Why a Common Lexicon for Cyber Operations Matters
I have a confession that may sound odd coming from a lawyer: I think protracted debates over terminology are often a waste of time. Sure, you’ve got to speak a common language if you’re going to have a meaningful conversation, but you don’t need to agree on how to pronounce every word. Over two decades of interagency policy work, I’ve endured plenty of meetings that devolved into definitional hairsplitting, wasting time better spent grappling with substantive issues.
Cyber operations are a different story, though. Here, progress has stalled in part because the vocabulary has become muddled. Policymakers conflate terms like active defense, hack back, cyber effects operation, and offensive cyber operations, spurring debates that unfold in parallel about disparate operational models. Similar confusion surrounds concepts like deterrence, resilience, and cyber defense, complicating strategic planning for cyber operations and obscuring points of genuine disagreement.
This series of blog posts aims to clarify the conversation and, in doing so, reduce uncertainty surrounding cyber operations. It begins by defining “cyber operations” and outlining the contours of that term. Subsequent posts will flesh out other key concepts, explaining how they align with — or diverge from — the lexicon commonly used to discuss cyber operations. You may not agree with every definition offered here, but you will at least know what pivotal terms mean and, I hope, why you disagree.
What are “Cyber Operations”?
Many perfectly serviceable definitions of “cyber operations” or “cyberspace operations” already exist. Nonetheless, I offer my own, one that draws on common elements of existing definitions while avoiding elements that tend to generate confusion. For instance, I avoid the term “cyberspace” because it obscures the fact that all actions conducted over the Internet occur on, or affect, data or devices physically located in the jurisdiction of states.
Technologies like cloud computing can render it difficult — or even impossible — to identify the precise location of data or devices targeted by a cyber operation. Even so, those data or devices are situated somewhere that’s subject to the domestic laws of the United States or another country. That fact must be factored into operational decision making.
So, for purposes of this series, a “cyber operation” is defined as:
The execution of a command, program, or code to respond to or counter an ongoing or imminent cyber threat by remotely causing one or more of the following effects without authorization or consent:
- Alteration, impairment, disruption, or destruction of hardware, software, devices, or services
- Alteration, deletion, or access to data stored on systems or devices; or
- Impairment, disruption, acquisition, or redirection of electronic communications occurring on or transmitted by systems or devices.
Means of Execution
This definition anticipates that the “command, program, or code” used in a cyber operation may take many forms, including malware, exploits, or legitimate tools and native system resources used in so-called “living off the land” techniques. Under this framework, the nature of the tool is not dispositive, but the effects produced are.
This definition also excludes social engineering that doesn’t rely on technology. For example, a phishing campaign that deploys malware or surreptitiously redirects users to a spoofed web site to harvest their credentials could qualify as a cyber operation, whereas merely impersonating a user in an email that deceives help-desk personnel into voluntarily disclosing credentials would not. Social engineering can be highly effective, but operations that don’t leverage technology are not the type of scalable conduct that meaningfully accelerates the execution of cyber operations and, therefore, aren’t the types of activity embroiled in current policy debates.
Avoid the “Offensive” or “Defensive” Labels
This definition deliberately avoids the terms offensive and defensive. Those labels tend to spark distracting (and often unproductive) line-drawing debates about where defense ends and offense begins. Although international humanitarian law draws important distinctions between offensive and defensive actions, U.S. federal and state cyber statutes do not. For example, the Computer Fraud and Abuse Act (18 U.S.C. § 1030) doesn’t differentiate between initiating a hack and responding to one. Furthermore, as explained in the next post, this series will focus on the activity of private actors rather than the government, which renders much of the debate about cyber operations rooted in international law moot (but not all, as we’ll explore).
Instead, the definition focuses on whether operations “respond to or counter” an “ongoing or imminent” cyber threat. In other words, the cyber operations considered here require a precipitating cyber threat.
So, the definition limits the discussion to actions that can plausibly be characterized as protective, but without invoking freighted terminology. It also excludes indiscriminate threat intelligence-gathering activities. While targeted intelligence gathering undertaken in support of an operation that responds to an ongoing or imminent threat is included, general, non-targeted collection is not.
Limiting the definition to actions that respond to a cyber threat — rather than to threats writ large — also steers the analysis toward cybersecurity activities that private actors might plausibly undertake. It simultaneously avoids sweeping counterterrorism or military cyber operations typically conducted by governments in response to physical or kinetic threats into a discussion that is focused on the conduct of private actors.
“Remote” Execution
Each of the effects falling under this definition is generated remotely, meaning from afar on a system or device the actor does not own or control. “Remote” also signals activity delivered over the internet, as opposed to “close access” techniques. In-person operations involving physical trespass raise unique legal and policy considerations and, like social engineering tactics, fall outside the scope of activities that proponents of expanded private-sector involvement typically envision as near-term responses to escalating cyber incidents.
The definition does not require that the operation be conducted by the victim itself, recognizing that victims may rely on cybersecurity firms or third-party contractors to protect their systems. Still, the operation must respond to an actual, identified event or threat, not a speculative or hypothetical one.
The Range of Covered Effects
This definition is intended to cover the full range of technical actions commonly undertaken surreptitiously or without authorization during a cyber operation conducted in response to a cyber threat. Covered effects include:
- Damaging, disrupting, destroying, or degrading any hardware, software, devices, or services
- Modifying (including by encrypting) or deleting data
- Accessing or stealing data
- Interrupting or redirecting communications to, from, or on a system
Some effects may be so fleeting, or their consequences so de minimis, that they arguably should not be treated as cyber effects at all. In the interest of completeness, this definition doesn’t draw that line. It makes no distinction between transient and persistent effects, so long as the operation produces one of the specified effects. I think a robust assessment of effects is more useful than threshold-setting debates about duration or magnitude.
The definition also distinguishes between effects involving data and those involving communications. That distinction mirrors a divide found in federal law: deleting a file stored on a system (data) is treated differently from intercepting an email (a communication). Preserving that separation helps align the definition with existing statutory schemes, which we will explore in a subsequent post on legal prohibitions.
Authorization or Consent
Only effects-generating actions undertaken “without authorization or consent” fall within this definition. While the concept of consent is relatively straightforward, the meaning of “authorization” has been contested ever since Matthew Broderick and Ally Sheedy inspired legislators to draft a computer crime statute through their portrayal of plucky hackers in the 1983 movie WarGames. (No, really).
For purposes of this series, an action is authorized when it is undertaken with the knowledge and permission of an owner, operator, or user who is legally situated to permit the affected asset—such as a system, device, account, or data—to be altered, accessed, damaged, or otherwise affected.
There are, of course, edge cases in which authorization may be implicit or inferred from prevailing norms. Orin Kerr’s essay on the norms of computer trespass offers an extensive treatment of these questions. The activities contemplated by policymakers considering expanded cyber operations authority, however, generally involve actions taken against criminal or nation-state actors without their authorization, or nonconsensual actions affecting third-party infrastructure that hosts those actors’ assets. Accordingly, this series focuses primarily on scenarios where the target’s authorization is not given, while acknowledging and accounting for foreseeable fringe cases.
Inclusion of Electronic Surveillance Activities
Finally, by including “acquiring” communications as an effect, this definition encompasses electronic surveillance that may be conducted in support of an operation. Legal discourse about cyber operations has centered on the Computer Fraud and Abuse Act (18 U.S.C. § 1030) to the exclusion of electronic surveillance laws, even though cyber operations may require reconnaissance on the targeted system to obtain technical information to enable the operation.
The interception and collection of electronic communications associated with such reconnaissance is captured by the definition’s reference to “acquiring” electronic communications, a term lifted from the federal Wiretap Act (18 U.S.C. 2510 et seq.). Electronic surveillance statutes raise legal and practical considerations distinct from anti-hacking laws, and they warrant individual attention.
Conclusion
The proposed definition of cyber operations helps refine the category of activities addressed in this series. Still, attempting to analyze every action encompassed by this definition would render the project unmanageably broad. In the next post, we will identify the specific types of activities that policymakers have emphasized during current discussions about expanding private-sector authority to conduct cyber operations.