The Menace of Cyber Attacks
Cyber risk is a critical concern for both the economy and political life
Not a week seems to go by without yet another newspaper report of a cyber-attack on a business or public service. Cyber-attacks have become more common and a real menace for many organisations, primarily because of the disruption and the financial costs incurred. The cost of preventing such attacks is also significant. One industry estimate has forecast that worldwide spending on cybersecurity hardware, software, and services could reach nearly $300 billion in 2026.
Just this month, several major London hospitals were subject to a cyber-attack that created a “major IT incident” and severely reduced the capacity of pathology services. It was a ransomware attack reported to have been carried out by a Russian criminal gang.
This attack is just one of many reported this year. Others include the attack on the Wall Street firm that processes trillions of dollars of securities transactions a month, which took several days to get back online, and the major cyber-attack on an Australian healthcare company, in which patient data and the personal information of healthcare providers were stolen and after which the company went into administration. Confidential patient information is now apparently available for sale on the dark web.
However, it is not just shady criminal gangs looking to make a quick buck who engage in cybercrime. For many years, there have also been cases where state actors were believed to be involved. One of the most prominent examples in recent years was the malware attack on Sony Pictures in 2014, which wiped the company’s hard drives and dumped sensitive documents on the internet. It was one of the worst cyberattacks ever against an American company. At the time, American intelligence officials concluded that North Korea was behind it, and the Obama administration slapped new sanctions on North Korea as a consequence.
Attacking a company is bad enough, but state-sponsored cyberattacks have also proved to be a real menace for society as a whole. In the run-up to the 2016 U.S. elections, hackers linked to Russian intelligence were prime suspects for breaking into the Democratic National Committee’s computer networks and gaining access to confidential emails and information, which a bipartisan U.S. Senate report later concluded was intended to try to influence the 2016 election.
In May 2024, Germany recalled its ambassador to Russia for a week of consultations after the government accused Russian agents of hacking members of Chancellor Olaf Scholz's Social Democrats party and other government targets. The German government was not alone. In the same month, the Czech government also called in the Russian ambassador after accusing Russia of cyberattacks against Czech institutions and critical infrastructure.
In June 2024, the Danish Centre for Cyber Security raised its threat level assessment for destructive cyberattacks due to increasing threats from Russia. Meanwhile, in the Netherlands, the websites of at least three political parties were targeted by hackers as Dutch voters cast their ballots in the European elections. A pro-Kremlin hacker group claimed responsibility.
This latest attack comes just a couple of weeks after the EU’s top cybersecurity official said that disruptive digital attacks have doubled in the European Union in recent months and are also targeting election-related services, with many linked to Russian-backed groups.
But it is not just Russia that stands accused of recent state-sponsored cyberattacks. In March of this year, New Zealand accused Chinese state-sponsored hackers of infiltrating their parliament, joining the United States and the United Kingdom in accusing Beijing of malicious cyberactivity.
A handful of countries are believed to be behind most state-sponsored cyberattacks. The New York-based Council on Foreign Relations has estimated that since 2005, thirty-four countries are suspected of sponsoring cyber operations. However, China, Russia, Iran, and North Korea are suspected to be sponsors in 77 percent of all operations.
The rise of the internet and its supporting digital infrastructure has created a new landscape for espionage, sabotage, and disruption in cyberspace. Nation-states have found new ways to steal secrets, disrupt critical systems, create and control information, and sow discord through cyberattacks that can easily transcend sovereign national borders. This can be done long-distance, without ever setting foot in a targeted country. Such attacks are low-cost: all that is needed is a computer, coding skills, and a connection to the internet. They are also high-impact.
The bigger and more connected a state's cyberspace becomes, the more opportunities exist for it to be exploited. That potentially makes highly connected Western societies more vulnerable and necessitates increased expenditure on cybersecurity. A successful cyber-attack can not only disrupt the democratic process, as happened in America in 2016, but also cause real material damage to everyday life, such as bringing chaos to traffic systems, attacking undersea internet cables, knocking out water plants or electricity power grids, or even worse, causing dangerous damage to nuclear plants or military installations. Real damage can also be caused to the economy.
Given the potential cyber menace that nation-states and their citizens face, the task of defending critical infrastructure, the integrity of the political process, the economy, and classified and confidential information has to be high on the national security agenda of all responsible governments.
When a state suffers a severe state-sponsored cyber-attack by another, the key question for its government to ask is how best to respond. In the case of the hacks on Sony and the Democrats, the U.S. government responded with sanctions. But what if a future attack were more serious and, say, cost lives? That would raise the stakes. At what point is a cyber-attack considered cyber warfare, and what would be the appropriate response in that scenario? Complicating matters is that it can be difficult to attribute blame for cyber-attacks with a high degree of confidence, even for the most sophisticated states. So, before a state responds, how can it know for sure and prove beyond a reasonable doubt that those it thinks carried out an attack did it? How can it know that a third party was not trying to stir things up?
When we are dealing with cyber warfare rather than cybercrime, we are crossing a threshold where a different response is needed. At this point, political and military responses seem more appropriate than responses more suited to punishing a criminal for conducting a crime.
International laws and norms, such as those outlined in the Tallinn Manual, should be the first port of call as a source of guidance. Such laws and norms are made on the basis that they will be obeyed. Still, it is, unfortunately, the case that these alone cannot offer a solid guarantee of cybersecurity, as enforcement and interpretation of international laws and norms can be disrupted, contested, or even ignored by some hostile states.
At the most basic level, when a state finds itself at the point of confronting cyber warfare, probably the most fundamental question that needs to be asked is: Why would a hostile state want to or even dare to conduct or sponsor a cyber-attack on another state? Well, in answering this question, I think the pursuit of power in international relations goes a long way to explain why that would be so.
In a nutshell, power in international relations should be best understood as the ability of one state to influence the behaviour of another state. In other words, to get them to do what they want them to do rather than what the other state might prefer. Such a power can extend beyond cyberspace to the physical world, such as influencing voters to support a friendlier party, more useful to the hostile state.
In our anarchic global system, where no overarching authority exists, states often take opportunities to increase their relative power if they think they can get away with it, as seen historically with events like Pearl Harbour. Cyber capabilities are a new tool for this age-old pursuit of power. Moreover, if a state can get away with a cyber-attack or intrusion, it will probably keep doing it.
While cyber is a relatively new capability, there is still no real reason for us to believe that we have entered the great unknown, where it is impossible for our state to properly prepare and respond to a threat that we largely cannot see.
Technology may have advanced considerably over the last few decades, but analytical tools can help when dealing with these types of threats. Classical military theory remains quite useful. Clausewitz never wrote about cyber warfare, but his ideas on war are useful when cyberattacks are understood as a weapon of war rather than just another tool of crime. State-sponsored cyberattacks are merely the continuation of politics by other means.
State-sponsored cyberattacks offer some of the same advantages as those available to criminals who mainly target businesses for ransom. States may have more sophisticated systems than the average criminal working from his basement, but still, compared to other kinetic weapons, cyber power is low-cost, has a high impact, and transcends national borders.
A strong cyber capability makes it much easier for hostile states to strike at what Clausewitz had considered a nation's centre of gravity, such as critical infrastructure, disrupting communications, or undermining public trust in institutions. Such high-impact events could cause confusion or even chaos within a society, affecting the interplay between the people, the military, and the government. Thus, they offer states another means to increase their relative power more cost-effectively. If state behaviour in international relations is somewhat predictable, then we can expect this capability to be a key feature of military strategy in the coming years.
Already, several of the world’s best-resourced militaries have developed a significant cyber ability. The U.S. is one of many countries, including China, Russia, Israel, and the United Kingdom, that have significantly invested in developing not just defence capabilities but also offensive cyber warfare capabilities. Iran and North Korea have also demonstrated their cyber prowess, notably with Iran’s attack on Saudi Arabia’s national oil company in 2012.
As more nations feel compelled to enhance their cyber capabilities, a possible security dilemma arises, prompting a cycle of action and reaction where other nations seek to follow suit. In such a scenario, states face a prisoner's dilemma, where international cooperation offers the best way forward in reducing risk. If states fail to cooperate in developing robust cyber diplomacy to manage and mitigate the risk of state-sponsored cyberattacks, then we are all worse off, and the risk of such attacks occurring becomes greater.
There has been some progress towards cooperation in recent years at bilateral and multilateral levels, such as the U.S.-China Agreement in 2015. The EU has developed a framework and strategy for a joint diplomatic response to malicious cyber activities, and the U.N. has produced several reports outlining and reaffirming norms and rules of responsible state behaviour in cyberspace.
However, given the nature of the risk, more efforts towards building trust, preventing escalation, and promoting stability, particularly among the most cyber-capable states, will be needed in the coming years. If a robust international regime to mitigate cyber risk cannot be fully achieved, then there will always be an incentive for some nations to cheat, leaving rule-abiding states more exposed.
In such a scenario, it seems more sensible to prioritize defence over offense in the first instance. A strong defensive posture with strong offensive capabilities can deter attacks in the first instance and provide a solid foundation for a more effective offensive response later if necessary. Even if robust international cooperation does not ultimately materialize, states can still create a more stable and predictable international environment by focusing more on defense. Such an approach helps reduce the potential gains available when states seek to increase their relative power. If a hostile nation cannot penetrate another nation's cyber defences or get them to do things they otherwise would not do, well then, they don’t have a lot of power after all, and the threat is not as grave as it may first have appeared to be.




Thank you for reading Kevin Unscrambles, don't forget to subscribe and get full access.