Offensive cyber power is spreading fast and changing global security

Offensive cyber activity has moved far beyond a handful of major powers. More governments now rely on digital operations to project influence during geopolitical tension, which raises new risks for organizations caught in the middle. A new policy brief from the Geneva Centre for Security Policy examines how these developments influence international stability and what steps could lower the chance of dangerous escalation.

Growing field with low barriers

The research shows that at least 40 states were conducting cyberattacks by 2019, which represents a fourfold jump from 2011. This spread has allowed smaller and less resourced governments to punch above their weight. The brief notes how incidents such as North Korea’s 2017 ransomware campaign and Iran’s attack on Albanian government networks show how states with modest conventional tools can still disrupt far from home.

Major powers have also expanded their own offensive doctrines. China treats cyberspace as an important arena of strategic competition and blends intelligence gathering with broader political goals. Russia continues to mix disruptive malware with data leaks that play into geopolitical aims. NATO members have also increased activity. In 2016 the alliance recognised cyberspace as an operational domain. Soon after, members began contributing national cyber capabilities to collective defence planning.

One quote in the report captures this shift: “The combination of empowered weaker actors and major-power investment has turned cyberspace into an intensely competitive and contested environment.”

Escalation risks in a crowded threat landscape

The research warns that miscalculation grows more likely as more states develop and deploy offensive tools. Attribution remains difficult, timelines shrink, and thresholds for response vary widely.

Many operations occur in the “grey zone” between peace and war. Governments carry out intrusions, data theft, and low-level disruption while staying below the legal definition of an armed attack. These actions seldom trigger formal military responses, but they can produce slow-burning tit-for-tat activity that increases tension.

The report highlights the Stuxnet incident as an early example of how secret operations can be misunderstood. Its unintended spread raised worry among governments and accelerated global investment in offensive cyber units.

Compounding the risk, civilian and military systems are deeply interconnected. Logistics, transport, energy, and communications networks often rely on the same infrastructure. A narrowly intended operation can affect hospitals or financial systems without the attacker intending to reach them.

Legal gaps and uncertain norms

The spread of offensive cyber activity has outpaced legal and policy development. The brief explains that many governments keep their response thresholds vague and seldom describe their offensive capabilities. Some Five Eyes countries have disclosed limited information, but most activity remains hidden.

International law also struggles in this domain. Many operations cause disruption rather than physical harm, which leaves them outside the definition of an armed attack under the UN Charter. This has produced wide grey zones in which states operate without shared expectations. Attempts to create voluntary norms through UN groups have gained some support, although rivalries slow progress toward anything binding.

Regional bodies have tried to help. The OSCE has promoted confidence-building measures, and ASEAN has piloted joint capacity-building projects. Implementation is uneven, however, and legal uncertainty continues.

Pathways to reduce global cyber risk

The report’s final section offers several steps that governments can adopt to reduce risks. One priority is improving confidence-building measures. These include incident notification rules, cyber hotlines, and joint crisis exercises.

Regional organizations can also serve as testing grounds. The OSCE, ASEAN, and the African Union have helped members build habit-forming cooperation, share lessons, and conduct simulations. These efforts show promise because they create routines that can reduce misinterpretation during tense periods.

The brief also calls for stronger capacity-building. Many countries lack practitioners who can implement norms or operate incident-response procedures. Sharing knowledge, offering training, and promoting South-South cooperation can help build a wider pool of capable responders.