Assessing Offensive Cyber Capabilities
Exploring the Talent Behind Cybersecurity
Copyright (c) 2023 Selján Gábor
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
The copyright to this article is transferred to the University of Public Service Budapest, Hungary (for U.S. government employees: to the extent transferable) effective if and when the article is accepted for publication. The copyright transfer covers the exclusive right to reproduce and distribute the article, including reprints, translations, photographic reproductions, microform, electronic form (offline, online) or any other reproductions of similar nature.
The author warrants that this contribution is original and that he/she has full power to make this grant. The author signs for and accepts responsibility for releasing this material on behalf of any and all co-authors.
An author may make an article published by University of Public Service available on a personal home page provided the source of the published article is cited and University of Public Service is mentioned as copyright holder
Abstract
The recent emergence of mercenary spyware like Pegasus or Russia’s ongoing conventional warfare in Ukraine, supplemented by a cyber offensive we never experienced before, made cybersecurity even more critical. Despite the considerable research in the field, it seems that academia and the private sector have not been able to keep up with the growing importance of security and privacy resulting from the significant increase in cyber threats to critical services, infrastructure and human rights. Research on cyber capabilities tends to focus on the general understanding of the field and pays less attention to the rapid spread of increasingly advanced offensive cyber capabilities. Correctly assessing the capabilities of others and recognising the steps necessary to develop their own capabilities are essential for any country in combating future cybersecurity challenges. However, since there is no consensus on describing even basic cyber capabilities, current research uses different interpretations and usually lacks offensive capabilities altogether. In this article, I discuss the problem of assessing, measuring and evaluating offensive cyber capabilities, starting from the different definitions of some related terms through the various cyber power indices, right down to the talent behind cybersecurity, and perhaps the most promising indicators for assessing offensive capabilities.
Keywords:
How to Cite
References
Allison, Graham – Schmidt, Eric (2022): The US Needs a Million Talents Program to Retain Technology Leadership. Immigration is the United States’ Secret Sauce – Including in Its Competition with China. Foreign Policy, 16 July 2022. Online: https://foreignpolicy.com/2022/07/16/immigration-us-technology-companies-work-visas-china-talentcompetition-universities/
AttackIQ [@AttackIQ] (2020): Think Bad, Do Good: Julia Voo and the National Cyber Power Index. YouTube, 05 October 2020. Online: https://www.youtube.com/watch?v=OESUV5qRfdY
Billo, Charles – Chang, Welton (2004): Cyber Warfare – An Analysis of the Means and Motivations of Selected Nation States. Institute for Security Technology Studies at Dartmouth College, 01 November 2004. Online: https://www.researchgate.net/publication/230687826
Blue , Violet (2018): When China Hoards Its Hackers Everyone Loses. Engadget, 16 March 2018. Online: https://www.engadget.com/2018-03-16-chinese-hackers-pwn2own-no-go.html
Chawla, Gunjan – Srivastava , Vagisha (2020): What Are ‘Offensive Cyber Capabilities’? The CCG Blog, 07 August 2020. Online: https://ccgnludelhi.wordpress.com/2020/08/07/whatare-offensive-cyber-capabilities/
Chivvis, Christopher S. – Dion-Schwarz, Cynthia: Why It’s So Hard to Stop a Cyberattack – And Even Harder to Fight Back. The RAND Blog, 30 March 2017. Online: https://www.rand.org/blog/2017/03/why-its-so-hard-to-stop-a-cyberattack-andeven-harder.html
Çifci, Hasan (2022): Comparison of National-Level Cybersecurity and Cyber Power Indices: A Conceptual Framework. Research Square, 17 October 2022. Online: https://doi.org/10.21203/rs.3.rs-2159915/v1
CSRC (2021): Vulnerability – Glossary. NIST, 2021. Online: https://csrc.nist.gov/glossary/term/vulnerability
Demchak, Chris – Kerben, Jason – McArdle, Jennifer – Spidalieri, Francesca (2015): Cyber Readiness Index 2.0. Potomac Institute for Policy Studies, November 2015. Online: https://potomacinstitute.org/images/CRIndex2.0.pdf
DeSombre, Winnona – Campobasso, Michele – Allodi, Luca – Shires, James – Work, JD – Mor gus, Robert – O’Neill, Patrick Howell – Herr, Trey (2021a): A Primer on the Proliferation of Offensive Cyber Capabilities. Atlantic Council, 01 March 2021. Online: https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/a-primer-on-theproliferation-of-offensive-cyber-capabilities/
DeSombre, Winnona – Shires, James – Work, JD – Mor gus, Robert – O’Neill, Patrick Howell – Allodi, Luca – Herr, Trey (2021b): Countering Cyber Proliferation: Zeroing in on Access-as-a-Service. Atlantic Council, 01 March 2021. Online: https://www.atlanticcouncil.org/in-depth-research-reports/report/countering-cyber-proliferation-zeroing-in-on-accessas-a-service/
Economist Intelligence Unit (2011): Cyber Power Index. Findings and Methodology. Booz Allen Hamilton, August 2011. Online: https://web.archive.org/web/20151017081309/www.boozallen.com/content/dam/boozallen/media/file/Cyber_Power_Index_Findings_and_Methodology.pdf
ENISA (2023): Cybersecurity Higher Education Database: Programmes Location. Online: https://www.enisa.europa.eu/topics/education/cyberhead/#/statistics
Feldstein, Steven – Kot, Brian (2023): Why Does the Global Spyware Industry Continue to Thrive? Trends, Explanations, and Responses. Carnegie Endowment for International Peace, 14 March 2023. Online: https://carnegieendowment.org/2023/03/14/why-doesglobal-spyware-industry-continue-to-thrive-trends-explanations-and-responses-pub-89229
IISS (2021): Cyber Capabilities and National Power: A Net Assessment. International Institute for Strategic Studies, 28 June 2021. Online: https://www.iiss.org/blogs/research-paper/2021/06/cyber-capabilities-national-power
ITU (2021): Global Cybersecurity Index 2020. International Telecommunication Union, 29 June 2021. Online: https://www.itu.int/epublications/publication/D-STR-GCI.01-2021-HTM-E
Joint Chiefs of Staff (2018): Joint Publication 3-12. Cyberspace Operations. Online: https://irp.fas.org/doddir/dod/jp3_12.pdf
Kueh l, Daniel T. (2009): From Cyberspace to Cyberpower: Defining the Problem. In Kramer, Franklin D. – Starr , Stuart H. – Wentz, Larry K. (eds.): Cyberpower and National Security. University of Nebraska Press. 24–42. Online: https://doi.org/10.2307/j.ctt1djmhj1.7
Laszka, Aron – Zhao, Mingyi – Malbari, Akash – Grossklags, Jens (2018): The Rules of Engagement for Bug Bounty Programs. In Meiklejohn, Sarah – Sako, Kazue (eds.): Financial Cryptography and Data Security. Berlin–Heidelberg: Springer. 138–159. Online: https://doi.org/10.1007/978-3-662-58387-6_8
Liff, Adam P. (2012): Cyberwar: A New ‘Absolute Weapon’? The Proliferation of Cyberwarfare Capabilities and Interstate War. Journal of Strategic Studies, 35(3), 401–428. Online: https://doi.org/10.1080/01402390.2012.663252
Marczak, Bill – Scott-Railton , John – McKune, Sarah – Razzak, Bahr Abdul – Deibert , Ron (2018): Hide and seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries. Citizen Lab, 18 September 2018. Online: https://citizenlab.ca/2018/09/hideand-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/
Minárik, Tomáš (2016): NATO Recognises Cyberspace as a “Domain of Operations” at Warsaw Summit. NATO CCDCOE, 21 July 2016. Online: https://ccdcoe.org/incyder-articles/natorecognises-cyberspace-as-a-domain-of-operations-at-warsaw-summit/
Ministry of Defence (2018): Joint Doctrine Note 1/18. Cyber and Electromagnetic Activities. Online: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/682859/doctrine_uk_cyber_and_electromagnetic_activities_jdn_1_18.pdf
Miralis, Dennis (2019): Defining Offensive Cyber Capabilities. NGM Lawyers, 19 March 2019. Online: https://ngm.com.au/defining-offensive-cyber-capabilities/
Miyashita , Lynn – Eckert , Madeline (2022): Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards. Microsoft Security Response Center, 11 August 2022. Online: https://msrc.microsoft.com/blog/2022/08/microsoft-bug-bounty-programs-year-in-review-13-7-in-rewards/
Murphy, Ben – Creemers, Rogier – Kania, Elsa – Triolo, Paul – Neville, Kevin – Webster, Graham (2021): Xi Jinping: ‘Strive to Become the World’s Primary Center for Science and High Ground for Innovation’. DigiChina at Stanford University, 18 March 2021. Online: https://digichina.stanford.edu/work/xi-jinping-strive-to-become-the-worlds-primarycenter-for-science-and-high-ground-for-innovation/
NATO Standardization Office (2020): Allied Joint Publication-3.20. Allied Joint Doctrine for Cyberspace Operations. Online: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/899678/doctrine_nato_cyberspace_operations_ajp_3_20_1_.pdf
Nurse, Jason R. C. – Adamos, Konstantinos – Grammato pou los, Athanasios – Di Franco, Fabio (2022): Addressing the EU Cybersecurity Skills Shortage and Gap through Higher Education. Publications Office of the European Union, 03 January 2022. Online: https://doi.org/10.2824/033355
Sanborn, Howard – Thyne, Clayton L. (2013): Learning Democracy: Education and the Fall of Authoritarian Regimes. British Journal of Political Science, 44(4), 773–797. Online: https://doi.org/10.1017/S0007123413000082
Sarri, Anna – Kyra noud i, Pinelopi – Thirriot, Aude – Charelli, Federico – Dom inique , Yang (2020): National Capabilities Assessment Framework. Publications Office of the European Union, December 2020. Online: https://doi.org/10.2824/590072
Šendelj, Ramo – Ognjanović, Ivana (2015): Cyber Security Education in Montenegro: Current Trends, Challenges, and Open Perspectives. 7th Annual International Conference on Education and New Learning Technologies (EDULEARN15), 08 July 2015. Online: https://ecesm.net/sites/default/files/EDULEARN_Sendlej.Ognjanovic.pdf
Shen, Xinmei (2022): China’s Demand for Cybersecurity Talent Will Exceed Supply by over 3 Million in Five Years, Says Education Ministry Report. SCMP, 08 September 2022. Online: https://www.scmp.com/tech/tech-trends/article/3191781/chinas-demandcybersecurity-talent-will-exceed-supply-over-3
The White House (2022): Fact Sheet: Biden–Harris Administration Actions to Attract STEM Talent and Strengthen our Economy and Competitiveness. The White House, 21 January 2022. Online: https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/21/fact-sheet-biden-harris-administration-actions-to-attract-stem-talent-and-strengthen-oureconomy-and-competitiveness/
Trump, Donald J. (2019): America’s Cybersecurity Workforce. The White House, 02 May 2019. Online: https://www.federalregister.gov/documents/2019/05/09/2019-09750/americascybersecurity-workforce
Uren, Tom – Hogeveen, Bart – Hanson, Fergus (2018): Defining Offensive Cyber Capabilities. Australian Strategic Policy Institute, 04 July 2018. Online: https://www.aspi.org.au/report/defining-offensive-cyber-capabilities
Voo, Julia – Hemani, Irfan – Jones, Simon – DeSombre, Winnona – Cassidy, Dan – Schwarzenbach, Anina (2020): National Cyber Power Index 2020. Belfer Center for Science and International Affairs, September 2020. Online: https://www.belfercenter.org/publication/national-cyber-power-index-2020
Xiangzhan, Yu – Hongli, Zhang – Haining, Yu – Zhihong, Tian – Jianhong, Zhai – Zhut ing, Pan (2016): Cyberspace Security Competition and Talent Management. Strategic Study of Chinese Academy of Engineering, 18(6), 49–52. Online: https://doi.org/10.15302/JSSCAE-2016.06.010
Ziv, Amitai (2020): Cellphone Hacking and Millions in Gulf Deals: Inner Workings of Top Secret Israeli Cyberattack Firm Revealed. Haaretz, 07 September 2020. Online: https://www.haaretz.com/israel-news/tech-news/.premium-mobile-spytech-millions-in-gulf-deals-topsecret-israeli-cyberattack-firm-reve-1.9125915