Strategic Stability, Cyber Operations and International Security

t is easy to be taken aback by how quickly digital information and communication technology (ICT) has become indispensable to government, the economy and everyday life. Vital infrastructure such as electrical grids, hospitals, media and transportation networks have become ICT reliant. The weapons and defensive systems of most advanced economies have followed suit. But the same flowering of ICT infrastructure that has produced wondrous gains in efficiency carries with it an inherent vulnerability, presenting a novel avenue of attack through cyberspace by which hostile actors can strike. Governments have been slow to rouse themselves to this threat; a recent report from the US Government Accountability Office (2018) admonished the Department of Defense for its lax standards, asserting that many US weapons systems could be disabled through simplistic cyber attacks. This pervasive vulnerability to threats from cyberspace has worrying implications for national security and international stability.

The technical and political difficulties of accurately attributing cyber attacks offer hostile actors the ability to avoid punishment, creating an “offence-dominant” environment. Shared supply chains and reliance on a small number of ICT platforms ensure that government infrastructure and security systems possess the same technical vulnerabilities as the private sector, many of which are well known or easily discoverable. Antiquated global governance surrounding the use of force has allowed malicious actors to perpetrate mischief while staying just below the threshold that would provoke a response. In combination, these factors present a challenge to the maintenance of global stability, which both national governments and international organizations are struggling to cope with.

The rapid rate of technological change inevitably outpaces government and society’s ability to comprehend that change. This is true at both the national and the international level. National governments and international organizations are now struggling to understand the vulnerabilities posed by the world’s unprecedented reliance on digital infrastructure, and the destabilizing effect this may have on the current international order.

Well-established concepts within international security, such as the effectiveness of deterrence strategies, have been cast into doubt. Nonetheless, a few broad implications of the new importance of the cyber domain can be observed from within a general climate of uncertainty.

Strategic stability at the global level relies on the concept of deterrence — preventing aggression by threatening harsh punishment, or by imposing costs that exceed any benefits from attack. The anonymity granted to actors in cyberspace makes it tough to identify the culprit of a given attack with a high degree of certainty (the origin of a piece of malware is much less obvious than the origin of a missile strike), undermining the effectiveness of deterrence strategies and emboldening attackers (Solomon 2011).

While there has been some progress in improving the technical aspect of cyber attack attribution, political difficulties remain. After all, for a deterrence strategy to work, a state must retaliate once an attack is identified, and allies committed to collective defence must come to their aid. Despite traditional rhetoric, such assistance is never automatic, and the added problem of convincingly attributing cyber attacks adds another layer of uncertainty to the political calculus. Honouring commitments to allies can be costly, and states will be reluctant to bear this burden if there remain any doubts about the identity of the attacker. In this way, the cyber-attribution problem can undermine the cohesiveness of alliances and, by extension, international stability.

Another factor that plays into attribution difficulties is the growing technological capability of the private sector. This has empowered a plethora of actors, such as cyber security firms, to perform their own cyber attribution and contest the attribution claims of state governments (Romanosky 2017). Claims made by states must now survive inspection by subject matter experts in the private sector (many of whom have experience in the defence and intelligence communities), who question all factual disclosures and explanations. The waters of attribution are further muddied by politicians and members of the media who are often quick to denounce suspected culprits despite lacking technical evidence. When the French media outlet TV5Monde was infiltrated by hackers claiming to be affiliated with the Islamic State group, certain politicians and members of the media were quick to run with this story, although the French prosecutor’s office later found the evidence pointed toward a Russian espionage group (Soesanto 2017). This has had the effect of eroding national governments’ authority over such matters, aggravating uncertainty.

An assertion frequently made about cyberspace is that attacking is relatively easy, and protection and defence much more difficult, compared to conventional theatres of war (Kello 2013). Attacks and espionage in cyberspace can generally be perpetrated at lower cost compared to traditional methods. The 10 million daily intrusion attempts at the Pentagon speak volumes about the affordability of offensive cyber operations (Fung 2013). This allows traditionally weaker actors to pose a threat to the United States and its allies in ways not previously possible.

Furthermore, our ever-increasing reliance upon ICT infrastructure in defence systems and the civilian economy has dramatically multiplied the number of vulnerable points that must be defended. While the size of a state’s physical territory, defended by its conventional forces, usually stays the same over time, the number of “entry points” in cyberspace that it must defend is constantly growing (Singer and Friedman 2014). The arrival of cloud services and the Internet of Things will only add to this difficulty. Compounding this problem is the failure of civilians to adopt safer digital habits. Reliance on a small number of technology platforms ensures that common exploitable vulnerabilities are widely shared, while public disclosures of compromised systems spread knowledge of these common exploits to potential hostile parties.

Tools of cyberwar are largely non-physical and therefore easier to conceal than conventional forces, making it difficult for actors to assess each other’s capabilities. Offensive military cyber doctrines in the United States, Russia, China and elsewhere show that states are imitating neighbours and competitors when they develop their own cyber capabilities. However, these doctrines are not widely understood, feeding mistrust and the perceived need to gain a “first mover advantage” (ibid.). This in turn heightens the danger of escalation and reduces stability. Under the circumstances, a stable and persistent advantage in cyberspace seems unattainable.

Many observers fail to fully appreciate how much current cyber operations owe to innovation by intelligence agencies charged with obtaining information about the political, economic and defence postures of potential competitors (and allies). The malware and signals intelligence capacity of these agencies grants the ability to maintain an accurate awareness of changes in the cyber environment, as well as the power to reshape it. States feel that access to foreign information systems and critical infrastructures is necessary for them to be aware of incoming attacks and to retaliate against them. However, the ability to degrade an opponent’s conventional military capabilities through cyber-enabled espionage may actually weaken deterrence in other domains such as air, maritime, land and outer space. The timely and coordinated deployment of these conventional forces has become dependent on ICT infrastructure. The possibility that these communication and early warning systems may have been covertly infiltrated erodes actors’ confidence in their defensive abilities, increasing mistrust and the potential for conflict. The effect this may have on the behaviour of nuclear armed states is especially worrying (Cimbala 2016).

The private sector remains at the forefront of ICT development. Therefore, governments must rely on the same “commercial off-the-shelf technologies” (COTS) that are widespread in the civilian economy (Choo 2011). Due to their shared supply chains, government systems for providing early warning against cyber attack, intelligence collection and operational cyber capabilities face many of the same vulnerabilities as do private sector assets. The constant probing of commercial systems by cybercriminals (some of whom may be proxies for governments) ensures that the weaknesses and exploits of many of these COTS become well known.

Current trends appear to be pushing the ICT supply chain toward greater homogeneity. This is partially a consequence of laws and regulations, but also of industry convergence around common standards driven by commercial incentives. Best-practice guidelines issued by governments generally call for the maintenance of secure system configurations, but this will not solve the problem of vulnerable legacy technology, or the “undirected” nature of technical change driven by commercial competition. This presents another weakness that governments have been slow to acknowledge.

International law surrounding the use of force is now more contested, with disputes over whether it can properly address the threat posed by cyber attacks in a world rife with vulnerable ICT infrastructure. Existing norms and laws (for instance, as articulated in article 2(4) of the United Nations Charter) were created at a time when the use of force took the form of obvious, more easily attributable discrete events, such as the movement of troops or a missile strike. In contrast, a widely accepted understanding of what would constitute “use of force” in cyberspace has yet to be found (Tsagourias 2017). Many types of hostile action conducted in cyberspace, such as theft of a corporation’s intellectual property or spreading misinformation to influence foreign elections, do not cause direct harm to people in the same way as conventional weapons, leaving doubts as to whether they constitute a “use of force,” and, therefore, whether the victim may invoke their right to self-defence.

This ambiguity, combined with the difficulties of cyber attribution, has been voraciously exploited by an assortment of state, non-state and suspected proxy actors, as part of a strategy sometimes referred to as “hybrid warfare” (Cantwell 2017). The result has been a near constant drizzle of activity in cyberspace calculated to fall into a “grey zone” — undoubtedly hostile, but falling below the threshold of intensity that would provoke retaliation. Russia’s aggressive activities over the past decade provide a prime example of this tactic. These are widely believed to include attempts to influence elections in the United States and Western Europe, and denial of service attacks on government service websites (ibid.). Yet, despite these provocations, Russia’s adversaries — actual and potential — appear hesitant to respond decisively.

As a response to grey zone conflict and offence dominance in cyberspace, many national governments, such as the United States, Germany and Canada, have concluded that a static defence is no longer adequate and have been adjusting to allow pre-emptive cyber operations intended to disrupt hostile actors before they can act (Herpig 2018; Nakashima 2018; Grigsby 2017). Organizations at the international level have mirrored this trend. In 2017, the North Atlantic Treaty Organization (NATO) adjusted its policy away from ambiguity on cyber effects to a more responsive stance, establishing a Cyber Operations Centre to integrate the cyber capabilities of its members into military operations (Ricks and Ali 2017). While this may be necessary to cope with the attribution problem and grey zone hostilities, whether or not this will re-enable effective deterrence or cause further destabilization through tit-for-tat escalation remains unclear.

Due to many of its members being on the receiving end of grey zone cyber attacks, NATO has been a leading light in trying to resolve the current uncertainty plaguing international governance of cyber conflict. It has attempted, through efforts such as the establishment of the Cooperative Cyber Defence Centre of Excellence and publication of the Tallinn Manual, to arrive at a clear interpretation of which acts in cyberspace are permissible or not under current international law (Arts 2018). The alliance relies on all members following through on their commitment to collective defence as stipulated under article 5 of the alliance’s treaty. This makes the attribution challenge in cyberwarfare especially problematic, as it can give members a plausible reason to demur on this potentially costly commitment. This is forcing NATO to consider what kind of activity in cyberspace would be serious enough to invoke the collective defence clause. While NATO has affirmed that article 5 could be triggered by a significant cyber attack, as of yet it has not determined a precise threshold (ibid.).

Global strategic stability is undermined by the failure of states to take seriously the erosion of defence capabilities caused by growing reliance on ICT technologies in critical infrastructures and weapon systems. At present, COTS and the ICT supply chain that services critical infrastructure present a particularly vulnerable point of entry for malicious actors. Existing governance and oversight mechanisms concerning the deployment of ICT will prove too lenient for the developing threat environment. Enhanced communication and tighter cooperation between government and the private sector will prove crucial to bolstering defences in this area. More arrangements like the Information Sharing and Analysis Centers, which facilitate intelligence sharing on cyber threats between the public and private sector, would be of great benefit (Lord and Mussington 2017).