How European and allied cybersecurity strategies are shifting from defence to offence


In an ever more uncertain world, countries from Finland to Japan are creating cyber commands, adapting previously defensive capabilities, and facing new legal and diplomatic challenges.

At an October parliamentary briefing, German foreign intelligence chief Martin Jaeger offered a stark warning to Europe: Russia, aiming to expand its sphere of influence westward, could provoke a ‘direct military confrontation with NATO’ at any moment. He added that ‘attempted manipulation of elections and public opinion, propaganda, provocations, disinformation, espionage, sabotage, airspace violations by drones and fighter jets, contract killings, [and] persecution of opposition figures living abroad’ showed that Russian attacks were not some concern for the distant future; ‘We are already under fire today.’ Last month, in her first speech as the UK’s foreign intelligence chief, Blaise Metreweli struck a similar note, saying the ‘front line is everywhere’.

In response to these increasing threats, cyber and otherwise, from authoritarian regimes like Russia and China, many countries are updating their security strategies. Alongside traditional rearmament and defence spending increases, many states are shifting from purely defensive to increasingly offensive cyber postures. States are building on pre-existing defensive cyber capabilities – intended to detect and respond to malicious activity and harden systems and networks – by adding offensive cyber capabilities, designed to manipulate, disrupt, degrade, or destroy foreign and adversary systems.

Material infrastructures for cyber offence

One new trend is that states that previously did not have the material or organisational capacity to utilise offensive cyber are creating new agencies responsible for offensive cyber operations. 

Offensive cyber operations were historically the domain of secretive intelligence agencies; countries are now creating more transparent military cyber command structures, with uniforms, insignia, barracks, and offensive cyber troop contingents. Finland, which previously had a purely defensive cyber posture, is currently expanding its approach to include offensive capabilities. Japan, which has historically pursued a culture of military restraint similar to Germany’s, is now setting up its own 4,000-strong military cyber command and is developing its first cyber strategy for preemptive attacks against foreign servers. Another major shift occurred in Ukraine, which before 2022 had a strictly defensive posture and now regularly conducts cyber operations against Russian entities. Since the full-scale invasion of Ukraine in 2022, many other countries have created or upgraded military cyber command structures.

There have been three major waves of cyber command creation. The first wave was around 2010, when the Stuxnet attack led to worldwide recognition of the real-world impacts of cyberwarfare. The second came around 2015-2018, when many EU countries developed their cyber commands for the first time. This was likely in reaction to prominent cyberattacks, including the 2015 US Office of Personnel Management breach, the 2015 Russian BlackEnergy attack on the Ukrainian power grid, the 2015 Sandworm hack of the German Bundestag, and the 2016 hack of the US Democratic National Committee, as well as the 2016 election interference campaign against the US. All of this resulted in new threat assessments and cybersecurity strategies. Lastly, we see a clear uptick from 2022 to 2024, with 13 new cyber commands created, mostly in smaller countries in geographical hotspots in Eastern Europe and Southeast Asia.

Updating laws

The recent turn to cyber offence has also seen the passing of new laws and legislation allowing for more flexible use of existing offensive capabilities. Countries that created cyber commands during the first and second waves are now realising that they can hardly use them. Most cyber commands were originally designed as military structures, and many democracies restrict their militaries from attacks, conventional or digital, in peacetime. Legal frameworks often restrict the use of military cyber commands against non-military threats, such as cybercriminals or hacktivists, leaving cybercrime to civil law enforcement. 

This is beginning to change, however. The US Cyber Command was given the authority to use its military cyber capabilities against the cybercriminals responsible for the Colonial Pipeline attack in 2020, and a similar trend is happening in other countries as well. 

The UK lowered the threshold for use of offensive cyber capabilities in 2020, and the Polish government is currently discussing a new framework for peacetime cyber operations. The Netherlands enacted the Temporary Cyber Operations Act in 2024, broadening legal authority for offensive and intelligence-driven cyber operations outside of armed conflict. And the conservative German government is planning to upgrade its active defence posture as well to include offensive capabilities for non-military, peacetime use.

Refining preexisting offensive cyber doctrines

Meanwhile, countries with established offensive cyber capabilities and legal mandates to use them are updating their offensive cyber strategies and capabilities to enhance operational effectiveness. These offensive cyber doctrines specify the strategic goals offensive cyber postures might pursue – such as deterrence by denial, deterrence by punishment, or ‘persistent engagement’ – and how they aim to achieve those goals. 

France, for example, is one of the few countries that transparently published an offensive cyber doctrine in 2019. This marked a shift from a primarily defensive posture to a balanced approach that included offensive cyber operations, and signalled a readiness to conduct cyber warfare supporting conventional military objectives. France’s 2025 National Strategic Review expands on this by combining offensive cyber and information operations. The strategy aims to be able to conduct real-time information operations, influence the media, counter disinformation, and inflict losses on opponents through cyber means. The review also sets goals to increase the number of cyber personnel, adding 1,600 positions to its military cyber command, and improve military cyber warfare exercises. 

Other countries, including Sweden, Denmark, the Netherlands, and Canada, are likewise expanding their approaches to offensive cyber activity. 

Persistent engagement versus active defence

Another aspect of the change in offensive strategies is the move from ad hoc active defence postures and deterrence by punishment strategies towards US-style ‘persistent engagement’ and ‘forward defence’ strategies. Persistent engagement is a strategic concept introduced by the US Cyber Command in 2018, referring to continuous competition in cyberspace. Rather than waiting for attacks, forces aim to be constantly engaged with adversaries, anticipating, contesting, and disrupting hostile actions before they reach their target networks. The goal of persistent engagement is to impose friction, degrade adversary offensive capabilities, and deter aggression by staying in constant contact with hostile operators. Forward defence, meanwhile, authorises cyber operators to act outside of their own networks ‘as close as possible to the source of adversary activity’ – which can mean on foreign territory.

More countries with advanced cyber capabilities are now following this approach. For example, South Korea, facing ongoing cyber threats from China and other adversaries, is shifting toward a proactive and preemptive cyber offensive posture as part of its 2024 National Cybersecurity Strategy. This marks a departure from the more reactive approach outlined in 2019. South Korea’s strategy focuses on early detection, identification, and timely response to cyber threats before they materialise into attacks, mirroring the ‘defend forward’ concept. 

The UK, Australia, Japan, and the Netherlands are likewise embedding persistent engagement elements in their strategies.

Implications and risks

Whether this offensive shift elevates or stabilises security largely depends on the quality of diplomatic and military communication accompanying these operations. To manage the complexities of this environment, allied states must establish common thresholds for intervention, transparency measures, and escalation management protocols. While enhanced cyber capabilities promote burden-sharing among allies and strengthen collective defence, these benefits hinge on harmonising strategies, intelligence sharing, and joint command structures to avoid operational gaps and redundancies.

States should invest in developing comprehensive offensive cyber doctrines that clearly define strategic objectives such as deterrence, disruption, and influence; outline operational boundaries; and integrate cyber activities with conventional and intelligence operations. Equally important is fostering joint doctrines and communication channels to uphold cohesion amid continuous cyber competition. Conducting joint cyber exercises and war games will enhance operational experience and reduce the risk of misinterpretation or unintended escalation.

At the same time, expanding military cyber roles into peacetime – particularly against non-state actors like cybercriminals – challenges existing legal frameworks. Democracies must strike a careful balance between exercising offensive cyber powers and protecting civil liberties, sovereignty norms, and robust oversight. The lack of uniformity in national thresholds and doctrines risks fragmenting international norms on acceptable peacetime cyber operations, complicating multilateral cooperation, and increasing the risk of conflict.

Moving towards proactive and continuous cyber engagement offers significant strategic advantages but necessitates careful legal, diplomatic, and operational management. Only by fostering transparency, coordination, and respect for international norms can states effectively harness offensive cyber capabilities to deter aggression without exacerbating instability.