Why do countries resort to cyber operations or cyberattacks (depending on the terminology)? It’s a long discussion that involves matters of performance, speed, aptness, ability, and risk.

Some better-informed folks used to speak about it, and we also covered it during the ICRC assessment of cyber operations. But only recently did the publication of the Netherlands' General Intelligence and Security Services reveal how some State organizations may view it.

Why offensive cyber operations are used

Cyber espionage operations are cost-effective, but this cost is of course relative to the other potential methods at disposal (i.e. direct human involvement, perhaps on-site). Compared with those other methods, cyber operations are in some cases far superior because they are fast, carry a low risk, are relatively easy to conduct (some organizations do have the funds), and yield significant results.

  • Cost - low compared to some other information-gathering operations
  • Time and effort - once the team is prepared, running operations may be fast, especially compared to non-cyber means like human intelligence (which requires recruitment, etc.)
  • Results - more and more data is in digital form, so it is accessible via digital means one way or another (manual typewriters may change the calculus here, you say? No actual advanced tech company will limit itself to that)
  • Accessibility - “digital means for cyber-attacks are relatively easy to obtain”
  • Reusability - as with most other IT aspects, tools can be reused or repurposed
  • High success rate - the balance is tilted towards offense, which tends to be simpler than defense; good defense is good, but while defenders must think of the system holistically (and secure it as a whole), attackers may focus on particular flaws

Of course, such operations merit a case-by-case assessment, but this post was rather indicative of those times where costs favor ‘cyber’.

Cyber operations are a standard tool used by States

The document also acknowledges that cyber operations are now an integral part of Statecraft, and can be used for economic, political, financial, and other reasons. Such operations happened in the past. They will happen again.

Bonus news: terrorists carry zero cyber risk ;-)

As a side note, Denmark’s Center for Cyber Security recently made an interesting assessment of the cybersecurity risk posed by “terrorists”. They say it’s none (zero, no risk). Fair. This fact is increasingly acknowledged, although in some coverage ‘terrorists and extremists’ still too often function as a mental shortcut.


Why this is useful should be obvious to anyone dealing with cybersecurity, whether from a technology or policy angle, defense or offence, in industry, state, academia, or whatnot. It's simply good to know that cybersecurity will remain a challenge for the foreseeable future, for example because offensive cyber operations are seen as useful and cost-effective by those who rely on them in their jobs. This, on the other hand, creates a challenge for the jobs of other people.

This also has implications for data protection. After all, in how many cases have you seen a well-crafted data protection impact assessment that correctly mentions the actual risk actors and is at the same time informative and specific to the organisation?