Since times immemorial, the principal domains of warfare were land and sea. Kings and rulers built armies and navies, fortresses and castles, and sent scouts and spies to find out what their potential adversaries were up to. If properly organized, one would normally have some kind of early warning that an attack was in the making before it actually took place, so that countermeasures could be taken. The fortress gave a sense of security, at least until the advent of modern artillery.
As the technology of flight developed, air evolved as a new domain. There was simply no opting out; if your adversary developed an air force, you needed air defences, or your armies and navies would prove of little avail. Military strategy evolved: why spend resources on attacking a well-protected border when you could strike deep behind enemy lines, at population centres or even at the very centre of decision-making. The combination of technology and military strategy led to the shift from World War I trench warfare to World War II blitzkrieg.
Today, cyberspace has emerged as a domain of its own, in many ways like land, sea and air. Indeed, it might be the domain of choice: We can safely postulate that any future conflict between reasonably advanced actors will be a cyber-conflict. No modern attacker would resist the temptation to destroy, disrupt or confuse enemy sensors, communications and decision-making loops. What will vary is whether the conflict will take place in the physical domains as well. This insight will change the nature of conflict in fundamental ways, and possibly, lower the threshold of war and confuse the very distinction between war and peace.
And just as with the advent of human flight, opting out is not an option. Modern societies have become existentially dependent on cyberspace. In the words of Rod Beckstrom, the former head of ICANN: anything networked can be hacked, everything is being networked so everything is vulnerable.
Cyber-conflict shares certain characteristics with conflicts in the physical domains, but differs in many others. To start with, technologies tend to be typically dual-use: if a nation acquires a fighter aircraft, it clearly has a military purpose in mind; the same cannot be deduced if it acquires a new IT system.
Since anything networked can be hacked, that does not solely mean military bases communication systems, but any kind of infrastructural installations, energy sources, electricity grids, health systems, traffic control systems, or water supplies, as well as communications and sensors. The task of securing a country’s strategically important cyberspace is further complicated by the fact that much of it is owned and controlled by the private sector.
A second, major difference lies in the potential universe of “adversaries”. For the medieval king, this would typically be neighboring peers, the number of which he more or less knew. Proximity mattered. Today, the number of entities with the capacity to mount a potentially devastating attack is infinitely greater: not just states, but also hackers, terrorists, businesses, social groups, criminals, and even unsuspecting computer users. Proximity has become totally irrelevant, which takes away a fundamental premise in traditional military theory. Thirdly, the potential for “early warning” is low or non-existent. You need to be protected, here and now. There is no corollary to the call for “mobilizing forces” of old, you need to be resilient, and you need to factor in that attacks might actually happen and probably even will.
In cyber-wars, you no longer necessarily know who may attack you – or even who already has attacked you. Attributing blame for cyber-attacks is difficult, as attackers can use proxies to implicate innocents. Much of the emphasis today is therefore to improve the technology of attribution. Without attribution, no retaliation, and no deterrence. Even with the right technology in place, the issue of attribution is tricky: stating all that you know might be politically sensitive and it could risk revealing critical intelligence capacities, which in turn could compromise the ability to attribute sources in the future.
Thirdly, in cyberspace, early warning is rendered largely irrelevant. Traditional defence logic assumes that there would always be some signs of a coming attack, whether in months or minutes ahead: armies marching to the border, or radar systems detecting incoming missiles. Not so with a cyber-attack. At best, you know that you are under attack as it is happening; more likely, you discover you have been attacked only after the fact. This renders obsolete any concepts of “mobilization”, “regrouping” or point-specific defence measures.
All these factors add up to one conclusion: in cyberspace, offence is significantly easier than defence. In traditional warfare, the defender tended to have the advantage, and the attacker needed a certain supremacy in numbers, technology or strategy to succeed. Indeed, cyber-defence must be omnipresent throughout one’s critical infrastructure, everywhere, all the time, and combined with effective redundancy.
All states, however, are mutually dependent in cyberspace. In this lies some hope: This fact creates for state actors a game-theoretic rationale not to engage in all-out cyber warfare, not unlike the logic that has restricted nuclear warfare in the form of MAD – Mutually Assured Destruction. This may also create an incentive for governments to work together on sharing defensive technologies.
However, a cyberspace “terror balance” could be threatened by governments playing “tit-for-tat” in probing each other’s’ cyber defences. It is well known that advanced states, as well as advanced non-state actors, are placing sleeping “agents” in each other’s information systems. Such malware is frequently found everywhere from defence systems to various critical infrastructure systems. This, in turn, can lead to inadvertent escalation into full-scale conflict.
As pointed out in a previous article, extremist movements are increasingly using cyber tools as a force multiplier including propaganda, scare-tactics, recruitment and fundraising with such ease that policy makers, military leaders and intelligence agencies are struggling to keep pace. Efforts to respond has so far been reactive rather than forward-looking.
Cyber is also critical in state’s military strategies, which are typically supplemented by cyber operations (“cy ops”), often hand-in-hand with psychological operations (“psy ops”). This may, for instance, include disinformation campaigns or data integrity attacks that could set off false alarms, such as sensors at nuclear power plants or air raid warnings.
Thus, as everyday life becomes increasingly dependent on cyberspace, the potential grows for cyber warfare to cause physical, economic, and social havoc and damage. The world needs a policy framework to address issues ranging from pre-emption and deterrence to rules of modern conflict. The Geneva Conventions’ principles of proportionality and distinction seems as relevant as ever, but increasingly difficult to ensure and enforce or even to translate into a new reality.
For example, what constitutes an act of war in cyberspace? If a cyber-attack causes physical destruction, does it justify physical countermeasures? What level of confidence about the origin of a cyber-attack would be needed to justify retaliation? Where should the line be drawn between military and civilian actors and installations in a cyber-conflict?
Existing provisions exist in national and international law, and cyberspace should not be seen as a lawless room. International norms are gradually emerging, but technological change is outpacing progress towards cyber versions of arms treaties. Without stepping up efforts to elaborate a system of global norms and regulations, we are at risk of severe fragmentation of cyber-security policy.
Governments should do a better job of communicating their positions and actions to the public, responding to the deterioration of trust which has resulted from privacy and human rights concerns, but also ensuring that their ability to secure society through appropriate and legitimate measures is in place.
Private sector companies carry a responsibility to put systems and procedures in place to alert governments about, and in some instances help to counter, malevolent cyber activities that risks compromising international security. Unfortunately, this is not always happening, as companies often do not want to lay bare their proven vulnerabilities for public scrutiny and may not want to report a successful attack.
Enhanced and more consistent collaboration is needed between the public and private sector to ensure a common understanding of both where the lines should be drawn between them, but also where collaboration is warranted in order to counter adversaries that will never play be the book. Without such collaboration, threats are outpacing our preparedness.
The current effort by President Barack Obama and President Xi Jinping to explore an agreement on a new set of principles to treat cyber as a military capability is a step in the right direction. Although there are a number of outstanding questions still on how to implement any form of agreement on how regulate the international security threats in the cyber domain and how to deal with the politically sensitive issue of attribution, better cooperative measures are urgently needed.
As the public institution for public-private cooperation, the World Economic Forum provides a platform for a broad, multistakeholder dialogue around these issues. Without sufficient preparedness and greater public awareness, we may be up for a rather bumpy ride as we make ourselves not only more connected, but also more interdependent and vulnerable.
Authors: Espen Barth Eide, Member of the Managing Board, and Anja Kaspersen, Head of International Security and Member of the Executive Board, World Economic Forum
Image: Employees of IT Company CCP work at the company’s head office in Reykjavik February 13, 2013. REUTERS/Stoyan Nenov