. The question is why? A simple answer is that it provides justification for them to conduct cyber attacks under the rubric of a preemptive defensive measure designed to thwart an impending attack or the threat of one. While an indiscriminate cyber attack against another state or state asset might be viewed as an antagonistic action, by veiling itself under “active defense” a government can theoretically conduct an offensive attack under the auspices of defense. Moreover, the more this is done in the wild by states without oversight by an international body, the International Criminal Court for example, the more acceptable it will come to be viewed, and the more other countries will likely follow suit. What’s more, there are limited if any examples where orchestrators of these hunt forward or other active defense activities have provided any substantive evidence showing why such operations were conducted in the first place. This means that there is a real risk that these types of activities can be abused, especially if a state refuses to or is unable to give proof justifying why a preemptive cyber attack was necessary. In today’s environment, “trust” is not adequate justification for states to engage in cyber activity without proper scrutiny.

It’s interesting to note that the states engaged in hunt forward operations are the very ones that most often oppose state cyber sovereignty. This is curious given the perception that some governments maintain some level of relationship with their hacker communities, cybercriminals, and IT sector whose cyber offerings border on being questionable. One of the significant aspects of cyber sovereignty is that with autonomy comes responsibility, and each government can then be held accountable for any malicious cyber activity originating from state and nonstate actors within its borders. Should a government protect these proxies from outside investigation and extradition, the international community could hold that government accountable, enacting a series of economic, political, and diplomatic sanctions in punishment for doing so. In essence, the world could apply pressure to governments that are permissive about how their infrastructures are being used.

By not supporting cyber sovereignty, governments give off the appearance that they would prefer to be able to conduct strikes and hunt forward operations instead of engaging in the diplomatic alternative. And while it is more than fair to say that cyber defense has been losing to the attack side of the house for quite some time, it seems disingenuous to say that active defense is anything but a preemptive attack that is more about punishment than security. Clearly the versatility and the ability to scale severity are attractive when deploying cyber attacks, perhaps driven by the skewed perception that they can be executed with a surgeon’s focus and deliver a devastating impact. However, a 2022 book by Smeets called into question the utility of offensive cyber operations because “very few” states have used them to any substantial effect, suggesting that their utility is more limited than had previously been believed or projected. There is much validity to this hypothesis. Hunt forward operations may temporarily disrupt adversary infrastructure and operations, but they are temporary gains. An engagement is won, but cyber battles and wars are more lasting.

Nevertheless, there is a sense that future conflicts will bring state allies together into supportive roles, one of which will be in cyber. When it comes to active defense and offensive “defense” measures, this is going to require states to have formal offensive cyber defense policies to streamline and coordinate activities under established policies, as is happening now. But this is a dangerous gambit. Instead of adversaries backing down, this may only serve to propel them to do the same. It will be interesting to see the Western reaction if notable adversaries like China, Iran, North Korea, and Russia start to implement their own active defense strategies in cyberspace. If any of these states commits its own hunt forward operations against Western targets, it will be difficult to condemn them, as precedent has already been set. The longer international cyber norms and issues like cyber sovereignty go unresolved, the more countries will embrace adopting this “offense as defense” mindset, even if they use it only as justification to conduct offensive cyber operations. Cyber defense needs to focus on just that: defense. It is not a one-time, winner-take-all situation. It is an ongoing effort, much like any other element of statecraft that seeks to position a country ahead of its adversaries. Failing to concentrate on it conveys a sense that a state’s ability to weaponize cyberspace is more important than its ability to defend itself in it. This is a dangerous message to send, and judging from the role cyberspace is playing in geopolitical conflicts, it’s all anybody is receiving.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.