Proactive cyber defence

Last updated

Proactive cyber defence means acting in anticipation to oppose an attack through cyber and cognitive domains. [1] Proactive cyber defence can be understood as options between offensive and defensive measures. It includes interdicting, disrupting or deterring an attack or a threat's preparation to attack, either pre-emptively or in self-defence. Common methods include cyber deception, attribution, threat hunting and adversarial pursuit. The mission of the pre-emptive and proactive operations is to conduct aggressive interception and disruption activities against an adversary using: psychological operations, managed information dissemination, precision targeting, information warfare operations, computer network exploitation, and other active threat reduction measures. The proactive defense strategy is meant to improve information collection by stimulating reactions of the threat agents and to provide strike options as well as to enhance operational preparation of the real or virtual battlespace. Proactive cyber defence can be a measure for detecting and obtaining information before a cyber attack, or it can also be impending cyber operation and be determining the origin of an operation that involves launching a pre-emptive, preventive, or cyber counter-operation.


The offensive capacity includes the manipulation and/or disruption of networks and systems with the purpose of limiting or eliminating the adversary's operational capability. This capability can be required to guarantee one's freedom of action in the cyber domain. Cyber-attacks can be launched to repel an attack (active defence) or to support the operational action. Proactive cyber defence differs from active defence, meaning that it is pre-emptive (not waiting for an attack to occur). The distinction between active cyber defence and offensive cyber operations (OCO) is that the later requires legislative exceptions to undertake. Hence, offensive cyber capabilities may be developed in collaboration with industry and facilitated by private sector. But, these operations are often led by nation-states.

Cyber defense

Strategically, cyber defence refers to operations that are conducted in the cyber domain in support of mission objectives. The main difference between cyber security and cyber defence is that that cyber defence requires a shift from network assurance (security) to mission assurance. Cyber defence focuses on sensing, detecting, orienting, and engaging adversaries in order to assure mission success and to outmanoeuver the adversary. This shift from security to defence requires a strong emphasis on intelligence, and reconnaissance, and the integration of staff activities to include intelligence, operations, communications, and planning.

Defensive cyber operations refer to activities on or through the global information infrastructure to help protect an institutions' electronic information and information infrastructures as a matter of mission assurance. Defensive cyber does not normally involve direct engagement with the adversary.

Active cyber operations refers to activities on the global information infrastructure to degrade, disrupt, influence, respond, and interfere with the capabilities, intentions, and activities of a foreign individual, state, organization, and terrorist groups. Active cyber defence decisively engages the adversary and includes adversarial pursuit activities.

History of the term proactive

In the fifth century, B.C., Sun Tzu advocated foreknowledge (predictive analysis) as part of a winning strategy. He warned that planners must have a precise understanding of the active threat and not "remain ignorant of the enemy's condition". The thread of proactive defense is spun throughout his teachings. Psychiatrist Viktor Frankl was likely the first to use the term proactive in his 1946 book Man's Search for Meaning to distinguish the act of taking responsibility for one's own circumstances rather than attributing one's condition to external factors.

Later in 1982, the United States Department of Defense (DoD) used "proactive" as a contrary concept to "reactive" in assessing risk. In the framework of risk management "proactive" meant taking initiative by acting rather than reacting to threat events. Conversely "reactive" measures respond to a stimulus or past events rather than predicting the event. Military science considers defence as the science-art of thwarting an attack. Furthermore, doctrine poses that if a party attacks an enemy who is about to attack this could be called active-defence. Defence is also a euphemism for war but does not carry the negative connotation of an offensive war. Usage in this way has broadened the concept of proactive defence to include most military issues including offensive, which is implicitly referred to as active-defence. Politically, the concept of national self-defence to counter a war of aggression refers to a defensive war involving pre-emptive offensive strikes and is one possible criterion in the 'Just War Theory'. Proactive defence has moved beyond theory, and it has been put into practice in theatres of operation. In 1989 Stephen Covey's study transformed the meaning of proactive as "to act before a situation becomes a source of confrontation or crisis". [2] Since then, "proactive" has been placed in opposition to the words "reactive" or "passive".


Cyber is derived from "cybernetics", a word originally coined by a group of scientists led by Norbert Wiener and made popular by Wiener's book of 1948, Cybernetics or Control and Communication in the Animal and the Machine. [3] Cyberspace typically refers to the vast and growing logical domain composed of public and private networks; it means independently managed networks linked together the Internet. The definition of Cyberspace has been extended to include all network-space which at some point, through some path, may have eventual access to the public internet. Under this definition, cyberspace becomes virtually every networked device in the world, which is not devoid of a network interface entirely. With the rapid evolution of information warfare operations doctrine in the 1990s, we have begun to see the use of proactive and preemptive cyber defence concepts used by policymakers and scholars.

Current status

The National Strategy to Secure Cyberspace, a book written by George W. Bush, was published in February 2003 outlining the initial framework for both organizing and prioritizing efforts to secure the cyberspace. It highlighted the necessity for public-private partnerships. In this book, proactive threads include the call to deter malicious activity and prevent cyber attacks against America's critical infrastructures.

The notion of "proactive defence" has a rich history. The hype of "proactive cyber defence" reached its zenith around 1994, under the auspices of Information Warfare. Much of the current doctrine related to proactive cyber defence was fully developed by 1995. Now most of the discussions around proactive defence in the literature are much less "proactive" than the earlier discussions in 1994. Present-day proactive cyber defence strategy was conceived within the context of the rich discussion that preceded it, existing doctrine and real proactive cyber defence programs that have evolved globally over the past decade.

As one of the founding members of Canada's interdepartmental committee on Information Warfare, Dr. Robert Garigue and Dave McMahon pointed out that "strategic listening, core intelligence, and proactive defence provide time and precision. Conversely, reacting in surprise is ineffective, costly and leaves few options. Strategic deterrence needs a credible offensive, proactive defence and information peacekeeping capability in which to project power and influence globally through Cyberspace in the defence of the nation. Similarly, deterrence and diplomacy are required in the right dosage to dissuade purposeful interference with the national critical cyber infrastructures in influence in the democratic process by foreign states. [4]

Vulnerabilities equities

Intelligence agencies, such as the National Security Agency, were criticized for buying up and stockpiling zero-day vulnerabilities and keeping them secret and developing mainly offensive capabilities instead of defensive measures and, thereby, helping patch vulnerabilities. [5] [6] [7] [8] This criticism was widely reiterated and recognized after the May 2017 WannaCry ransomware attack. [9] [10] [11] [12] [13] [14]

Proactive pre-emptive operations

The notion of a proactive pre-emptive operations group (P2OG) emerged from a report of the Defense Science Board's (DSB) 2002 briefing. The briefing was reported by Dan Dupont in Inside the Pentagon on September 26, 2002, and was also discussed by William M. Arkin in the Los Angeles Times on October 27, 2002. [15] The Los Angeles Times has subsequently quoted U.S. Secretary of Defense Donald Rumsfeld revealing the creation of the "Proactive, Pre-emptive Operations Group". The mission was to conduct Aggressive, Proactive, Pre-emptive Operations to interdiction and disruption the threat using: psychological operations, managed information dissemination, precision targeting, and information warfare operations. [16] Today, the proactive defence strategy means improving information collection by stimulating reactions of the threat agents, provide strike options to enhance operational preparation of the real as well as virtual battle space. The P2OG has been recommended to be constituted of one hundred highly specialized people with unique technical and intelligence skills. The group would be overseen by the White House's deputy national security adviser and would carry out missions coordinated by the secretary of defence. Proactive measures, according to DoD are those actions taken directly against the preventive stage of an attack by the enemy.

Other topics (relevance to international relations [IR])

The discipline of world politics and the notions of pre-emptive cyber defence topics are the two important concepts that need to be examined because we are living in a dynamic international system in which actors (countries) update their threat perceptions according to the developments in the technological realm. [17] Given this logic employed frequently by the policymakers, countries prefer using pre-emptive measures before being targeted. This topic is extensively studied by the political scientists focusing on the power transition theory (PTT), where Organski and Kugler first discussed that powerful countries start the attack before the balance of power changes in favor of the relatively weaker but the rising state. [18] Although the PTT has relevance to explain the use of pre-emptive cyber defence policies, this theory can still be difficult to apply when it comes to cyber defence entirely because it is not easy to understand the relative power differentials of the international actors in terms of their cyber capabilities. On the other hand, we can still use the PTT to explain the security perceptions of the United States and China, as a rising country, in terms of their use of pre-emptive cyber defence policies. Many scholars have already begun to examine the likelihood of cyber war between these countries and examined the relevance of the PTT and other similar international relations theories. [19] [20] [21]

See also

Related Research Articles

Information warfare (IW) is a concept involving the battlespace use and management of information and communication technology (ICT) in pursuit of a competitive advantage over an opponent. Information warfare is the manipulation of information trusted by a target without the target's awareness so that the target will make decisions against their interest but in the interest of the one conducting information warfare. As a result, it is not clear when information warfare begins, ends, and how strong or destructive it is. Information warfare may involve the collection of tactical information, assurance(s) that one's information is valid, spreading of propaganda or disinformation to demoralize or manipulate the enemy and the public, undermining the quality of the opposing force's information and denial of information-collection opportunities to opposing forces. Information warfare is closely linked to psychological warfare.

Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, the loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation. Acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet by means of tools such as computer viruses, computer worms, phishing, malicious software, hardware methods, programming scripts can all be forms of internet terrorism. Cyberterrorism is a controversial term. Some authors opt for a very narrow definition, relating to deployment by known terrorist organizations of disruption attacks against information systems for the primary purpose of creating alarm, panic, or physical disruption. Other authors prefer a broader definition, which includes cybercrime. Participating in a cyberattack affects the terror threat perception, even if it isn't done with a violent approach. By some definitions, it might be difficult to distinguish which instances of online activities are cyberterrorism or cybercrime.

<span class="mw-page-title-main">Cyberwarfare</span> Use of digital attacks against a nation

Cyberwarfare is the use of cyber attacks against an enemy state, causing comparable harm to actual warfare and/or disrupting vital computer systems. Some intended outcomes could be espionage, sabotage, propaganda, manipulation or economic warfare.

A cyber force is a military branch of a nation's armed forces that conducts military operations in cyberspace and cyberwarfare. The world's first independent cyber force was the People's Liberation Army Strategic Support Force, which was established in 2015 and also serves as China's space force. As of 2022, the world's only independent cyber forces are the PLA Strategic Support Force, the German Cyber and Information Domain Service, and the Singapore Digital and Intelligence Service.

Strategic defence is a type of military planning doctrine and a set defense and/or combat activities used for the purpose of deterring, resisting and repelling a strategic offensive, conducted as either a territorial or airspace, invasion or attack; or as part of a cyberspace attack in cyberwarfare; or a naval offensive to interrupt shipping lane traffic as a form of economic warfare.

<span class="mw-page-title-main">United States Cyber Command</span> Unified combatant command of the United States Armed Forces responsible for cyber operations

United States Cyber Command (USCYBERCOM) is one of the eleven unified combatant commands of the United States Department of Defense (DoD). It unifies the direction of cyberspace operations, strengthens DoD cyberspace capabilities, and integrates and bolsters DoD's cyber expertise.

<span class="mw-page-title-main">Advanced persistent threat</span> Set of stealthy and continuous computer hacking processes

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Cyberwarfare is the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. As a major developed economy, the United States is highly dependent on the Internet and therefore greatly exposed to cyber attacks. At the same time, the United States has substantial capabilities in both defense and power projection thanks to comparatively advanced technology and a large military budget. Cyber warfare presents a growing threat to physical systems and infrastructures that are linked to the internet. Malicious hacking from domestic or foreign enemies remains a constant threat to the United States. In response to these growing threats, the United States has developed significant cyber capabilities.

<span class="mw-page-title-main">Marine Corps Forces Cyberspace Command</span> Cyber warfare command of the U.S. Marine Corps

The U.S. Marine Corps Forces Cyberspace Command is a functional formation of the United States Marine Corps to protect critical infrastructure from cyberattack. Marine Corps Forces Cyberspace Command is the Marine Corps component to U.S. Cyber Command. It comprises a command element, the Marine Corps Cyber Operations Group, and the Marine Corps Cyber Warfare Group, a total of approximately 800 personnel. MARFORCYBER was established on January 21, 2010 under the command of LtGen George J. Flynn,. As of 7 July 2021, MajGen Ryan P. Heritage is in command.

Informatized warfare of China is the implementation of information warfare (IW) within the People's Liberation Army (PLA) and other organizations affiliated or controlled by the Chinese Communist Party (CCP). Laid out in the Chinese Defence White Paper of 2008, informatized warfare includes the utilization of information-based weapons and forces, including battlefield management systems, precision-strike capabilities, and technology-assisted command and control (C4ISR). However, some media and analyst report also uses the term to describe the political and espionage effort from the Chinese state.

The 2011 U.S. Department of Defense Strategy for Operating in Cyberspace is a formal assessment of the challenges and opportunities inherent in increasing reliance on cyberspace for military, intelligence, and business operations. Although the complete document is classified and 40 pages long, this 19 page summary was released in July 2011 and explores the strategic context of cyberspace before describing five “strategic initiatives” to set a strategic approach for DoDʼs cyber mission.

<span class="mw-page-title-main">Cyberattack</span> Attack on a computer system

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack (DDoS).

The cyber security community in the United Kingdom is diverse, with many stakeholders groups contributing to support the UK Cyber Security Strategy. The following is a list of some of these stakeholders.

A Master of Science in Cyber Security is a type of postgraduate academic master's degree awarded by universities in many countries. This degree is typically studied for in cyber security. What is offered by many institutions is actually called a Master in Strategic Cyber Operations and Information Management (SCOIM) which is commonly understood to be a Master in Cybersecurity. This degree is offered by at least some universities in their Professional Studies program so that it can be accomplished while students are employed - in other words it allows for "distance learning" or online attendance. Requirements for the Professional Studies program include: 3.0 or better undergrad GPA, professional recommendations letters and an essay.

<span class="mw-page-title-main">Gabi Siboni</span>

Gabriel "Gabi" Siboni is a colonel in the Israel Defense Forces Reserve service, and a senior research fellow and the director of the Military and Strategic Affairs and Cyber Security programs at the Institute for National Security Studies. Additionally, he serves as editor of the tri-yearly published, Military and Strategic Affairs academic journal at INSS. Siboni is a senior expert on national security, military strategy and operations, military technology, cyber warfare, and force buildup. Siboni is as a professor at the Francisco de Vitoria University in Madrid.

The Fourth Department (4PLA) of the Chinese People's Liberation Army Joint Staff Department (JSD) is also known as the Electronic Countermeasures and Radar Department.

Cyber threat intelligence (CTI) is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web.

Active defense can refer to a defensive strategy in the military or cybersecurity arena.

Operational collaboration is a cyber resilience framework that leverages public-private partnerships to reduce the risk of cyber threats and the impact of cyberattacks on United States cyberspace. This operational collaboration framework for cyber is similar to the Federal Emergency Management Agency (FEMA)'s National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world.


  1. PricewaterhouseCoopers. "Proactive cyber defence and detection". PwC. Retrieved 2022-10-30.
  2. Covey, Stephen (1991). "The seven habits of highly effective people". National Medical-Legal Journal. UT: Covey Leadership Center. 2 (2): 8. PMID   1747433.
  3. Wiener, Norbert (1948). Cybernetics or Control and Communication in the Animal and the Machine. MIT press.
  4. "Information Warfare 2.0".
  5. Schneier, Bruce (24 August 2016). "New leaks prove it: the NSA is putting us all at risk to be hacked". Vox. Retrieved 5 January 2017.
  6. "Cisco confirms NSA-linked zeroday targeted its firewalls for years". Ars Technica. 17 August 2016. Retrieved 5 January 2017.
  7. Greenberg, Andy. "The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days". WIRED. Retrieved 5 January 2017.
  8. "Trump Likely to Retain Hacking Vulnerability Program". Bloomberg BNA. Archived from the original on 5 January 2017. Retrieved 5 January 2017.
  9. Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". The Guardian. Retrieved 12 May 2017.
  10. Heintz, Sylvia Hui, Allen G. Breed and Jim. "Lucky break slows global cyberattack; what's coming could be worse". Chicago Tribune. Retrieved 14 May 2017.
  11. "Ransomware attack 'like having a Tomahawk missile stolen', says Microsoft boss". The Guardian. 14 May 2017. Retrieved 15 May 2017.
  12. Storm, Darlene (2017-05-15). "WikiLeaks posts user guides for CIA malware implants Assassin and AfterMidnight". Computerworld . Retrieved 2017-05-17.
  13. Smith, Brad (14 May 2017). "The need for urgent collective action to keep people safe online". Microsoft. Retrieved 14 May 2017.
  14. Helmore, Edward (13 May 2017). "Ransomware attack reveals breakdown in US intelligence protocols, expert says". The Guardian. Retrieved 14 May 2017.
  15. "Do Examines "Preemptive" Intelligence Operations". Secrecy News. October 28, 2002.
  16. Arkin, William M. (Oct 27, 2007). "The Secret War". Los Angeles Times.
  17. Clarke, Richard; Knake, Robert (2011). Cyber War: The Next Threat to National Security and What to Do About It.
  18. Organski, A.F.K.; Kugler, Jacek (1980). The War Ledger.
  19. Akdag, Yavuz (2019-06-01). "The Likelihood of Cyberwar between the United States and China: A Neorealism and Power Transition Theory Perspective". Journal of Chinese Political Science. 24 (2): 225–247. doi:10.1007/s11366-018-9565-4. ISSN   1874-6357. S2CID   158222548.
  20. Davis, Elizabeth (2021). Shadow Warfare: Cyberwar Policy in the United States, Russia and China. Rowman & Littlefield.
  21. Zhang, Li (2012). "A Chinese perspective on cyber war". International Review of the Red Cross. 94 (886): 801–807. doi:10.1017/S1816383112000823. S2CID   144706963.