It is easy to be taken aback by how quickly digital information and communication technology (ICT) has become indispensable to government, the economy and everyday life. Vital infrastructure such as electrical grids, hospitals, media and transportation networks have become ICT reliant. The weapons and defensive systems of most advanced economies have followed suit. But the same flowering of ICT infrastructure that has produced wondrous gains in efficiency carries with it an inherent vulnerability, presenting a novel avenue of attack through cyberspace by which hostile actors can strike. Governments have been slow to rouse themselves to this threat; a recent report from the US Government Accountability Office (2018) admonished the Department of Defense for its lax standards, asserting that many US weapons systems could be disabled through simplistic cyber attacks. This pervasive vulnerability to threats from cyberspace has worrying implications for national security and international stability.

The technical and political difficulties of accurately attributing cyber attacks offer hostile actors the ability to avoid punishment, creating an “offence-dominant” environment. Shared supply chains and reliance on a small number of ICT platforms ensure that government infrastructure and security systems possess the same technical vulnerabilities as the private sector, many of which are well known or easily discoverable. Antiquated global governance surrounding the use of force has allowed malicious actors to perpetrate mischief while staying just below the threshold that would provoke a response. In combination, these factors present a challenge to the maintenance of global stability, which both national governments and international organizations are struggling to cope with.

The rapid rate of technological change inevitably outpaces government and society’s ability to comprehend that change. This is true at both the national and the international level. National governments and international organizations are now struggling to understand the vulnerabilities posed by the world’s unprecedented reliance on digital infrastructure, and the destabilizing effect this may have on the current international order.

Well-established concepts within international security, such as the effectiveness of deterrence strategies, have been cast into doubt. Nonetheless, a few broad implications of the new importance of the cyber domain can be observed from within a general climate of uncertainty.

Attribution Uncertainty

Strategic stability at the global level relies on the concept of deterrence — preventing aggression by threatening harsh punishment, or by imposing costs that exceed any benefits from attack. The anonymity granted to actors in cyberspace makes it tough to identify the culprit of a given attack with a high degree of certainty (the origin of a piece of malware is much less obvious than the origin of a missile strike), undermining the effectiveness of deterrence strategies and emboldening attackers (Solomon 2011).

While there has been some progress in improving the technical aspect of cyber attack attribution, political difficulties remain. After all, for a deterrence strategy to work, a state must retaliate once an attack is identified, and allies committed to collective defence must come to their aid. Despite traditional rhetoric, such assistance is never automatic, and the added problem of convincingly attributing cyber attacks adds another layer of uncertainty to the political calculus. Honouring commitments to allies can be costly, and states will be reluctant to bear this burden if there remain any doubts about the identity of the attacker. In this way, the cyber-attribution problem can undermine the cohesiveness of alliances and, by extension, international stability.

Another factor that plays into attribution difficulties is the growing technological capability of the private sector. This has empowered a plethora of actors, such as cyber security firms, to perform their own cyber attribution and contest the attribution claims of state governments (Romanosky 2017). Claims made by states must now survive inspection by subject matter experts in the private sector (many of whom have experience in the defence and intelligence communities), who question all factual disclosures and explanations. The waters of attribution are further muddied by politicians and members of the media who are often quick to denounce suspected culprits despite lacking technical evidence. When the French media outlet TV5Monde was infiltrated by hackers claiming to be affiliated with the Islamic State group, certain politicians and members of the media were quick to run with this story, although the French prosecutor’s office later found the evidence pointed toward a Russian espionage group (Soesanto 2017). This has had the effect of eroding national governments’ authority over such matters, aggravating uncertainty.

Offence Dominance

An assertion frequently made about cyberspace is that attacking is relatively easy, and protection and defence much more difficult, compared to conventional theatres of war (Kello 2013). Attacks and espionage in cyberspace can generally be perpetrated at lower cost compared to traditional methods. The 10 million daily intrusion attempts at the Pentagon speak volumes about the affordability of offensive cyber operations (Fung 2013). This allows traditionally weaker actors to pose a threat to the United States and its allies in ways not previously possible.

The US Pentagon reports getting 10 million cyber intrusion attempts a day, a volume that speaks to the relative affordability of offensive cyber operations. (Photo: Shutterstock.com)

Furthermore, our ever-increasing reliance upon ICT infrastructure in defence systems and the civilian economy has dramatically multiplied the number of vulnerable points that must be defended. While the size of a state’s physical territory, defended by its conventional forces, usually stays the same over time, the number of “entry points” in cyberspace that it must defend is constantly growing (Singer and Friedman 2014). The arrival of cloud services and the Internet of Things will only add to this difficulty. Compounding this problem is the failure of civilians to adopt safer digital habits. Reliance on a small number of technology platforms ensures that common exploitable vulnerabilities are widely shared, while public disclosures of compromised systems spread knowledge of these common exploits to potential hostile parties.

Tools of cyberwar are largely non-physical and therefore easier to conceal than conventional forces, making it difficult for actors to assess each other’s capabilities. Offensive military cyber doctrines in the United States, Russia, China and elsewhere show that states are imitating neighbours and competitors when they develop their own cyber capabilities. However, these doctrines are not widely understood, feeding mistrust and the perceived need to gain a “first mover advantage” (ibid.). This in turn heightens the danger of escalation and reduces stability. Under the circumstances, a stable and persistent advantage in cyberspace seems unattainable.

Intelligence Tools as Offensive Cyber Weapons

Many observers fail to fully appreciate how much current cyber operations owe to innovation by intelligence agencies charged with obtaining information about the political, economic and defence postures of potential competitors (and allies). The malware and signals intelligence capacity of these agencies grants the ability to maintain an accurate awareness of changes in the cyber environment, as well as the power to reshape it. States feel that access to foreign information systems and critical infrastructures is necessary for them to be aware of incoming attacks and to retaliate against them. However, the ability to degrade an opponent’s conventional military capabilities through cyber-enabled espionage may actually weaken deterrence in other domains such as air, maritime, land and outer space. The timely and coordinated deployment of these conventional forces has become dependent on ICT infrastructure. The possibility that these communication and early warning systems may have been covertly infiltrated erodes actors’ confidence in their defensive abilities, increasing mistrust and the potential for conflict. The effect this may have on the behaviour of nuclear armed states is especially worrying (Cimbala 2016).

Pervasive Infrastructure Cyber Vulnerability

The private sector remains at the forefront of ICT development. Therefore, governments must rely on the same “commercial off-the-shelf technologies” (COTS) that are widespread in the civilian economy (Choo 2011). Due to their shared supply chains, government systems for providing early warning against cyber attack, intelligence collection and operational cyber capabilities face many of the same vulnerabilities as do private sector assets. The constant probing of commercial systems by cybercriminals (some of whom may be proxies for governments) ensures that the weaknesses and exploits of many of these COTS become well known.

Current trends appear to be pushing the ICT supply chain toward greater homogeneity. This is partially a consequence of laws and regulations, but also of industry convergence around common standards driven by commercial incentives. Best-practice guidelines issued by governments generally call for the maintenance of secure system configurations, but this will not solve the problem of vulnerable legacy technology, or the “undirected” nature of technical change driven by commercial competition. This presents another weakness that governments have been slow to acknowledge.

Antiquated Legal Regime and “Grey Zone” Conflict

International law surrounding the use of force is now more contested, with disputes over whether it can properly address the threat posed by cyber attacks in a world rife with vulnerable ICT infrastructure. Existing norms and laws (for instance, as articulated in article 2(4) of the United Nations Charter) were created at a time when the use of force took the form of obvious, more easily attributable discrete events, such as the movement of troops or a missile strike. In contrast, a widely accepted understanding of what would constitute “use of force” in cyberspace has yet to be found (Tsagourias 2017). Many types of hostile action conducted in cyberspace, such as theft of a corporation’s intellectual property or spreading misinformation to influence foreign elections, do not cause direct harm to people in the same way as conventional weapons, leaving doubts as to whether they constitute a “use of force,” and, therefore, whether the victim may invoke their right to self-defence.

This ambiguity, combined with the difficulties of cyber attribution, has been voraciously exploited by an assortment of state, non-state and suspected proxy actors, as part of a strategy sometimes referred to as “hybrid warfare” (Cantwell 2017). The result has been a near constant drizzle of activity in cyberspace calculated to fall into a “grey zone” — undoubtedly hostile, but falling below the threshold of intensity that would provoke retaliation. Russia’s aggressive activities over the past decade provide a prime example of this tactic. These are widely believed to include attempts to influence elections in the United States and Western Europe, and denial of service attacks on government service websites (ibid.). Yet, despite these provocations, Russia’s adversaries — actual and potential — appear hesitant to respond decisively.

Russia’s hostile activities in cyberspace over the past decade — widely believed to include attempts to influence elections in the United States and Western Europe, and denial of service attacks on government service websites — provide a prime example of “grey zone” conflict. (Photo: Dimitrije Ostojic / Shutterstock.com).

Coping with Instability

As a response to grey zone conflict and offence dominance in cyberspace, many national governments, such as the United States, Germany and Canada, have concluded that a static defence is no longer adequate and have been adjusting to allow pre-emptive cyber operations intended to disrupt hostile actors before they can act (Herpig 2018; Nakashima 2018; Grigsby 2017). Organizations at the international level have mirrored this trend. In 2017, the North Atlantic Treaty Organization (NATO) adjusted its policy away from ambiguity on cyber effects to a more responsive stance, establishing a Cyber Operations Centre to integrate the cyber capabilities of its members into military operations (Ricks and Ali 2017). While this may be necessary to cope with the attribution problem and grey zone hostilities, whether or not this will re-enable effective deterrence or cause further destabilization through tit-for-tat escalation remains unclear.

Due to many of its members being on the receiving end of grey zone cyber attacks, NATO has been a leading light in trying to resolve the current uncertainty plaguing international governance of cyber conflict. It has attempted, through efforts such as the establishment of the Cooperative Cyber Defence Centre of Excellence and publication of the Tallinn Manual, to arrive at a clear interpretation of which acts in cyberspace are permissible or not under current international law (Arts 2018). The alliance relies on all members following through on their commitment to collective defence as stipulated under article 5 of the alliance’s treaty. This makes the attribution challenge in cyberwarfare especially problematic, as it can give members a plausible reason to demur on this potentially costly commitment. This is forcing NATO to consider what kind of activity in cyberspace would be serious enough to invoke the collective defence clause. While NATO has affirmed that article 5 could be triggered by a significant cyber attack, as of yet it has not determined a precise threshold (ibid.).

Implications and Policy Consequences

Global strategic stability is undermined by the failure of states to take seriously the erosion of defence capabilities caused by growing reliance on ICT technologies in critical infrastructures and weapon systems. At present, COTS and the ICT supply chain that services critical infrastructure present a particularly vulnerable point of entry for malicious actors. Existing governance and oversight mechanisms concerning the deployment of ICT will prove too lenient for the developing threat environment. Enhanced communication and tighter cooperation between government and the private sector will prove crucial to bolstering defences in this area. More arrangements like the Information Sharing and Analysis Centers, which facilitate intelligence sharing on cyber threats between the public and private sector, would be of great benefit (Lord and Mussington 2017).

Superior coordination and information sharing are also required at the international level. In the face of an offence-dominant environment, efforts must be taken to assuage the uncertainties felt by various actors as to each other’s capabilities and intentions. The technical and political difficulties in attributing cyber attacks, combined with their affordability, will continue to encourage attackers. Those defending against cyber attacks must therefore take a firmer, less equivocal stance than they have so far displayed. Absent an international consensus on what constitutes use of force in cyberspace, the United States and fellow NATO members must collectively decide upon a clear code of conduct for responding to grey zone activities, in order to banish ambiguity and the risk of miscalculation. A red line should be drawn around the most pernicious types of cyber hostilities now being perpetrated, such as attempts to sway foreign elections, the violation of which should trigger a measured yet firm response. Restoring clarity to the “action-reaction” dynamic is necessary both to dissuade hostile actors by guaranteeing reprisal for certain offences, and to solidify an understanding among allies as to when they must come to one another’s assistance. In the long term, the United States and its allies should promote more effective international governance by pushing to have these red lines enshrined as international norms in fora such as the United Nations. There is an urgency to this effort — failure to do so will only entrench the idea that the constant grey zone hostilities we are now witnessing have become a tolerable part of international behaviour.

Works Cited

Arts, Sophie. 2018. “Offense as the New Defense: New Life for NATO’s Cyber Policy.” The German Marshall Fund of the United States, December 13. www.gmfus.org/publications/offense-new-defense-new-life-natos-cyber-policy.

Cantwell, Douglas. 2017. “Hybrid Warfare: Aggression and Coercion in the Gray Zone.” American Society of International Law 21 (14). www.asil.org/insights/volume/21/issue/14/hybrid-warfare-aggression-and-coercion-gray-zone.

Choo, Kim-Kwang Raymond. 2011. “The Cyber Threat Landscape: Challenges and Future Research Directions.” Computers and Security 30 (8): 719–31. http://dx.doi.org/10.1016/j.cose.2011.08.004.

Cimbala, Stephen J. 2016. “Nuclear Deterrence in Cyber-ia.” Air and Space Power Journal 30 (3): 54–63. www.airuniversity.af.edu/Portals/10/ASPJ/journals/Volume-30_Issue-3/V-Cimbala.pdf.

Fung, Brian. 2013. “How Many Cyberattacks Hit the United States Last Year?” Nextgov, March 8. www.nextgov.com/cybersecurity/2013/03/how-many-cyberattacks-hit-united-states-last-year/61775/.

Grigsby, Alex. 2017. “Canada’s Military Gets More Cyber, and the Headaches That Come With It.” Net Politics (blog), June 22. www.cfr.org/blog/canadas-military-gets-more-cyber-and-headaches-come-it.

Herpig, Sven. 2018. “As Germany Moves Toward a More Offensive Posture in Cyberspace, It Will Need a Vulnerability Equities Process.” Net Politics (blog), September 4. www.cfr.org/blog/germany-moves-toward-more-offensive-posture-cyberspace-it-will-need-vulnerability-equities.

Kello, Lucas. 2013. “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft.” International Security 38 (2): 7–40. www.mitpressjournals.org/doi/pdfplus/10.1162/ISEC_a_00138.

Lord, Robert and David Mussington. 2017. “Now More than Ever, Don’t Neglect America’s Cyber Infrastructure.” The Hill, February 2. https://thehill.com/blogs/pundits-blog/technology/317568-now-more-than-ever-dont-neglect-americas-cyber-infrastructure.

Nakashima, Ellen. 2018. “White House Authorizes ‘Offensive Cyber Operations’ to Deter Foreign Adversaries.” The Washington Post, September 20. www.washingtonpost.com/world/national-security/trump-authorizes-offensive-cyber-operations-to-deter-foreign-adversaries-bolton-says/2018/09/20/b5880578-bd0b-11e8-b7d2-0773aa1e33da_story.html?utm_term=.ba6310a38936.

Ricks, Thomas E. and Rizwan Ali. 2017. “NATO’s Little Noticed but Important New Aggressive Stance on Cyber Weapons.” Foreign Policy, December 7. https://foreignpolicy.com/2017/12/07/natos-little-noticed-but-important-new-aggressive-stance-on-cyber-weapons/.

Romanosky, Sasha. 2017. “Private-Sector Attribution of Cyber Attacks: A Growing Concern for the US Government?” Lawfare (blog), December 21. www.lawfareblog.com/private-sector-attribution-cyber-attacks-growing-concern-us-government.

Singer, P. W. and Allan Friedman. 2014. “Cult of the Cyber Offensive.” Foreign Policy, January 15. https://foreignpolicy.com/2014/01/15/cult-of-the-cyber-offensive/.

Soesanto, Stefan. 2017. “Attribution is what states make of it.” European Council on Foreign Relations, October 30. www.ecfr.eu/article/commentary_attribution_is_what_states_make_of_it_7233.

Solomon, Jonathan. 2011. “Cyberdeterrence between Nation-States: Plausible Strategy or a Pipe Dream?” Strategic Studies Quarterly 5 (1): 1–25. https://apps.dtic.mil/dtic/tr/fulltext/u2/a538310.pdf.

Tsagourias, Nicholas. 2017. “The Law of Cyberwarfare: Restrictions, Opportunities, and Loopholes.” Canadian Journal of Law and Technology 15 (1): 27–40.

US Government Accountability Office. 2018. Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities. October. www.gao.gov/assets/700/694913.pdf.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.
  • David Mussington

    David Mussington is a senior fellow at the Centre for International Governance Innovation (CIGI), and professor of the practice and director, Center for Public Policy and Private Enterprise, University of Maryland, College Park. In 2010, David was senior adviser for cyber policy in the US Department of Defense, later serving on the Obama administration’s National Security Council staff as director for surface transportation security policy. In addition to his work at the University of Maryland, David is an adjunct member of the research staff at the Institute for Defense Analyses, directing studies for the Department of Defense, the Department of Homeland Security and the Office of the Director of National Intelligence. He holds a B.A. in economics and political science and an M.A. in political science, both from the University of Toronto, and a Ph.D. in political science from Carleton University, as well as the Certified Information Systems Security Professional designation.