Taylor Grossman is a Senior Research Analyst and Project Manager in the Cyber Policy Initiative at the Carnegie Endowment for International Peace, where her work focuses on capacity-building and financial inclusion. Her other research interests include cyber norm development, ethics of war, and bureaucratic politics in national security decision making. Previously, she worked at the Hoover Institution and as a consultant for cybersecurity companies in Silicon Valley. She has an MPhil in International Relations from the University of Oxford and a B.A. in Political Science from Stanford University.
Offensive Cyber Operations & the Market Incentives for Contracting
The rise of contracting for offensive cyber capabilities is an increasingly well-documented phenomenon. Offensive cyber operations (OCO) can take a number of forms and provide a diverse array of effects, including denying, degrading, disrupting, destroying, or manipulating information, computer systems, or networks. Although many of the most sophisticated OCO capabilities have been developed through government-run programs, a growing number of firms offer such services for hire within private marketplaces. Often termed “Access-as-a-Service” or “Infiltration-as-a-Service,” these companies offer operational support, tools, and vulnerabilities for conducting offensive cyber operations. The marketplace for third-party OCO vendors is growing and takes both legal, state-sanctioned forms and illicit, underground forms. Contracted military services have a long history of destabilizing international power dynamics; the OCO marketplace poses a particularly nettlesome set of problems, as offensive operative capabilities are notoriously difficult to distinguish from traditional espionage and intelligence activities.
This paper proposes to examine three existing norm regimes and their potential for understanding and regulating the expansion of OCO contracting: (1) export control regimes; (2) anti-money laundering / counter-terrorism financing (AML/CTF) standards; and (3) human rights norms. In Part I, this paper will outline a brief history of the problem of OCO contracting and the growing international concern around intrusion services. In Part II, this paper will explore these three norm regimes—export controls, AML/CTF, and human rights—and the trade-offs associated with applying each to the problem of international OCO firms. Finally, Part III will offer policy recommendations for building hybrid models to address the rise of offensive cyber contracting, with a keen eye toward the potential for international consensus.