
On the Same Page

A Common Language for Understanding Offensive Cyber Action

September 24, 2025

Playing Offense is a strategic initiative of the Aspen US Cybersecurity Group designed to explore how the United States should posture against cyberattacks—legally, operationally, and collaboratively across the public and private sectors.

Tactically, the Project analyzes how the US might achieve its offensive cyber goals. It examines what has been publicly stated by government officials and explores the practical means of implementation. This is followed by a series of in-depth discussions that delve into the nuances of decision-making—especially around the contentious concept of “hacking back.” These essays examine the factors that one must consider before taking such action.

Industry experts contribute perspectives throughout the Project, including Internet Service Providers, security companies, former government officials, and cyber insurers. Informed by their experiences engaging the dynamic cyber threat landscape, they provide perspectives on how they view and respond to cyber aggression. These insights help round out the picture, showing how different parts of the digital ecosystem think about risk, responsibility, response, and return on investment.

Finally, the Project closes with a broader look at the toolkit available to respond to cyberattacks. It considers non-cyber options—like economic sanctions or diplomatic pressure—and how they can complement technical responses.

At its core, this Project asks how the nation—encompassing government, industry, and civil society—can collaborate to reduce exposure to cyber vulnerabilities, respond to cyber threats, and deter cyber attacks in a manner that is effective, lawful, and aligned with democratic values.

To begin, we must establish first principles for disruption in the digital age.

We face an uncomfortable truth and a problematic asymmetry: our adversaries understand our cyber vulnerabilities better than we understand our retaliatory options. Worse, the adversary is not deterred from attacking infrastructure owned and operated by the private sector. From ransomware attacks that shut down critical infrastructure to nation-state cyber espionage campaigns that pilfer intellectual property worth billions, cyber intrusions have become routine tools of statecraft and criminal enterprise. Yet our response frameworks remain ad hoc—a patchwork of defensive measures, public callouts, diplomatic protests, and occasional sanctions that fail to alter adversary behavior meaningfully. The adversary is not deterred.

Consider the continued cost of inaction: the average ransomware payment is now $2 million, with some organizations paying tens of millions to restore operations. Meanwhile, the perpetrators of these crimes operate with near impunity from jurisdictions that either encourage this behavior, flat-out deny that it occurred, or turn a blind eye. This imbalance is unsustainable and emboldens further aggression.

But the solution is not simply to “hack back” with abandon. Poorly conceived offensive action can escalate conflicts, harm innocent parties, and undermine the very digital ecosystem that powers modern commerce, communication, and society. The time to establish clear first principles for offensive cyber action is now. The United States needs a foundation for a coherent strategy that strengthens cyber disruption while avoiding the escalatory spiral that could destabilize cyberspace for everyone.

We need a framework that makes offensive action credible, proportional, legally-grounded, and designed for specific outcomes. Public-private coordination of offensive cyber operations should focus on the desired outcomes and effects. The private and public sectors have a range of actions at their disposal to achieve everything from minimal effects such as improved resilience against attacks to severe effects which impose deterrent costs on the adversary. We explore the existing range of offensive cyber operations and the desired effects.

A shared vocabulary is essential to coordinated planning, coordinated response, and legal precision. Words matter. Policy discussions often conflate fundamentally different types of cyber activities, resulting in misaligned expectations between the government and industry. First, we must distinguish between defense, active defense, and offense. Network or cyber defense includes passive and active defensive measures that are internal to a network, whereas cyber offense includes measures that are external to a given network. We describe the current status of cyber defense and active defense that organizations can take internally within their own networks before discussing industry’s role in taking action external to their own networks.

Cyber defense encompasses the protective but often passive measures we take within our networks to achieve improved resilience against cyber risks. This includes the practices of good cyber hygiene that ensure the confidentiality, accessibility, and integrity of our information and information systems, such as patching known exploitable vulnerabilities, deploying multi-factor authentication or passkeys, encrypting data in transit and at rest, and executing well-exercised incident response. These measures typically remain within the defender’s boundaries, focusing on protecting digital infrastructure from cyber intrusions.

As a result, Congress authorized industry to monitor their own networks and take defensive measures for cybersecurity purposes notwithstanding any other provision of law. Congress defined defensive measures as an “action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability” and owned by the entity operating the measure. Examples of defensive measures include endpoint detection, continuous systems monitoring, patching, and firewall management. Importantly, this authorization for taking defensive measures is limited to actions on internal networks of the defender and expressly excludes any action that is destructive to any network external to the entity operating the defensive measure. 

Active cyber defense consists of protective actions that are more aggressive than passive defense and are aimed at anticipating, neutralizing, or disrupting cyber threats within or at the perimeter of one’s own networks. Defenders do not cross into adversary territory but also do not passively wait for attacks. These measures are confined to a defender’s own systems or third-party systems that give consent or authority to a defender to protect that third-party system and are sufficiently limited to avoid violating the Cyber Fraud and Abuse Act, otherwise known as the “hack back” law. Examples of such actions include threat hunting, beaconing malware for tracking, and honeypots. This sometimes involves deception tactics to mislead adversaries or disrupt the adversary’s operations within the defender’s infrastructure. Large service providers often take these active defense measures on their own platforms on behalf of their customers – for example, Cloudflare’s Cloudforce One and Microsoft’s Digital Crimes Unit (DCU) take action to protect their networks from unauthorized access and use. Recently, Microsoft, Cloudflare, and their victim-customer members of the Health Information Sharing and Analysis Center (Health ISAC) announced a joint operation to take down a criminal enterprise known as RaccoonO365 that was using infrastructure on Cloudflare’s networks and executing phishing kits designed to steal Microsoft credentials from victim accounts. The active defense methods used by Cloudflare and Microsoft with consent from customers within the healthcare industry proved effective and are good examples of active defense.

The focus of this paper is on cyber offense – actions taken by stakeholders that have effects that are external to their own networks. Cyber offense includes a range of actions, from cyber scanning resulting in minimal effects to cyber force resulting in severe physical effects. The paper defines the range of offensive actions on networks external to the owner or operator and arranges them according to the effects or intended outcomes: (1) minimal effects, (2) informational effects, (3) disruptive or damaging effects, and (4) potentially lethal effects.

Offensive cyber actions cross the digital border and are currently reserved for government military operations, not industry action. These are actions that have effects outside of the defender’s own networks, ranging from minimal effects to severe damage. Offense involves deliberately accessing, disrupting, or degrading systems outside of the defender’s networks. US law currently only authorizes the government to take certain offensive action such as deploying disruptive malware. These government-authorized offensive operations require careful legal review and policy authorization precisely because they extend beyond our sovereign boundaries.

1. Minimal Effects

Cyber scanning involves systematically probing networks to identify vulnerabilities, open ports, or configurations, and while external scanning may exist in legal gray areas resembling legitimate security research, more targeted reconnaissance can constitute preparation for future attacks. 

Cyber intrusions involve unauthorized access conducted with operational restraint—avoiding data exfiltration or service disruption—but unauthorized access itself typically constitutes a serious criminal offense regardless of the intruder’s intentions, often serving intelligence collection or establishing persistent access. 

Even so, “limited technical impact” should not be confused with “minimal consequences,” as even restrained cyber operations can trigger significant costs through incident response, security upgrades, diplomatic tensions, and erosion of trust, with ultimate significance depending heavily on targeting, scale, attribution, and broader geopolitical context.

2. Informational Effects

Espionage represents the most common form of nation-state cyber activity. While espionage is illegal under domestic law, cyber espionage somehow falls within accepted norms of international statecraft—similar to traditional human intelligence collection. The recent actions of Salt Typhoon are an example of a state-sponsored campaign attributed to China’s Ministry of State Security that covertly infiltrated US telecommunications networks to exfiltrate sensitive data, including call metadata and voice recordings, from high-value targets over an extended period. The appropriate response to cyber espionage typically involves diplomatic protest, defensive measures, and counterintelligence operations rather than offensive cyber action. 

Influence operations occupy a particularly insidious space enabled by cyber. Cyber-enabled disinformation campaigns, deepfake videos, and social media manipulation campaigns can undermine democratic processes and social cohesion. But they also blur the line between legitimate expression and malicious interference, making offensive action both legally complex and potentially counterproductive.

3. Disruptive or Damaging Effects

A cyber attack occurs when there is a disruptive effect on a target external to the stakeholder’s own network or without authorization from the owner or operator of the target network.

The most permissible form of cyber attack is a cyber counterattack or other pre-emptive action: an action designed to stop an ongoing cyber attack by producing an effect on the attacker’s network. Unlike the earlier example of active defense measures that Microsoft, Cloudflare, and the Health ISAC took against a criminal enterprise, known as RaccoonO365, that was up to no good on their networks, an offensive cyber counterattack takes the fight to a network not otherwise controlled by the defender. A good example of this type of offensive cyber attack is law enforcement’s use of Rule 41 to disrupt botnets or other criminal infrastructure outside of its jurisdiction. Using its legal authority, the FBI was able to do what industry is prohibited by law from doing: use remote access software to disrupt a major botnet originating from Russia called Sandworm.

A common cyber attack executed on networks outside of the attacker’s networks is a denial of service attack disrupting the availability of a target’s network. When multiple sources connect to overwhelm a system and disrupt availability, it becomes a Distributed Denial of Service (DDoS) attack. One of the most famous DDoS attacks was attributed to the Mirai botnet. Attackers deployed Mirai malware that was designed to scan for Internet of Things (IoT) devices with default passwords and exploit those devices by installing malware that would beacon to a command and control server controlled by the attacker. Once infected with the Mirai bot, those devices became part of a botnet used to launch massive DDoS attacks disrupting websites and online services. The Mirai botnet has lasting effects today.
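The Mirai paragraph above describes the mechanism (automated scanning for devices that still accept factory-default credentials), and the active defense section earlier lists honeypots as an in-network measure. The following is an added example, not code from the Aspen paper or from any of the organizations it names, showing how a defender might correlate a telnet honeypot's login log to flag a Mirai-style distributed default-credential scan and any device that actually accepted a default credential. The log format, the RFC 5737 documentation addresses, and the short credential list are constructed assumptions for illustration.

```python
"""Added example: correlating a telnet honeypot's login log to spot Mirai-style
default-credential scanning. Log format, addresses and credential list are
constructed for illustration and are not from the Aspen paper."""
import re
from datetime import datetime, timezone

# Illustrative subset of factory-default username/password pairs (constructed;
# a real deployment would load its own list).
DEFAULT_CREDS = {
    ("admin", "admin"), ("root", "root"), ("admin", "1234"),
    ("support", "support"), ("user", "user"),
}

WINDOW_SECONDS = 60  # correlation window for a single scanning wave
MIN_SOURCES = 3      # distinct sources required to call it distributed

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2025-09-20T10:00:01Z telnet src=203.0.113.10 user=admin pass=admin result=FAIL
2025-09-20T10:00:02Z telnet src=203.0.113.11 user=root pass=root result=FAIL
2025-09-20T10:00:03Z telnet src=198.51.100.7 user=admin pass=1234 result=FAIL
2025-09-20T10:00:04Z telnet src=203.0.113.10 user=support pass=support result=FAIL
2025-09-20T10:00:06Z telnet src=192.0.2.6 user=root pass=root result=SUCCESS
2025-09-20T10:04:30Z telnet src=198.51.100.9 user=alice pass=correct-horse result=FAIL
2025-09-20T10:09:00Z telnet src=203.0.113.11 user=admin pass=admin result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["default_cred"] = (ev["user"], ev["pw"]) in DEFAULT_CREDS
    return ev


def analyze(log_text):
    """Return a list of findings derived from honeypot login events."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    events.sort(key=lambda ev: ev["ts"])
    findings = []

    # Finding 1: a login that SUCCEEDED with a default credential means a device
    # reachable from this network will accept the scanner's dictionary; rotate it.
    for ev in events:
        if ev["result"] == "SUCCESS" and ev["default_cred"]:
            findings.append({"type": "default_credential_accepted",
                             "src": ev["src"], "user": ev["user"],
                             "at": ev["ts"].isoformat()})

    # Finding 2: many distinct sources trying default credentials within a short
    # window is the signature of an automated botnet scanner, not a lone user.
    attempts = [ev for ev in events if ev["default_cred"]]
    start = 0
    for end, ev in enumerate(attempts):
        # shrink the window from the left until it spans at most WINDOW_SECONDS
        while (ev["ts"] - attempts[start]["ts"]).total_seconds() > WINDOW_SECONDS:
            start += 1
        sources = sorted({a["src"] for a in attempts[start:end + 1]})
        if len(sources) >= MIN_SOURCES:
            findings.append({"type": "distributed_default_credential_scan",
                             "window_start": attempts[start]["ts"].isoformat(),
                             "window_end": ev["ts"].isoformat(),
                             "attempts": end - start + 1,
                             "sources": sources})
            start = end + 1  # report each wave once, then begin a fresh window
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this yields two findings: one distributed scan (three sources within the first few seconds) and one device that accepted `root/root`. The thresholds are deliberately conservative; a single source cycling through a dictionary is a brute-force attempt worth logging, but the distinct-source count is what separates a botnet wave from one misconfigured client.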

As compared to espionage, sabotage and disruption cross a clearer red line. Volt Typhoon was an example of cyber disruption, again involving PRC state-sponsored actors infiltrating US critical infrastructure networks to pre-position for potential destructive attacks rather than conducting traditional espionage. When adversaries deliberately damage or disrupt critical infrastructure, paralyze business operations through ransomware, or deploy destructive “wiper” malware, they are engaging in acts that approach or constitute armed attacks in cyberspace. These activities cause immediate economic and operational harm and may warrant proportional offensive cyber action.

4. Potentially Lethal Effects

Offensive cyber capabilities that can potentially produce lethal effects are deployed only upon legal authorization. In the US, cyber offense is careful to play by the rules; legal authorization is the element that distinguishes lawful activity from criminal activity. Consistent with the military’s intelligence authorities in Title 10, National Guard authorities in Title 32, or national defense authorities in Title 50, the US military may conduct offensive cyber operations. According to military guidance, these operations may create effects on adversary systems across multiple domains. Cyberspace targets include specific components, systems, networks, or even physical locations. Effects may be temporary, long-term, or permanent. By design, these offensive cyber operations may exclusively target adversary cyberspace functions or create cyberspace effects with manifestations in physical domains against adversary weapon systems, command and control processes, logistics nodes, etc. The employment of these offensive cyber operations should be viewed as an application of military force. Regarding the use of force, some missions may rise to the same level as physical damage or destruction of adversary systems and equipment. For this reason, US military guidance requires offensive cyber operation missions to undergo careful consideration regarding scope of operations, rules of engagement, potential repercussions, and measurable progress towards the commander’s objectives.

Proactive measures, whether passive or active defense, can create the foundation for credible deterrence. These measures include developing robust threat intelligence capabilities, conducting regular exercises that test the ability to coordinate a response across government and industry, and establishing the legal and policy frameworks necessary for rapid response. We must also invest in diplomatic efforts to build international consensus around responsible state behavior in cyberspace. Proactive preparation involves developing the attribution capabilities necessary to identify attackers confidently. Offensive action without accurate attribution risks harming innocent parties, escalating the conflict with the wrong adversary, or providing cover for false flag operations.

Credibility means adversaries must believe we will retaliate for significant attacks. This requires both capability and demonstrated will. We must develop and maintain the technical tools necessary for effective offensive action while also signaling our readiness to use them when appropriate.

Proportionality means that the offensive action is proportionate to the attack. Massive offensive cyber action for minor intrusions will escalate conflicts unnecessarily and potentially violate international law. Weak responses to major attacks will invite further aggression. The challenge is calibrating responses that meaningfully increase costs for adversaries without triggering uncontrolled escalation.

Persistence involves sustaining pressure over time rather than relying on one-off responses. Criminal organizations and state-sponsored groups are adept at adapting quickly to setbacks. Effective deterrence, therefore, requires the ability to impose costs repeatedly and predictably when red lines are crossed.

Grounding offensive cyber action decisions in shared first principles—such as taxonomy alignment, clear definitions of aggression, a balanced proactive/reactive posture, and infrastructure-aware technical planning—will enable the United States to build a more coherent, effective, and credible cyber deterrence framework. This principled approach enhances national cybersecurity resilience, mitigates the risk of escalation, and fosters responsible state behavior in cyberspace. Ultimately, it aligns the US strategic posture with democratic norms and operational realities, reinforcing both deterrence and global stability.

The views represented herein are those of the author(s) and do not necessarily reflect the views of the Aspen Institute, its programs, staff, volunteers, participants, or its trustees.