The world’s strategic paradigm has shifted. Escalating global fragmentation is dismantling prevailing notions of power, conflict and the liberal international order. Although these changes have been underway for decades, the emergence of a global pandemic, disruptive technologies and accelerated climate change have introduced additional volatility and pressure. A decline in international cooperation – and what the UN terms ‘diminishing global potential for the prevention and resolution of conflict and violence in all forms’ – is a collateral outcome of these tensions. The character of war is changing too, challenging our assumptions regarding its very nature and of how militaries think and fight.
Nowhere is this more obvious than in cyber conflict. Whilst cyberwarfare is a relative newcomer to the battlefront, replete with its domain immaturity, the increased militarization of cyberspace is nevertheless fundamentally reshaping the dynamics of contemporary and future conflict.
The military significance of cyberspace
Cyberspace aligns effortlessly with two key characteristics of contemporary conflict. First, the abundance of State and non-State actors and the rise of proxy relationships between them, characterized by their transactional and variable nature. Second is the predominance of persistent, low-intensity irregular conflict. Decisive battles fought by large, conventional armies are no longer at the core of modern warfighting. Wars, using political rather than military means, are aimed at the control or coercion of large civilian populations, against whom the violence is now directed. In this way, territory can be controlled without having to defeat opposing forces in the field. The utility of cyberwarfare in achieving these ends will ensure its growing importance as a conflict domain.
It is imperative to distinguish strategic conflict in cyberspace from other nefarious forms of cyber activity, such as cybercrime and cyber vigilantism. Strategic conflict in cyberspace is essentially conducted by actors who are motivated by geostrategic interests. Such activities pose a threat to national and regional peace and security architectures and impact strategic targets, democratic processes and wider civilian populations.
To this end, cyber conflict has both a national security dimension as well as a human security dimension. Indeed, it is the human security factor in cyber conflict which poses the gravest concern. Unlike the conventional battlespace, with its physical frontlines, the cyber battlespace shares its geography and artefacts with civilian technologies, supply chains and critical infrastructures. A major cyber-attack with systemic impact could cause endemic societal devastation with significant human and economic costs – particularly in countries with high levels of cyber dependency.
Low levels of cyber dependency are not, however, an indicator of cyber immunity, and – in an interconnected world – all societies are at risk. Cyberspace reflects the divide between wealthier and poorer countries even more sharply than the other domains of war. Many less developed States, while digitizing at a rapid pace, possess negligible military cyber capabilities. This capability gap is likely to widen rather than narrow. Aside from creating further mistrust between wealthy and poor nations, this disequilibrium poses a significant risk to already vulnerable populations whilst also promoting further instability in international cyber space through regional cyber fragility.
Militaries in cyber conflict: the state of play
To date, cyberspace has primarily been a battleground for power projection, proxy operations, and intelligence and information operations. These actions, which frequently take place in peacetime or fall below the threshold of armed conflict, are conceptually associated with hybrid warfare or grey-zone conflict. Within the battlespace, current military usage of cyber operations is often to disrupt and degrade adversary capabilities. The destructive potential of unconstrained cyber warfare, however, remains largely untested.
The distinctive nature of cyberspace – and its seemingly elastic range of possibilities – pushes the boundaries of conventionally conditioned military thinking. The low barriers to entry and the asymmetric potential of cyber operations pose distinct challenges to State primacy, providing a perfect vector for malign State and non-State actors to participate and make gains across the spectrum of conflict. For military forces, defending against cyber threats presents an exceptionally difficult prospect. Unlike other war types, cyberwarfare favours the attacker; offering a wide attack surface and target-rich setting. Its opaque, persistent, and pervasive character requires agility and constant readiness. The vexatious issue of attack attribution, and the difficult geography of cyberspace, creates a climate of near impunity for attackers. This in turn makes responses to malevolent cyber operations difficult.
For military planners, new operational demands, forces structures and the race to develop cyber capabilities constitute legal, organizational and strategic challenges. Developing cyber warfare dexterity to compete and win in cyberspace is a complicated task with many moving parts. Unlike other warfighting domains, which have developed strategic and doctrinal maturity over time, cyber warcraft has the key differentiators of evolving possibilities and potential applications through rapid technology advancement as well as the dual-use nature of digital technologies. These can be ‘used as much to serve malicious or lethal purposes as they can be harnessed to enhance social and economic development, rendering efforts to manage them much more complex’.
There are further challenges. The military understanding of cyber conflict and its escalation dynamics (ICRC report, p. 12) is still at a nascent stage, resulting in the risk of strategic miscalculations. The potential for a serious miscalculation grows in tandem with States becoming increasingly reluctant to take ‘hits’ from adversaries in cyberspace, growing international tension and the associated stockpiling of cyberweapons. Given this incendiary mix, maintaining the principle of civilian oversight in cyber operations cannot be overstressed. Yet, policymakers often lack ‘the necessary understanding to be able to make effective decisions to guide, supervise or approve military cyber operations’ (ICRC report, p. 14).
The challenge experienced by policymakers in lower income and lower middle-income countries is probably even greater. Arguably, in under-resourced States, militaries may be expected to play a pivotal role in defending national critical infrastructure (NCI) against cyber-attacks. All too often NCI in many such countries also constitute massive single points of failure due to a lack of industrial and infrastructure diversification. Critically, in locations where there is both a shortage of cyber skills as well as fiscal constraints, the logical solution would be to utilize the military cyber capacity in conjunction with other State cyber capabilities to defend all strategic targets. Indeed, such thinking is contained in a number of national cyber strategies in Global South nations. This opens the possibility of national computer emergency response teams (CERTs) doubling as military CERTs and – under such circumstances – potentially becoming legitimate targets for State-sponsored cyber-attacks during armed conflicts. Such obstacles are sometimes not readily conceptualized or understood by the wealthier States, who tend to have an amplified presence at the multi-lateral forums that debate cyber norms and related matters.
Amidst this disequilibrium and the multitude of challenges which cyber conflict poses to all States – albeit at varying levels – there, somewhat dauntingly, also remains the additional consideration of preparing for future cyber conflict and considering what that may look like.
Cyberspace and future conflict
Cyber activity over the past 20 years indicates an exponential increase in the build-up of cyber forces and adversarial cyber contestation, with parties taking progressively greater risks and testing the boundaries. Somewhat counterintuitively, one of cyberwarfare’s most dominant utilities has been as an ‘offramp to war’ through its value both as a de-escalatory tool and a means of neutralizing adversary capabilities without having to deploy conventional forces.
For some, this appears to have assuaged early fears of an intense cyber war, best encapsulated in the concept of a ‘Digital Pearl Harbour’. However, the absence of a hot war between great powers during this period creates the risk of discounting the future use of its full destructive capability in an age of accumulating geopolitical risk. To quote Gady, ‘we really do operate in a fog of peace when it comes to deliberations about future warfighting’.
Uncertainty prevails regarding the future force design and application of cyber capabilities. The only certainty is that the use of cyber means in conflict is on an upward trajectory and that this will become more sophisticated and exponentially integrated with additional revolutionary technologies – primarily artificial intelligence, quantum computing and autonomous weapons systems (ICRC report, p. 32-24). Gady foresees a frictionless integration into combined operations as a means to achieve a decisive effect in the battlespace. A transition from a platform-centric (weapon-systems) approach to an increasingly network-centric approach in warfighting will see the expanded utilization of outer space and cyberspace resources in future warfare. The continued evolution of a Military Internet of Things will create a virtual and kinetic kill chain, which may take cyber conflict closer to our original imaginings of cyber warfare and its kinetic effects. Key considerations here would include increased, significant digital and physical destruction; and the possibility that, during an armed conflict, ‘the military use of civilian cyberspace infrastructure can turn that infrastructure into a military objective’ – with the pursuant ramifications for human security. This prompts urgent questions regarding how States might reach consensus on the normative and legal responses required to limit civilian harm from cyber activities and other technology threats.
* * * * *
Attackers in cyberspace have become adept at exploiting the attribution dilemma and conducting their activities on a level that falls narrowly below the threshold of armed conflict. While most States agree that IHL applies in cyberspace, debates exist as to how and when it applies and whether it requires adaptation in an age of rapid technological advances. Healey and Jervis sound a cautionary note on the ‘incredibly destabilizing’ potential of cyberwar and threshold brinkmanship; they warn that ‘the “grey zone” – below the level of armed conflict – may be narrower than policymakers, practitioners, and academics expect’. As cyberspace ‘becomes increasingly existential for economies and societies’, cyber conflict’s causative capacity for significant damage requires a renewed commitment to multilateralism and a global compact to build stability in cyberspace.
For armed forces, clear and applicable doctrines (ICRC report, p. 12) for cyber operations – that align with IHL – need to govern activities in cyberspace. For all States, now more than ever, a genuine commitment to consensus building around the international norms for responsible State behaviour in cyberspace is a pressing necessity. Lawson reminds us that ‘[t]here is a need to recognize that the operational theatre and the home are now indivisible.’ Within this reality, civil-military cooperation is vital in this endeavour. ‘New, more complex and more sophisticated threats require imaginative and bold responses, and strengthened collaboration between States, as well as the private sector and civil society.’
- Kubo Mačák & Ewan Lawson, Avoiding civilian harm during military cyber operations: six key takeaways, June 15, 2021
- Tilman Rodenhäuser, Kubo Mačák, Even ‘cyber wars’ have limits. But what if they didn’t?, March 9, 2021
- Kubo Mačák, Tatiana Jančárková and Tomáš Minárik, The right tool for the job: how does international law apply to cyber operations?, October 6, 2020
- Kubo Mačák, Tilman Rodenhäuser & Laurent Gisel, Cyber attacks against hospitals and the COVID-19 pandemic: How strong are international law protections? April 2, 2020