While there has been a substantial debate over what constitutes cyber war or conflict in cyberspace, few experts would deny the central role that cyber operations will play in future warfare. Indeed, given the reliance of most armed forces on computer networks for any aspect of war making, including coordinating attacks, operating weapon systems and communication, cyberspace has already permeated all domains of warfare today.
Countries such as China, Iran, Russia, and the United States are heavily investing in their cyberwar capabilities and are accumulating not just single cyber weapons but entire cyber weapon arsenals for use in wartime. Other countries are following suit, and it is fair to say that we are in the midst of a cyber arms race. Given that operations in cyberspace generally favor the attacker, the spread of cyber weapons helps fuel a presumable security dilemma, forcing countries to increase both their offensive and defensive cyber capabilities.
Considering the lack of interest among the major cyber powers—China, Russia, and the United States—in strategic stability in cyberspace, i.e., limiting the development of their cyber war capabilities and allotting increasing portions of military budgets to attacking and defending cyberspace, smaller powers will not have adequate financial and manpower resources to keep up with the leading states in that sphere.
This asymmetry in cyber power is one of the principal reasons why discussions about codes of conduct, norms, and confidence building measures in cyberspace have made little progress over the last few years.
There are very few signs that this will change in the years ahead. It took NATO and the Warsaw Pact three decades after the first deployment of nuclear weapons to agree to a set of confidence building measures (CBM) to help avert nuclear war. The Helsinki Final Act, not coincidentally, occurred when the Soviet Union and the United States reached roughly nuclear parity in the middle of the 1970s. It was, however, only in the 1980s that both sides agreed to a more comprehensive set of CBMs aimed to prevent a potential outbreak of military conflict.
This should not discourage current efforts by governments and private institutions to establish norms for how states and non-state actors should behave in cyberspace. For example, the U.S.-based think tank, EastWest Institute, is working on a new advocacy forum promoting international cyber norms along with the Dutch government. (Full disclosure: I am a senior fellow with the EastWest Institute.) The UN Group of Government Experts has also done important work on the subject over the last few years.
Nevertheless, the above example illustrates that a diplomatic strategy of war avoidance and establishing norms for conducting cyber operations alone will not suffice in the near term. Neither will traditional alliance diplomacy work, since it is still unclear what constitutes an attack in cyberspace (for example to invoke mutual response under Article 5 of the NATO treaty); there is also the well-known difficulty of attribution in peacetime. (Although the U.S. government believes they have largely solved the attribution problem for action by states on which they have a detailed intelligence log for malicious cyber space activities.) This creates uncertainty whether a state under attack can rely on the support of an ally. As a result, small and medium-sized powers, despite part of an alliance bloc, will have to rely more on their capabilities to handle emergencies than in other traditional threat scenarios.
Cyber space clearly offers opportunity to small and middle powers to eliminate a slice of the superiority that a major power can wield in military terms, but it does not "equalize" their power in cyber space. At least two major powers are developing the capability to disable key strike components of the armed forces of adversary states. This would mean that naval ships and submarines might be disabled as the centrifuges in Natanz, Iran were disabled, or GPS feeds to weapons systems and navigation systems might be manipulated or interrupted.
Consequently, it is in the interest of small and medium powers in particular to strengthen the resilience of their national critical information infrastructure, while simultaneously deterring attacks from both state-sponsored non-state actors as well as nation states. Of course, this is easier said than done. “The dynamic threat is evolving faster than the cycle of measure and countermeasure, and faster than the evolution of policy,” an expert of the Idaho National Laboratory—arguably the world leader in civilian cyber defense—said in a 2015 testimony. Next to evolving threats and bureaucratic red tape, there is also a question of resources and how much many can be allocated towards cyber defense without neglecting other assets needed to guarantee the security of a country.
While militaries can field well-trained cyber warriors for offensive operations in cyberspace in times of war, they are--depending on the country--either legally prohibited or resource-wise incapable of conducting man-intensive defense operations to protect a country’s civilian critical information infrastructure in peacetime. Private sector chief information officers, responsible for protecting the networks of their respective companies, also do not have the means or the mandate to assume a wider responsibility for critical information infrastructure protection. Furthermore, Computer Emergency Response Teams (CERTs) and civilian intelligence agencies simply cannot cope with the sheer volume of attacks—2/3 of which are relatively unsophisticated attacks by cyber criminals, according to some statistics.
Cyberattacks lay bare the immense resource and coordination challenges that governments confronted with polymorphous cyber threats are confronted with. Taking all of this into account, what would then be an economic and structural solution that also takes into account the shifting nature of threats coming from cyberspace?
One possible solution may be that states follow the example of countries that have been subject to large-scale cyberattacks, such as Estonia in 2007, and support/prop-up so-called cyber militias ready to defend their country’s critical information infrastructure against both non-state actors (e.g., cyber criminals) and nation states. Members of the cyber militia, recruited among a pool of civilians with the requisite forensic and IT skills, would be deployed in both peace and wartime in protecting a country’s critical information infrastructure. However, only the militia’s leadership and a small cadre would be full-time stuff, the rest, after completion of a cyber boot camp, would serve a predetermined number of days per year akin to regular militias or national guards in some countries.
By rotating a large number of men and women through advanced cyber defense training, a state would not only create a large pool of experienced specialists for protecting critical information infrastructure, but it would also have significant spillover effects for the national economy by boosting innovation and entrepreneurship in the IT sector, as the example of Unit 8200 in Israel has shown.
Such a force would serve as both a best practice hub for cyber defense and a coordinating body for a(?) whole-of-nation approach to massive cyberattacks. A cyber militia can also help deter non-state actors and nation states from engaging in attacks. By employing a non-military "resistance" force, a country can suffer a decisive blow to its government and military systems but still wreak havoc on an adversary’s economy and military logistics and personnel.
In a draft paper obtained by The Diplomat and prepared by Greg Austin of the University-based Australian Center for Cyber Security, the author lists a number of capabilities of such a new force:
· Effective monitoring of business and economic threats and rapid response capabilities beyond the enterprise level
· Nation-wide preparedness for the unlikely but credible threat of a cyber emergency affecting the civil economy or national security interests (including international aspects)
· Capacity to articulate in a consistent, coherent and authoritative manner the different domains of cyber security (crime, harassment and bullying, espionage, warfare) of the many dimensions of cyber security (technical, human, social and legal) and how different sections of the society must bear differentiated responsibilities
· Capacity to articulate in a consistent, coherent and authoritative manner the emerging and future threat environment in each of those domains and variegated response options
· Capacity to develop a comprehensive suite of governmental, cross-sector, private-public, professional and civil society networks active in cyber security
· Capacity to consistently promote a national consensus on where to draw the line between sovereign capabilities and the global communities of practice (including R&D).
Austin also advocates for a secure and globally networked command, monitoring and operations center linked to relevant intelligence agencies and computer-emergency response teams. He is adamant that a large permanent cyber militia is not advisable. Indeed, he argues that threats from cyberspace are so unpredictable that the development of “overly rigid standing structures supported by full-time staff with pre-determined skill sets (…) would be the equivalent of building modern versions of the Maginot line.” Consequently, to create a large-scale permanent cyber force hierarchically structured like a military would be thus economically imprudent. Small and medium powers will need to start a public debate about how to tackle the growing threats from cyberspace sooner rather than later.