Logo: to the web site of the Swedish Defence University

This article addresses the question under which circumstances zero-day vulnerabilities should be disclosed or used for offensive cyberspace operations. Vulnerabilities exist in hardware and software and can be seen as a consequence of programming errors or design flaws. The most highly sought are so-called zero-day-vulnerabilities. These vulnerabilities exist but are unknown and, when exploited, enable one way of entry into a system that is otherwise not thought possible. Therefore, from an anticipatory ethics perspective, it is important to understand in what cases zero-days should be disclosed or not.

Den här rapporten presenterar vilka nationella outtalade normer som kan utläsas hos nio stater som bryter mot internationella överenskommelser i cyberrymden. Det finns olika sorters normer och många definitioner på vad det är, där uttalade normer ofta associeras till skrivna regler, medan outtalade normer associeras till underliggande värderingar som exempelvis styr diplomati. Diplomati är en praktik i hur stater ska interagera med varandra. Den Ryska Federationen använde sig exempelvis av diplomati 1998 under det första utskottet av FN:s generalförsamling då de lyfte frågan om hur informations- och telekommunikationsteknologier kan påverka internationell säkerhet. FN antog då en resolution och 2014/2015 presenterade de elva uttalade normer som ska gälla för ansvarsfullt statligt beteende i cyberrymden. Resultatet i denna rapport visar att alla nio stater har brutit mot FN:s uttalade normer men i olika grad/utsträckning. Resultatet visar därför på att de nationella outtalade normerna som kan utläsas hos de nio staterna under granskning i cyberrymden följer den geopolitiska och geoekonomiska situationen i den internationella miljön.

This article presents the ethical issues using offensive cyberspace operations. Previously enshrouded in secrecy, and now becoming the new norm, countries are using them to achieve their strategic interests. Russia has conducted offensive operations targeting Estonia, Georgia and the Ukraine; Hamas was targeting Israeli targets; and Iran has been targeting U.S. targets. The response has varied; Estonia and Georgia struggled with the attacks and were unable to respond while Ukraine tried to respond but it was inefficient. Israel’s response on Hamas offensive operations was an air strike on a building with Hamas Cyber-operatives. Iran shot down a U.S. Drone over the Strait of Hormuz, and the U.S. initially intended to respond with kinetic capabilities in the form of missile strikes. However, in the last minute, the U.S. chose to respond with offensive cyberspace operations targeting the Iranian missile systems. This last-minute change of response choosing between kinetic or cyber capabilities shows a need to further investigate how offensive cyberspace operations can be used against which targets from an ethical perspective. This article applies anticipatory ethical analysis on U.S. offensive operations in the “Global Hawk”-case when Iran shot down a U.S. drone over the Strait of Hormuz. Anticipatory ethical analysis looks at emerging technologies and their potential consequences. Offensive cyberspace operations present a range of possibilities, which include lowering the risk of harm to cyber operatives’ lives belonging to the responding nation. However, a response can also be kinetic. Therefore, the analysis of the “Global Hawk”-case is compared with the Israeli-air strike of the building of Hamas Cyber-operatives. The authors argue that applying anticipatory ethical analysis on offensive operations and kinetic operations assist decision makers in choosing response actions to re-establish deterrence.

This article presents the ethical dilemma related to under what circumstances vulnerabilities should be disclosed. Vulnerabilities exist in hardware and software, and can be as a consequence of programming errors or design flaws. Threat actors can exploit these vulnerabilities to gain otherwise unintended access to information systems, resources and/or stored information. In other words, they can be used to impact the confidentiality, integrity and availability of information in information systems. As a result, various types of vulnerabilities are highly sought after since they enable this type of access. The most highly sought are so-called “zero-day”-vulnerabilities. These are vulnerabilities that exist but are unknown, and when exploited, enable one way of entry into a system that is not thought possible. This is also why zero-day vulnerabilities are very popular among criminal organizations, states and state-sponsored advanced persistent threats. The other side of the coin is when a state identifies a zero-day, and ends up in the ethical dilemma of whether to release the news and inform the vendor to patch it, i.e. close the vulnerability, or to use it for offensive or intelligence purposes. This article employs these distinctions to apply anticipatory ethics in the Stuxnet-case. Stuxnet was a computer software that was allegedly developed by the U.S. together with Israel to disrupt Iran’s development of uranium for their nuclear program. More exactly, it was developed to disable the uranium centrifuges used to enrich uranium. To achieve this, Stuxnet exploited four zero-day vulnerabilities and, according to some experts, managed to delay Iran’s nuclear program by one to two-years, forcing them to the negotiation table. Using vulnerabilities like zero-days presents opportunities but also risks. The results of the application of anticipatory ethics to the Stuxnet case are then compared with the “Osirak”-case and the “al-Kibar”-case. Osirak was the nuclear reactor in Iraq and was bombed in 1981; al-Kibar was the nuclear reactor being built up in Syria, also bombed in 2007.

This article addresses the rise in state-sponsored cyber attacks over the past three decades and proposes a new ambidextrous framework for offensive cyberspace operations. Since 1982, nation states have embarked in a fierce race to develop both clandestine and covert offensive cyber capabilities. Their intended targets range from foreign militaries and terrorist organizations to civilian populations and the critical infrastructures that they rely upon. Advancements in cyber security have, however, contributed to the discovery and attribution of offensive cyber operations, such as state-sponsored ransomware attacks, where state-built cyber capabilities have been used to attack governments, industries, academia and citizens of adversary nations. The financial and psychological costs of these ransomware attacks are today a threat to any state’s national security. This article draws from academic research, the cyber military doctrines of four countries—a total of eight models from the Netherlands, Sweden, the U.S., and the U.K.—and the authors’ operational experience to propose a new ambidextrous framework for offensive cyberspace operations. This ambidextrous framework for offensive cyberspace operations and the associated Cyberspace Operations Canvas are needed today in order to increase the resilience of national critical infrastructures against attacks from state-developed tools. We use the WannaCry-case to illustrate how the implementation of the ambidextrous framework for offensive cyberspace operations would result in increased awareness and understanding of the prospective cyber threats, their intended target(s), the likelihood of cascading effects and the options available by nation states to minimize them.

The annual cyber defense exercise Locked Shields is the world’s largest unclassified defensive exercise. The exercise participants form “blue teams” that are tasked to defend their critical infrastructure against an attacking “red team.” The blue teams are scored based on how well they keep their essential system functions running and the extent to which they manage to assess and report what they are exposed to. During Locked Shields 2019, 24 blue teams from 30 countries participated in a two-day exercise. The case study presented in this paper focuses on one of the blue teams. The team consisted of around 60 people from governmental institutions as well as private companies. The objective of this paper is to explore the possibilities to collect meaningful data for research on Command and Control, C2, Cyber Situational Awareness, CSA, and Intelligence in conjunction with an inter-organizational cyber defense team during a cyber defense exercise. During preparations preceding the exercise, the research team observed the development of strategy, coordination structures and organization in the temporarily formed team as it prepared to solve the highly challenging exercise tasks. During the exercise, data collection included questionnaires, observations, team communication logs, reporting from the blue to the white team and performance scores. The data collection sought to satisfy needs within three research themes - 1) command and control, C2, 2) cyber situational awareness, and 3) intelligence. A review of the dataset showed that the data is well suited for further analysis. The paper presents initial results as well as an outline of how the different types of data collected contribute to research within the three research themes.

Cyber-attacks have increased since the 1988-Morris worm and can target any connected device from any place in the world. In 2010, Stuxnet received a lot of attention as the first cyber-weapon. Its targets were the Iranian nuclear enrichment centrifuges. Nation states are developing cyberspace capabilities to conduct offensive cyberspace operations. Academic researchers have been calling for a more transparent discussion on offensive capabilities and have pointed out the positive impact researchers had during the development of nuclear capabilities. Shrouded in secrecy, the development of offensive capabilities used for operations makes it difficult to conduct research. Therefore, one way to mitigate this is to conduct a systematic review of the current state of research in offensive cyberspace operations. The systematic review method makes it possible to establish certain inclusion and exclusion criteria and systematically go through academic articles to identify the contents, thoughts and research focus of academic researchers. Six scientific databases were queried and 87 articles were read and clustered. The first insight is that, based on the results of the queried databases, research about offensive cyberspace operations is limited. The resulting clusters are a general cluster about cyberspace operations, followed by research in policy, decision-making, governance, capabilities, levels, models, training, deterrence and international affairs. These are then further grouped into: a) general cyberspace operations; b) deterrence; c) international affairs; d) modelling, simulation and training. The article concludes that research into offensive cyberspace operations is maturing as more information is becoming public. Secondly, current research lists some good basic ideas regarding effects which can be achieved through offensive cyberspace operations, how they should be conducted, and related tools, techniques and procedures. However, discrepancies in research efforts exist, with the majority of research coming primarily from the western world. In addition, secrecy and the resulting limited access to information, coupled with research being either too technically focused or too qualitatively focused, show that there still remains room for research in this field. Finally, some directions for future research are examined.

Cyber deterrence is a strategy to deter attackers from conducting cyber-attacks in the first place. However, several issues exist when implementing cyber deterrence, which are identified in this paper. The findings show (1) non-existence of the deterrence strategy  (2) no doctrine or decision competence to retaliate to an adversary, (3) the armed forces have no authority to retaliate when Swedish sovereignty in Cyberspace is threatened, (4) no norms or regulations exist concerning retaliation, (5) no clear governance on using offensive cyber capabilities, and finally, (6) no credibility in its cyber deterrence posture regarding how much Sweden is willing to sacrifice to protect its electoral system, which is a Swedish national interest. Therefore, this research investigates how cyber deterrence can practically be implemented in Swedish cyber security policy. So far, researchers generally focused on the human aspect of cyber deterrence. By using the case study research strategy and utilizing the Swedish electoral system as a case, this paper examines possibilities to merge the human dimensions of cyber security with the technological dimensions. Data collection is performed through documents studies and semi-structured interviews with experts in the area to identify cyber deterrence components. Further, a mathematical approach is discussed in the paper to express the relationship between an adversary and a deterrent depicting each of the actor’s risk calculus. A result of the research work performed in this paper, the deterrence components for Swedish cyber deterrence are proposed and risk calculus is performed. Moreover, measures to increase Swedish cyber deterrence posture are proposed the practical implementation of cyber deterrence in Swedish cyber security policy in order to deter attacks on the Swedish electoral system is demonstrated.