xvii Beyond Citations | Seeing through the charm of cyber offence
That cyber offence is useful during conflict or war is understandable. But does an aggressive strategy work during peacetime?
So much has happened in the world of geopolitics in the last three weeks as this newsletter took a programming break. From Ukraine’s audacious drone attack deep within the mammoth Russian territory to Trump announcing a deal with China on trade and rare earths to the Iran-Israel projectile contest, news cycles have been unrelenting and overwhelming. It appears as if suddenly the world is moving towards more disorder.
But this edition of Beyond Citations covers an aspect of tech politics that goes beyond the developments of the last three weeks — the increasing charm of cyber offence.
Naturally, in the aftermath of the Pahalgam terror attack and India’s Operation Sindoor, news cycles were dominated by developments in the air, land and sea domains. But India and Pakistan also dueled in the cyber domain.
As Karthik Bappanad and I wrote for India’s World magazine recently:
Little is known publicly about the offensive cyber aspect of Operation Sindoor barring the 13 May post on X by India’s Integrated Defence Staff: ‘highlighting Technological Superiority of #IndianArmedForces in niche non-kinetic domains of #Space, #Cyber & #ElectronicWarfare.’
However, on the defensive front, India appears to have done reasonably well, especially in protecting critical infrastructure from debilitating attacks. India is one of the most cyber-attacked countries in the world, and it was only to be expected that malicious activity would surge during heightened India-Pakistan tensions and military clashes. Hackers from Pakistan, Turkey, and Bangladesh, among others, reportedly targeted India’s critical infrastructure while Operation Sindoor was underway.
What do we know from official sources? Here’s what a report from Maharashtra’s cyber department dated 10 May 2025 has to say:
Following the Pahalgam terror incident, MH-CERT has found a dramatic surge in hostile cyber activity originating from Pakistan and its ideological allies. According to telemetry from multiple threat monitoring systems, over 10 million intrusion attempts were recorded within days of the attack: a mix of DDoS floods, website defacements, phishing campaigns, and exploit attempts targeting public, critical infrastructure and defence portals. (emphasis in original)
Most of the attacks from Pakistan’s side were not sophisticated in nature. Looking back at the last few weeks, it appears that nothing significant happened in the cyber domain — at least, nothing is publicly known about a major successful cyber attack on either side. But why did India not show its cyber prowess? This is a question worth investigating, as there are no answers currently.
But the question worth foraying into at this moment is about cyber offence during peacetime — an idea that is becoming increasingly charming to states. That states would employ all of their warfighting capabilities during wars and ‘conflicts-that-are-not-called-wars’ across all domains is understandable. But should states adopt an aggressive cyber offence posture even during peacetime? Should India adopt this stance?
The fact that even Japan, which is otherwise (largely) pacifist, has now enacted an active cyber defence law only demonstrates how appealing this idea has become.
But does it help to have an active cyber defence strategy? Has it made the US, which has the most expansive and aggressive cyber posture in place (with persistent engagement and defend forward as its two central pillars), more cybersecure? If the phenomenal cyberattacks on the US in the last few years, including Salt Typhoon, are any indicator, then it doesn’t seem so. It is one thing that an aggressive strategy doesn’t necessarily make one more secure, but can this posture even be counterproductive?
Jenny Jun, a cyber researcher in the US, may have some answers in the following paper for the Atlantic Council:
Jenny Jun, “Preparing the next phase of US cyber strategy,” Atlantic Council, Issue Brief March 2022, https://www.atlanticcouncil.org/wp-content/uploads/2022/03/Preparing-the-next-phase-of-US-cyber-strategy.pdf (no paywall)
The idea behind persistent engagement and forward defence is to neutralise threats preemptively, inside adversaries’ networks, before they materialise. But there are multiple issues with such an approach. The obvious one is that if the adversary detects the offensive state’s presence, especially in critical networks, it can be seen as a fresh provocation and can lead to escalation cycles.
But there is one more that is not so obvious. Sophisticated malware is not a crude weapon developed at the tap of a button. It consists of unending lines of code written over months, if not years, of effort by some of the best cyber experts a state can muster. An important element of a cyber weapon is that it is highly customised for the target. Cyber weapons are dangerous if they are not ring-fenced, because such malware can spread far and wide, causing damage to all kinds of unintended systems, from healthcare to transportation, in states that are friendly to you (or even one’s own). Hence a lot of effort goes into ring-fencing malware.
Now how does an aggressive cyber defence posture come into play here? As Jun explains:
Early detection of their activities may trigger a “use it or lose it” mentality for threat groups, when they expect to have a relatively short window of opportunity to exploit a vulnerability. These groups would then no longer see a need to exercise restraint as their activity will be detected regardless of such careful and costly efforts. In addition, this closing window of opportunity could encourage groups to hasten the tempo of their operations. This race against time could increase the likelihood of coding errors or the omission of critical controls such as “kill switches,” leading to more collateral damage or open doors to further third-party exploitation.
As Jun’s argument demonstrates, offensive cyber, while appealing and charming, may end up being counterproductive. States considering an aggressive cyber posture should therefore rethink and carefully weigh the costs and benefits.