Offensive cyber capabilities and strategic culture in selected NATO member states – an analysis of strategy and policy documents
FFI-Report
2025
This publication is only available in Norwegian
About the publication
Size
1.5 MB
Language
Norwegian
Download publication
This report examines how selected states portray offensive cyber capabilities. To explore this topic, we have chosen a twofold approach.
In the first part, we examine how states describe their ability to conduct offensive cyber operations in their own strategy and policy papers. This approach may contribute to a better understanding of variations in approaches to cyber operations among states.
The states selected for the first section of this report are the United States, Canada, the United Kingdom, France, the Netherlands, Germany, Denmark, Sweden, Finland, and Estonia. The US and the UK are included due to their influential roles in the field's development, while Denmark, Sweden, Finland, and Estonia provide a Nordic and a small-state perspective.
The US, UK, and France adopt a more explicit offensive approach in depicting their own policy towards offensive cyber operations. The Netherlands, Denmark, Sweden, Finland, and Canada emphasise portraying offensive cyber capabilities within a defensive framework. Estonia and Germany are more reserved in explicitly referring to offensive cyber operations but still emphasise the role of cyber capabilities within a national security framework.
In the second part of the report, we explore why states have developed varying approaches to their offensive cyber capabilities and strategies. This analysis examines their policy and strategy documents through the lens of strategic culture. Strategic culture shapes ideas about acceptable behaviour in security and defence, influencing how states perceive what appropriate use of offensive cyber operations is.
The second part focuses on three states: the United States, Germany, and Denmark. Drawing on existing literature, we establish categories for the strategic culture of each state. We find that the United States and Denmark consider it legitimate to use offensive cyber operations as a means of power beyond their borders and against other states. This approach reflects their strategic culture. By contrast, Germany has a strategy to offensive cyber operations that emphasises its security and non-military threats, especially threats by criminal actors. We find that this approach also reflects Germany’s strategic culture.
In the first part, we examine how states describe their ability to conduct offensive cyber operations in their own strategy and policy papers. This approach may contribute to a better understanding of variations in approaches to cyber operations among states.
The states selected for the first section of this report are the United States, Canada, the United Kingdom, France, the Netherlands, Germany, Denmark, Sweden, Finland, and Estonia. The US and the UK are included due to their influential roles in the field's development, while Denmark, Sweden, Finland, and Estonia provide a Nordic and a small-state perspective.
The US, UK, and France adopt a more explicit offensive approach in depicting their own policy towards offensive cyber operations. The Netherlands, Denmark, Sweden, Finland, and Canada emphasise portraying offensive cyber capabilities within a defensive framework. Estonia and Germany are more reserved in explicitly referring to offensive cyber operations but still emphasise the role of cyber capabilities within a national security framework.
In the second part of the report, we explore why states have developed varying approaches to their offensive cyber capabilities and strategies. This analysis examines their policy and strategy documents through the lens of strategic culture. Strategic culture shapes ideas about acceptable behaviour in security and defence, influencing how states perceive what appropriate use of offensive cyber operations is.
The second part focuses on three states: the United States, Germany, and Denmark. Drawing on existing literature, we establish categories for the strategic culture of each state. We find that the United States and Denmark consider it legitimate to use offensive cyber operations as a means of power beyond their borders and against other states. This approach reflects their strategic culture. By contrast, Germany has a strategy to offensive cyber operations that emphasises its security and non-military threats, especially threats by criminal actors. We find that this approach also reflects Germany’s strategic culture.
About the publication
Download publication
Newly published
