How can nations prepare for cyber wars on an unprecedented scale? Geopolitical tensions are rising, and major powers are increasingly engaging in territorial expansionist policies. In a recent article, Mara Karlin argues that conflicts in Ukraine and the Middle East signal a shift in the global war landscape, whereby large-scale warfare will be akin to previous eras of total war. She also highlights the critical role cyberspace will play in such conflicts; after all, an all-out war will also include an all-out cyberwar. In other words, not only will military assets—ranging from computers to servers to drones—be targeted, but critical infrastructure, organizations of various sizes, and even civilian devices will be, too.
Therefore, in a total war scenario, both the quality and the sheer size of a cyber force will be a key determinant of success. Given that reality, leveraging civilian penetration testers—IT professionals who conduct offensive security assessments for corporations, public agencies, and private organizations—as cyber reservists can significantly expand a nation’s cyber capabilities. A well-structured cyber reserve would allow states to rapidly scale their offensive cyber operations, ensuring they are prepared to project power in wartime.
The Need for a Larger Offensive Cyber Force
Past cyberattacks have demonstrated the diverse and destructive potential of digital warfare. For example, the Stuxnet worm interrupted Iran’s nuclear program by not only affecting software but also inflicting physical damage on the centrifuges used to refine uranium. Similarly, a more recent cyberattack on Iranian gas stations rendered many fuel pumps unusable. Likewise, the WannaCry ransomware attack impacted millions of computers worldwide, including one-third of the trusts in UK’s National Health Service, forcing hospitals to close. Even unintended incidents, such as the CrowdStrike outage, which affected 8.5 million Windows devices due to a defective update, reveal the potential damage cyber vulnerabilities can cause. These examples highlight the necessity of effective offensive cyber capabilities in a total war scenario.
Currently, for offensive cyber capabilities, governments rely primarily on military and intelligence personnel specifically recruited for these purposes. While these small and specialized groups of experts equipped with abundant resources (e.g., a well-funded arsenal of zero-day exploits) are effective during limited conflicts, they would likely be overloaded in a full-scale cyberwar scenario, where opposing nation-states aim to paralyze each other by hacking every device they can reach. This is because only some attack types (e.g., malware examples above) can be automated, while more sophisticated attacks require significant manual effort. For instance, an attack on critical infrastructure, such as a power plant, may require months or even years of creative work on the attackers’ side. Expanding the size of these units is an obvious solution, but a costly and challenging one due to budgetary and recruitment limitations. Budgetary restrictions, in particular, place a strict upper limit to the size of the available offensive cybersecurity personnel.
A more efficient alternative is to leverage civilian penetration testers as a force multiplier. Historically, civilian expertise, from engineering to cryptography, has often been integrated into military efforts. Perhaps the most notable example is World War II, when civilian cryptographers at Bletchley Park played a crucial role in decrypting German Enigma codes. Today, a similar approach could once again prove useful in the realm of offensive cybersecurity. Specifically, I am proposing a structured and proactive approach: a cyber-reservist model.
The cybersecurity industry, in general, and the penetration testing industry, in particular, are experiencing rapid growth, due to organizations being regular targets of cyberattacks. With the advent of relevant online training platforms such as EC-Council, OffSec, and CREST, penetration testers are preparing for certifications such as Certified Ethical Hacker, Offensive Security Certified Professional, and CREST Certified Infrastructure Tester, which demonstrate expertise in areas critical to cyber operations. Certainly, penetration testers who investigate corporate networks are not a substitute for government personnel who have access to specialized tools and classified intelligence. However, as previously mentioned, in a total war scenario, the sheer size of the offensive cyber force will also be a determining factor, as state actors will be aiming to hack an immense number of targets. Moreover, penetration testers—due to being a very diverse group—might possess some rare and specialized skills, such as experience in hacking certain uncommon devices or high-level certifications for cutting-edge software.
A Cost-Effective Force Multiplier
Most importantly, including penetration testers in a cyber reserve requires significantly less financial investment compared to recruiting and maintaining an additional offensive team of equivalent size, which makes it an effective force multiplier. Governments can prepare in peacetime by creating a voluntary registry where penetration testers can list their certifications and skills, updating them regularly. Then, if the need arises, governments could selectively mobilize these individuals, prioritizing those who have indicated a preference for being called in an emergency (e.g., volunteers). To enhance readiness, volunteers could be invited to periodic (e.g., annual) training sessions, ensuring they can be rapidly mobilized when needed. Offering government-issued certifications in exchange for participation would further incentivize engagement.
Certainly, there are potential challenges in integrating civilian penetration testers into military operations. The most pressing concern is operational security, particularly the risk of information leaks. However, unlike other civilian groups, penetration testers, as cybersecurity specialists, are less likely to inadvertently disclose sensitive information—especially with periodic training sessions. Furthermore, vetting processes—which both military and intelligence organizations are deeply familiar with given the security investigations already used to vet employees—can help to mitigate these risks.
Overall, this solution significantly expands the total size as well as the diversity of expertise in the offensive cyber force in a cost-effective manner. These individuals can participate especially in less sensitive and relatively simpler operations that do not require specialist government tools or multimillion-dollar exploits. In doing so, the smaller group of formal and full-time military and intelligence personnel with access to highly classified information and knowledge of government-developed tools can focus their energy on those operations.
Preparing for total war requires utilizing the totality of resources, and penetration testers constitute a key resource in such a conflict.
Aybars Tuncdogan is a reader (associate professor) in digital innovation and information security at King’s College London and a research affiliate of King’s AI Institute. He is also a member of the King’s Cybersecurity Research Centre (Informatics Department) and the King’s Cyber Security Research Group (War Studies Department). His books have been published by Oxford University Press, Routledge, and Edward Elgar, and his research appears in leading academic journals. In addition, Aybars contributes to practitioner-oriented outlets, including Defence Strategic Communications, Scientific American, and Dark Reading.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.
Image credit: Staff Sgt. Jeffrey Reno, US Army