Encouraging New Thinking on Offensive Cyber Operations

Today RUSI and the UK’s National Cyber Force (NCF) are launching a new initiative to develop a UK community of interest on the subject of offensive cyber operations. The UK Cyber Effects Network is particularly aimed at early career professionals with a view to encouraging new thinking on the theory and practice of offensive cyber.

This is a timely moment to be encouraging new UK-centric thinking on offensive cyber. The last few months have seen the publication of a new Strategic Defence Review and a new National Security Strategy and we are expecting a revision to the UK National Cyber Strategy later this year. A lot of new thinking is going into defence and security issues in the UK, including cyber. And this is all happening against a backdrop of an ever more complex and dangerous international situation and the ever-growing role of technology, both as a threat and opportunity in the security and defence environment.

New thinking on defence, security and technology needs more than ever to be underpinned by a rigorous and well-informed debate on these issues across government, academia and wider society. But in the case of offensive cyber (cyber operations to add, delete or manipulate data on systems or networks to deliver a physical, virtual or cognitive effect) this is not always easy.

Offensive Cyber Operations

Offensive cyber is a relatively new, sometimes opaque and often misunderstood subject. Even the basic terminology can be hard to pin down. There remains no single settled term to describe what we are talking about – offensive cyber, cyber effects and cyber operations are often used interchangeably.

And the boundaries can sometimes be unclear, for example as to where cyber espionage and information operations sit in relation to offensive cyber. For the purposes of the Cyber Effects Network we are looking at cyber operations that can be used to influence individuals and groups, disrupt online and communications systems and degrade the operations of physical systems.

And while there are now plenty of examples in the public domain of destructive and disruptive offensive cyber operations by hostile states, there is very little verifiable information publicly available about offensive cyber operations by the UK and other democracies, not least for the obvious security reasons. The absence of such hard evidence can make analysis of the operationalisation of offensive cyber by democracies difficult.

Despite these complications there is a growing body of literature from academics and think tanks that seeks to consider the theory and practice of offensive cyber. Even in the relatively short time that this has been a matter for study, very different perspectives have emerged, some more helpful than others.

Offensive cyber as a capability has been both over-estimated and under-estimated. There was an early tendency to regard it as a strategic capability akin to nuclear, capable of delivering devastating effect (language like ‘cyber Pearl Harbor’ was sometimes used).

In practice, this proved a ‘red herring’ and more recent analysis has tended to paint a more balanced and realistic picture of these capabilities. Cyber operations may be more relevant in an operational or tactical context, and their cognitive or psychological effect can be more important than the practical one on systems targeted. Critical factors such as co-ordinating with other lines of operation and tools of statecraft in the physical world can make all the difference.

As thinking about the utility of cyber effects evolves there is always a risk of the pendulum swinging too far one way or the other. The relative lack of success of Russian strategic offensive cyber operations targeting Ukraine (with a few notable exceptions) should not be interpreted as meaning these capabilities have little real potential. There is now a more nuanced discussion of the value of cyber operations in Ukraine, including recognising the significance of effects at the operational and battlefield level, such as to disrupt UAV command and control systems.

And just recently, concerns about China pre-positioning cyber capabilities on US critical infrastructure, potentially for future destructive effect, have brought fresh attention to the potential of offensive cyber to disrupt key civilian infrastructure at a time of crisis.

Global Progress

Doctrinal thinking about the application of offensive cyber capabilities by democracies seems still to be in its infancy. Few democratic governments have made public statements about their approach. But US Cyber Command set the agenda in 2018 with its Command Vision which set out key US cyber operations concepts including ‘persistent engagement’ and ‘defend forward’. For some years this was the only significant statement on cyber operations doctrine from a democratic state and as such played an important part in shaping the public debate.

This inevitably strengthened the centrality of US thinking when it came to offensive cyber, reinforced by US Cyber Command’s willingness to bring academics into the heart of their organisation. This has shown an impressively open-minded approach to drawing on expertise from across civil society to help develop doctrinal concepts.

In 2023 the UK published the NCF’s Responsible Cyber Power in Practice, an unprecedented statement of UK thinking on the application of offensive cyber capabilities in a responsible way. This document lifted the veil, to an extent, on the UK government’s approach including to what it calls ‘the doctrine of cognitive effect’ in relation to offensive cyber operations. The publication of Responsible Cyber Power in Practice was a significant step for the UK government and provides a valuable counterpoint to what at times feels a largely US-focused debate on the application of offensive cyber by democracies.

A broader, more diverse, range of voices needs to contribute to the debates around offensive cyber theory and practice. And there is much to explore – are offensive cyber operations escalatory, how should the transition from sub threshold to wartime operations be achieved, what is the role of campaigning and how best can democracies gain a licence to operate are just some of the questions worthy of new perspectives. The creation of the UK Cyber Effects Network is an ambitious initiative aiming to encourage exactly this sort of new thinking, particularly with a UK flavour.

This is important because offensive cyber is still a new field, with nascent thinking including on policy and doctrine. It is one where some of the coverage, particularly that aimed at the general public, can often generate more heat than light. And it is by its nature an area of complex judgements if effect is to be achieved in a responsible way. For democracies a licence to operate from the public is essential. A well informed and diverse public debate is vital to achieving this.

Moreover, that discussion must not be dominated by one particular country or point of view. The US approach to offensive cyber is of course of significant interest and importance. But US doctrine does not necessarily read across to other, smaller democratic nations with different resource levels and legal frameworks. So more alternative voices, including from the UK, are needed. This is what the new Cyber Effects Network is looking to encourage, by providing opportunities in particular for early-career professionals from academia, think tanks, industry or government to publish relevant work and join a community of interest of those generating new thinking on this important topic.

© RUSI, 2025.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.

Have an idea for a Commentary you'd like to write for us? Send a short pitch to commentaries@rusi.org and we'll get back to you if it fits into our research interests. View full guidelines for contributors.