This think piece first provides a short overview of the evolving strategic cyber threat landscape with a view to then exploring a military’s contemporary role in facing continuing, multi-faceted cyber aggression from a strategic perspective. The rationale behind this piece is to stoke further discussion and analysis within the Irish national security community on key issues facing most technologically advanced democracies in relation to the role of military in cyberspace.[i]
If we are to ensure our digital-dependent future security and prosperity, updated (or new) national security strategies, second generation national cyber strategies and upcoming international cyber negotiations, such as the UN Group of Governmental Experts and Open Ended Working Group, must now grapple with integrating the expanding breadth of new-fangled strategic cyber threats. Taking concrete steps to assure our citizens and businesses that military expertise is being put to its best use by establishing stronger cross-governmental mechanisms may now be needed in the face of evolving cyber threats. This may be essential to not only retain and attract foreign direct investment, but to safeguard our values, to remain economically competitive, to protect our strategic assets and IP, and to ensure that our nations continue to be safe and secure places to conduct all business free from future external interference.
Four quadrants of multi-faceted cyber aggression: Something old, something new
Stronger, orchestrated cross-governmental responses are arguably needed to address present-day cyber aggression that comprises the increasing use (and sometimes integration) of four major types of cyber capabilities and activities. The United Kingdom’s current national cyber security strategy explains, for example, that previous cyber strategies were published when most people still understood cybersecurity through “the prism of protecting devices” whereas new developments such as the Internet of Things change this paradigm so that we are now vulnerable to threats to the interconnected systems that are fundamental to our society, health and welfare.[ii] First, states’ use of cyber capabilities now includes more than cyber-enabled state espionage (commercial or otherwise) and attack capabilities. This is the case even where the increasing centrality of network connected devices to business operation and critical infrastructure means that the consequences of such cyber-enabled attacks have become much more serious.[iii] As part of wider hybrid operations in recent times, a third area of cyber-enabled influence know-how to seek political, diplomatic, economic and military advantage is becoming more prolific.[iv] Influence activities that can be conducted in another state’s territory during peacetime can include, among others, disinformation, targeted manipulation of data, election interference, hack and leak operations, propaganda, and the suppression of unfavourable viewpoints. Major Western powers expect that their strategic competitors will certainly use and refine such influence operations, while learning from each other, in order to (1) Weaken democratic institutions; (2) Undermine Western alliances and partnerships; (3) Shape policy and actions; (4) Undermine authorities; and (5) Stoke racial and social tensions. This means the future threat landscape, including in future elections, is likely to be rather different.[v]
Moreover, strategic competition is clearly rising over emerging and disruptive technologies, tools and tradecraft in areas that include AI, autonomy, 5G wireless networks and quantum computing. Despite warnings, a major awakening to this fourth quadrant of cyber activities and race to acquire components for other future cyber-enabled weapons systems is only recently taking place in Europe. Whereas foreign actors are already racing to acquire top talent, companies, data and IP through legal and illegal means.[vi] Irrespective of pressing present-day cyber-related challenges, decision-makers and military must additionally be cognisant that the speed and scope of technological change could become exponential, thus seriously complicating our understanding and management of the global cyber environment.[vii]
Experts, too, are scrambling to unpack the multi-level characteristics of cyber conflict that include ideological, policing, security and economic dimensions – a humbling experience to say the least.[viii] The United States Presidential Policy Directive 41 now describes a “significant cyber incident” as referring to “an event occurring on or conducted through a computer network that is (or a group of related events that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. The so-called “connectivity paradox” means that while it was assumed during the Cold War that technological supremacy would bring about strength and safety, this seems to have the opposite effect in the digital era – while the most technologically sophisticated countries become even more cyber dependent, their technological advancement means they are becoming disproportionately vulnerable to cyber attack.[ix]
This is all occurring in a global international security environment where strategic competitors are vying it out to shape the international system, regional security dynamics and pursue influence over other nation states’ political systems and economies. While the United States intelligence community considers that China and Russia continue to pose the greatest cyber threats, it is expected that all strategic competitors (including Iran and North Korea) will increasingly build capabilities to advance their own national security.[x] It is understood, for instance, that Beijing will authorise cyber espionage against key United States technology sectors when this addresses an important national security or economic goal that is not achievable through other means.[xi] Moscow, on the other hand, is apparently mapping U.S. critical infrastructure, among other activities, with a long-term goal of being able to cause substantial damage.[xii]
Another significant trend to monitor is the observation that digital technologies are increasingly perceived to be reformulating conventional geopolitics and alliances, rather than conventional geopolitics forcing cyber developments.[xiii] A likely case in point could be the more recent furore over American pleas for its allies and Western governments to ban the non-Western Huawei 5G technologies. While American media writes about a defiance of United States’ pleas, other concerns include the viability of future information sharing agreements between the United States and its Five Eyes partners (and others) – even where this public airing of cyber disputes among friends currently fails to take broader deterrence effects into account.
Contemporary and future cyber threats: A changing role for military?
These recent trends should call into question, once again, whether our use of military expertise is fit for purpose in the 21st Century. Rather than focusing solely upon any individual nation state’s cyber defence strategies for the purposes of this piece, it instead emphasises three general, albeit key, themes facing militaries. In order to provide a wider perspective, this section primarily draws on the detailed discussions among leading cyber and national security strategists, military personnel and thinkers from across the world, including major state powers, in a recent workshop on military operations in cyberspace.[xiv]
First, experts note that the national security communities and militaries of technologically advanced democracies are still trying to better understand the character and implications of the phases of potential conflict in cyberspace – our understanding of cyberspace as an environment, of conflict in that environment, and of the military role in such conflict is apparently still work in progress.
A key observation is that we should ideally exercise intellectual, political and strategic humility in this space. For instance, what exactly is the role of military now where there are several types of cyber activity such as espionage, attack, influence campaigns, and races to acquire strategic future capabilities? What is the role of military during “unpeace” defined by Lucas Kello in his recent book as “mid-spectrum rivalry lying below the physically destructive threshold of interstate violence but whose harmful effects far surpass the tolerable level of peacetime competition and possibly even of war” – in other words, how should we analyse and manage military operations that are in fact taking place in cyberspace?
Notably, while undertaking this analysis – rather than jumping too far ahead of ourselves both in our public commentary and decision making – the workshop report posits that it may not be wise to assume that cyberspace changes everything in the military sphere. Perceiving this field to be completely unique may mean we lose sight of valuable experience that can now be applied. On the other hand, a willingness to think differently is advisable when applying strategic templates of the past to different 21st Century circumstances to avoid errors.
It is found that terms like cyber war and the new cold war are being used to describe vague and sinister activities but do these merely reference familiar and comprehensible terms rather than actually explaining what is indeed complicated and unfamiliar? Instead, it is recommended that a more productive discussion be held about the use of military and other levers of national power for political purposes where states may find themselves in confrontation or conflict with other states or non-state actors.
Second, important questions about the role of military in these types of contemporary “conflict”, “unpeace” and strategic competition abound. Such questions include the following[xv]:
(1) Is that role to fight in the traditional sense of an action/reaction struggle with an adversary? The United States Department of Defense (DoD) cyber strategy posits, for instance, that its military’s ability to fight and win wars in any domain, including cyberspace, is a foundational national security requirement to deter aggression including cyber attacks – it will “defend forward” to halt or degrade cyberspace operations targeting the DoD;
(2); Is the military’s task to contain hostile actions in cyberspace and to prevent them spreading to and compromising military activity in conventional domains like land, sea, air and space?;
(3) Should this defensive function be extended to society more broadly, with military tasked not just to defend their own networks and platforms but to also ensure the resilience of society’s critical infrastructure as a whole? Again, the U.S. DoD is now working to defend, when directed, non-DoD critical infrastructure and Defense Industrial Base entities. It will work (including by “defending forward”) to pre-empt, defeat or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident “regardless of whether that incident would impact DoD’s warfighting readiness or capability”;
(4) Are cyber defence and resilience as much as should be expected of military deterrence in cyberspace, or should the role of military be more organisational than operational? The example provided is a liaison and coordination function to integrate cross-governmental and intra-alliance responses;
(5) Is there a need, as laid out in the UK’s national cyber strategy, to improve the focus of intelligence agencies, law enforcement and military in coordination with international partner agencies to identify, anticipate and disrupt hostile cyber activities by obtaining pre-emptive intelligence on the intent and capabilities of malevolent state and non-state actors?[xvi] The U.S. DoD also alludes to the need to increase “bi-directional” information sharing to advance mutual interests with allies and partners.[xvii]; and
(6) Is there space for defence diplomacy so that military promotes international cyber stability frameworks in a manner that is more than a nod to foreign affairs’ counterparts? The U.S. DoD cyber strategy highlights, for instance, that the DoD will work alongside its interagency and international partners to promote international commitments regarding state behaviour in cyberspace as well as to develop and implement cyber confidence building measures.
What is certain from the expert report is that militaries cannot effectively undertake this analysis on their own and they must ideally be conducted as part of a “comprehensive, integrated civil-military approach to conflict in cyberspace”. Nor is cyberspace seen to be exclusively a military responsibility. Instead, it is recommended that there should be effective coordination of civil-military capacity if cyber activities – of all kinds and at whatever levels – are to be deterred and defeated. It is argued that military operations in cyberspace should be fought as part of a comprehensive integrated civil-military approach in which civil and military efforts are interdependent and thus more effective. The report emphasises that civil-military cooperation is no longer optional and it is expected that we will see even closer and more rapid integration of civil and military agencies in the deterrence of and response to cyber aggression.[xviii] This is otherwise known as the fusion doctrine in the United Kingdom whereby UK military operations in cyberspace should be seen as only one element of a full spectrum cross-governmental strategic approach so that political leadership can at all times receive advice from military commanders as to what military operations can and cannot achieve in cyberspace. The UK has also established a military Cyber Security Operations Centre that will work closely with its National Cyber Security Centre.[xix]
In addition, the EU considers that it is well placed to promote synergies between military and civilian efforts given the blurring lines between cyber defence and cybersecurity and the dual use nature of cyber tools and technologies as well as the very different EU Member State approaches.[xx] And the United States DoD is now tasked to respond to cyber-enabled campaigns that erode U.S. military advantages, threaten its infrastructure and reduce its economic prosperity – it will work to expose, disrupt and degrade cyber activity threatening U.S. interests, strengthening the cybersecurity and resilience of key potential targets and working closely – “expanding DoD cyber cooperation” – with other departments and agencies, industry and international partners.[xxi]
Third, there is a major rethinking of deterrence in cyberspace underway among major powers. The United States DoD currently concludes that it must now take action in cyberspace “during day-to-day competition”, in other words “persistent engagement” to preserve its military advantages and to defend U.S. interests.[xxii] It will do so by ensuring the Joint Force will be capable of employing cyberspace operations through the spectrum of conflict, from day-to-day operations to wartime.[xxiii]
Workshop participants asked whether the Cold War model of strategic deterrence leaves us with an expectation that cyber deterrence should be mainly or exclusively a national military concern. A key question then is how can a state take better account instead of its cyber deterrence capability which may be significantly non-military and often not owned by government. The report notes that the private sector no longer only provides deterrence capability to government but it is itself a deterrent actor now, “with its own interests to protect and its own conflicts to prevent” – in other words, we are seeing what is described as a form of civic deterrence with concerted exposure of malicious actions and actors.
The deterrence of cyber attacks that constitute use of force is argued to remain relatively straightforward insofar as it comprises the traditional combination of denial and punishment. It is more challenging where malicious activity falls below the threshold of the use of force, thus calling for more nuanced positions, including during peacetime. An interesting note on a United States proposal includes developing “a menu of options for swift, costly and transparent consequences below the threshold of the use of force – developed on an interagency basis, this menu of consequences would be discriminatory and proportionate and potentially “adversary agnostic” (unlike more bilateral/relational models of cold war deterrence). Moreover, the U.S. DoD cyber strategy outlines as part of its new “compete and deter in cyberspace” strategy that it will persistently contest malicious cyber activity in day-to-day competition, and work with its interagency and private sector partners to reduce the risk that malicious cyber activity targeting U.S. critical infrastructure could have catastrophic or cascading consequences.
Thought leaders and seasoned practitioners thus conclude that since future crises will likely include a cyber component and the military will not only likely be a target but also be required to contribute to national security and defence in cyberspace, defence forces will need enough highly trained practitioners for cyber defensive and counter-offensive operations. The U.S. DoD cyber strategy captures this point succinctly by explaining that its “workforce is a critical cyber asset”. At a time when defence budgets are constrained and talent can be attracted to the more profitable private sector, this point is critical. EU strategies similarly recognise this very important skills gap in cyber defence.[xxiv] The Cyber Education Training Evaluation and Exercise Platform at the European Security and Defence College was subsequently established late last year as one way to address this need for cyber defence training and education across EU Member States. While this initiative is laudable, it is currently light years behind other initiatives such as the NATO Cooperative Cyber Defence Centre of Excellence. The United Kingdom, for its part, is developing its own Defence Cyber Academy for cyber training and exercise across its Ministry of Defence and wider Government, addressing specialist skills and wider education.[xxv] This includes developing opportunities for collaboration in training and education between government, the Armed Forces, industry and academia.
Lastly, advanced thinking on deterrence in cyberspace, which is now often laid out within national cyber strategies, is understood to be part of (and to emanate from) a nation’s wider deterrence framework. This is, in turn, often relayed through a national security strategy. In other words, a broader strategic overlay may be necessary to establish better deterrence in cyberspace. Nonetheless, it is safe to conclude that the military role in advanced democratic states’ endeavours to deter and manage the use by state or non-state actors of contemporary and future cyber capabilities needs both significant strategic refinement and investment. This could likely be in favour of establishing more comprehensive civil-military mechanisms, ideally incorporating cross-governmental strategic foresight mechanisms. For a more recent example of thinking on the defence contribution to deterrence, the UK Ministry of Defence recently released doctrine notes on deterrence and strategic communication which consider how technological developments in the 21st Century, along with the effects of globalisation and the associated complex interdependencies, have created a contemporary context in which the concept of deterrence must be contextualised and postures constructed.[xxvi]
So as not to throw the baby out with the bathwater in the wake of tackling these four types of contemporary cyber aggression and grey zone conflict during peacetime, it is likely that healthy levels of both caution and willingness to bring about constructive change will be needed when questioning, and potentially modifying, the traditional role of military for 21st Century risks.
Author: Caitríona Heinl, Executive Strategist & Lead Strategist for Asia Pacific, EXEDEC
[i] This material was prepared in advance of a panel presentation given at the Irish Defence Forces Officers’ Club on 11 April 2019.
[ii] HM Government, “National Cyber Security Strategy 2016-2021”, 2016, p.22.
[iii] Department of Communications, Climate Action & Environment, “National Cyber Security Strategy Draft Public Consultation”, March 2019, p.1.
[iv] See the Department of Communications, Climate Action & Environment, “National Cyber Security Strategy Draft Public Consultation”, March 2019, p.5-6: Hybrid threats are defined by the EEAS as combining conventional and unconventional, military and non-military activities that can be used in a coordinated manner by state or non-state actors to achieve specific political objectives. Threat actors using these means can use cyber-enabled techniques to steal information from political parties, governments or private organisations for subsequent release, sometimes edited, at an opportune time or to support a general campaign of misinformation or to subvert some genuine political or judicial process – this thus represents both a data protection challenge and a risk to the proper function of democracy.
See also Daniel R. Coats, Director of National Intelligence, “Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community”, Senate Select Committee on Intelligence, 29 January 2019: It is expected that Russian online efforts will continue to focus on aggravating social and racial tensions, undermining trust in authorities and criticising perceived anti-Russian politicians, potentially using additional influence toolkits such as spreading disinformation, conducting hack and leak operations and manipulating data in a more targeted fashion to influence policy, actions, and elections. Whereas China is expanding its ability to shape the discourse relating to China abroad and it is expected to continue using legal, political and economic levers such as the “lure of Chinese markets” to shape the information environment. Notably, the country is considered to be capable of using cyber attacks against systems outside China to censor or suppress viewpoints that it deems politically sensitive. It is expected that actors may also try to use cyber means to directly manipulate or disrupt election systems by, for example, tampering with voter registration or disrupting the vote tallying process to alter data or to solely call the voting process into question.
[v] Daniel R. Coats, Director of National Intelligence, “Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community”, Senate Select Committee on Intelligence, 29 January 2019.
[vi] For a U.S. IC perspective, see Daniel R. Coats, Director of National Intelligence, “Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community”, Senate Select Committee on Intelligence, 29 January 2019: The capability gap between commercial and military technologies is apparently “evaporating” and foreign actors are doubling down on acquiring top talent, companies, data and IP through licit and illicit means. In terms of AI, cyber-enabled and AI enhanced systems are likely to be trusted with increasing levels of autonomy and decision-making, thus presenting a host of economic, military, ethical and privacy challenges. Whereas the production of non-Western advanced communication technologies like 5G wireless networks is at the top of states’ policy agenda given concerns about data security where it is expected that data will then flow across foreign produced equipment and foreign controlled networks, raising the risk of foreign access and denial of service. The United States IC is particularly concerned about the potential for Chinese intelligence and security services to use Chinese information technology firms as routine and systemic espionage platforms. Among other emerging technology challenges, quantum computing advances will increase the risk of decryption and challenge current methods of protecting data.
[vii] I participated in this session on cyber futures: See Wilton Park Report, “Military operations in cyberspace”, WP1635, Report author Paul Cornish, October 2018.
[x] Daniel R. Coats, Director of National Intelligence, “Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community”, Senate Select Committee on Intelligence, 29 January 2019.
[xiv] This section focuses on three priority areas mentioned throughout the Wilton Park Report, “Military operations in cyberspace”, WP1635, Report author Paul Cornish, October 2018.
[xv] The first four questions are specifically noted by Wilton Park report. Questions five and six are identified by the author through analysis of the United Kingdom’s current national cyber strategy and the U.S. DoD cyber strategy of 2018.
[xvi] See the United Kingdom’s approach: HM Government, “National Cyber Security Strategy 2016-2021”, 2016, p.28.
[xvii] United States Department of Defense, “Summary: Department of Defense Cyber Strategy 2018”, September 2018, p.2.
[xviii] In the Irish context, current civil-military cooperation is described within the 2015 National Cyber Security Strategy: “The Defence Forces maintains a capability in the area of cyber security for the purpose of protecting its own networks and users. There is already a strong culture of cooperation between the NCSC and DF in areas such as development of technical skill sets, technical information sharing and exercise participation. These arrangements will be formalised by means of a Service Level Agreement with the Department of Defence, which will also include a mechanism for sharing technical expertise in the event of a national cyber incident or emergency.”
[xix] HM Government, “National Cyber Security Strategy 2016-2021”, 2016.
[xx] European Commission and High Representative of the Union for Foreign Affairs and Security Policy, Joint Communication to the European Parliament and the Council, “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU”, 13 September 2017.
[xxi] United States Department of Defense, “Summary: Department of Defense Cyber Strategy 2018”, September 2018, p.2 & 3.
[xxii] Ibid, p.1.
[xxiii] Ibid, p.3.
[xxiv] European Commission and High Representative of the Union for Foreign Affairs and Security Policy, Joint Communication to the European Parliament and the Council, “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU”, 13 September 2017.
[xxv] HM Government, “National Cyber Security Strategy 2016-2021”, 2016, p.56-57.
[xxvi] UK Ministry of Defence, Doctrine Note 1/19, “Deterrence: The Defence Contribution”, February 2019.