by Ed Stacey
On 29 January 2020, the International Institute for Strategic Studies (IISS) hosted an event on its upcoming Measuring Coercive Cyber Power Project (available to watch here). Ed Stacey sat down with Greg Austin, Senior Fellow for the Cyber, Space, and Future Conflict Programme at the IISS, the day after the event, for a discussion on this new project, cyber power and offensive cyber operations.
For more information on the IISS and the latest analysis of international security, strategy and defence issues, visit them here or follow them on Facebook, Twitter (@IISS_org) and Instagram (@iissorg).
ES: What is the Measuring Coercive Cyber Power project?
GA: This is a project that began at the IISS before I joined and has been run by a couple of very experienced professionals. Its purpose is to understand the basic fundamentals of cyber power. In other words: what are its economic, scientific, technological, and organisational underpinnings?
ES: What are your main findings?
GA: The main findings are a little obvious in one sense, but also a bit surprising. We have done thirteen country studies which include a review of the United States (US), China, Russia, Iran and North Korea – fairly obvious countries, perhaps – and then other states like Indonesia, India, Malaysia, Japan, and Canada. What we have found is that the US’ cyber power is miles ahead of any other country in the world; that the economic, scientific, and indeed, social underpinnings of cyber power are more powerful in the case of the US than any other country. That lead really revolves around the Information Communications Technology (ICT) industry – the fact that technologies like the Internet were devised in the US and that a very unusual relationship exists between its defence sector, industry, and universities. This relationship really does not exist anywhere else in the world. And the US has also been in the ICT industry longer than any other country – at the higher levels at least.
Whilst China is often regarded as a peer competitor of the US, it was in a political mess between 1966-76 (the Cultural Revolution), which has hindered its development of cyber power. During this period, they closed down their universities and persecuted scientists and researchers, calling them ‘stinking weeds’ – and that was only about 45 years ago. It is very hard for China, which was already a poor and developing country back in 1966, to overcome this negative legacy – one of ten years of persecution of its scientists and researchers, and ten years of closed universities.
ES: Were there any results which you found surprising?
GA: What I did not fully appreciate, because there is so much public media coverage of countries like Iran and North Korea, is that these countries really are bit-players. By this I mean that, whilst they can certainly cause a lot of damage in cyberspace, they only do so every couple of years. And so, what we have seen over about the last ten years is that whilst countries like Iran and North Korea get a lot of headlines with their cyber attacks, they carry out these attacks very infrequently. Yes, they cause great damage and great disruption, but they do not seem to have a strong pattern to their non-espionage cyber activity.
ES: If you completed this study in another ten or twenty years’ time, what changes would you expect to see in your results?
GA: I think the most likely change is for the US and its allies to increase their lead over these disrupter countries, like North Korea, Iran and Russia; and for China to still be sort of struggling somewhere in-between. I think there will be political reversals in China which will undermine the strong push that we are currently seeing towards ICT improvements and the thrust towards China’s ambition to become a dominant player in cyberspace.
ES: What do you mean by cyber attacks or offensive cyber capabilities? Does this include, for example, information warfare?
GA: It certainly includes information warfare. Offensive cyber capabilities have a dualistic character. On the one hand, we can think of them as cyber attacks on cyber systems. On the other, certainly in American, Russian, and Chinese military thinking, information warfare effects (psychological effects as commonly understood) can also be delivered through cyberspace, in ways that we could not imagine thirty to forty years ago. And so, we are in a situation today where, as we struggle with the security of Information Technology (IT) systems, and ways of attacking and defending these systems, it is now also the case that politics is being played out in cyberspace.
ES: Is it problematic to call these capabilities weapons – to attach that label to them and the connotations that come with it?
GA: In an academic sense, it probably is. But I think the common person would understand a weapon as something that you can use to damage other people or things with. A hammer is a tool – it can be used for making things. But a hammer can also kill people. And code is the same: it can be a tool for making things and it can be a weapon that kills people. You can use code to turn off electric power stations and create negative health outcomes in hospitals. You can create negative health outcomes in hospitals by interfering with their basic computerised information. So, we are in an environment where IT, software and all the things around them can be seen as both tools for good and weapons for bad. I appreciate fully that arguments exist about the nature of violence and war; but I think, at the end of the day, the average person in the street – and certainly the average politician – would understand that the malicious things that are happening in cyberspace are weapons.
ES: Taking forward your example of a hammer: if I took a hammer and threatened you with it – that would deter you. Would this be the same in cyberspace, i.e. if a state has a ‘cyber-hammer’, does that deter other states?
GA: The interesting thing about the hammer example is that you could hold up the hammer and appear to be threatening me, but there would have to be a lot of circumstances in place before I would see that as any sort of threat and actually take it seriously. For instance, I would have to understand what your record is of actually carrying out those sorts of threats, and I would have to make a calculation about how afraid you would be of my retaliation. What we are seeing in cyberspace – for example, with the Americans’ ‘Cyber Deterrence Initiative’ (which is, in a sense, not only raising the hammer but actually attacking countries like Russia and China to try and undermine their offensive malicious cyber activity) – is that it is difficult to tell whether they are actually working as deterrence policies.
That initiative involves what the Americans call ‘defending forward’ – attacking into the Russian and Chinese systems. It has been going on for over a year (around eighteen months) but we do not have enough information in the public domain – we do not have enough evidence – to determine whether the Russians or the Chinese are actually being deterred. So, it is a good place to start the argument: ‘If I raise a hammer, do I deter you?’. But we have to study what happens next.
ES: What potential is there for cyber to disrupt established practices of deterrence? I have in mind, particularly, nuclear deterrence, which was discussed during the event – the idea of a nuclear missile being in flight and then hacked and potentially redirected.
GA: I have actually written an article on this subject with a Russian scholar where we tried to understand how Russian military leaders actually think about this. There is very little evidence in the public domain, but we found enough to believe that some Russian military leaders think that cyber capability shifts the balance between offence and defence, and encourages states with nuclear weapons to strike pre-emptively before losing their command and control, or guidance systems. Now, the evidence is far from comprehensive – these are, in a sense, fragmentary thoughts. But from the US government’s point of view, we have to believe that they are using every technological lever they have to devise attack packages that could cripple the Russian government’s command and control of their nuclear weapons.
ES: Given the uncertain nature of cyberspace – as a highly complex, interconnected and evolving domain – is it possible to wield offensive cyber capabilities strategically?
GA: I certainly believe that it is possible to do that – but that is one of the big debates in the academic community. After last night’s seminar, for example, we received an email from a retired senior military officer in the UK who made the proposition that it is not possible to use cyberweapons strategically – that they are really just some sort of tactical, disruptive asset. But, in fact, the US government and the Chinese government are on the record as saying, planning and doing things which demonstrate their belief that cyber military capability is a game-changer. And that is very well captured in the Chinese statement in 2015 that outer space and cyberspace are the commanding heights of all international security competition. That was a statement in their official 2015 military strategy, and it was not on page 33 in a footnote – it was right at the beginning.
ES: How likely, if at all, is cyber war?
GA: According to the US government, cyber war is already happening. They believe that Russia and China have already launched open conflict with the US in cyberspace. Mind you, China and Russia believe exactly the same thing about the US. Whether or not we call that war, or some other form of conflict, is a point of debate. To go back to Thomas Rid’s book: even though Thomas’ arguments were valid as he constructed them, there is a whole realm of strategic thought and activity which he did not fully take account of, and that we are now seeing much more in the open. States believe that they can use these tools, as weapons, in a way that does not provoke an armed response. But, as we see in the American case, this is provoking some sort of retaliation in cyberspace through cyber attacks. As we experience year after year of this sort of interaction – of heightening tension and conflict in cyberspace – I think we are going to reach the point where one or other of these great powers decides that enough is enough in cyberspace and starts to take some non-cyber retaliatory measures. And you could argue that we are already seeing that in the case of the US’ policy on the ‘tech war’ with China.
ES: You spoke yesterday about cyber operations in the 1998-99 Kosovo conflict as being the first act of cyber war, which is interesting because Stuxnet is frequently cited as the first. Is there a certain threshold in cyberspace that you could identify, perhaps in terms of effect, where a cyber operation becomes an act of cyberwar?
GA: There are a number of international lawyers, more than a handful, who believe that the US’ use of Stuxnet against Iran was a breach of International Law. It was an act by one state against another causing damage in the second state. If you are not causing physical damage, then most states do not appear to regard that as aggression – it is something else. But where the US actually causes physical damage – sabotage of what was ostensibly a civil undertaking: the enrichment of nuclear fuel – that in International Law is plainly and simply a breach. Yet to find a level of escalation above that which would provoke an armed response is another question.
When security agents of the French government sank Greenpeace’s ship, Rainbow Warrior, in a New Zealand harbour in the 1980s, the French were held responsible for that in an international arbitration and paid damages – it was a breach of international law. That is really the same sort of act that the US perpetrated against Iran – creating physical damage, sabotage, and in the New Zealand case, they killed a couple of people – a similar sort of international tort. But we have not got to the point where any state has committed a cyber attack on the level that the receiving state has judged it to be a justification for an armed military response.
ES: Do you think that current international law is fit for purpose with regards to cyber conflict?
GA: Yes, I think it is – and I think the Tallinn Manual 1.0 proved that fairly conclusively. A whole range of international discussions suggest it is fit for purpose. But international law is not a perfect institution. And as in the Law of the Sea where there is lots of room for interpretation, and as in International Humanitarian Law where there is lots of room for interpretation, there is equally lots of room for interpretation in law applicable to hostile activities in cyberspace.
ES: Is there room to develop norms or specific agreements on activities in cyberspace?
GA: I think the conversation about norms has been productive and useful; but states signing up to new black letter international legal norms seems highly unlikely. There are several meanings of the word norm. One is that a norm, in a sense, sets a moral tenor for conduct. Another meaning of the word, of course, is a norm as enshrined in black letter law. I think that the future of the normative conversation in cyberspace will be about setting the moral tenor of action, rather than coming up with new black letter law.
ES: Marcus [Willett] spoke yesterday about the potential for distinguishing between discriminate [e.g. Stuxnet] and indiscriminate capabilities [e.g. WannaCry], which I think would be a good place to start.
GA: Yes, I think that is an excellent point.
ES: Are the US pre-eminent in cyberspace and, if so, do you think this will last?
GA: One of the reasons why it should last is that the US currently sits at the top of the most powerful intelligence alliance human history has ever seen – and that does not look like weakening anytime soon. Moreover, major adversaries, Russia and China, do not appear to be interested in crafting an intelligence alliance – in fact, the Russian government is very explicit that it does not see its military relations with China as an alliance. So, I think that as long as the US can maintain that very powerful intelligence alliance – and all of the signs are that it will – then Russia and China do not have a hope.
Just to clarify why that is important: the foundation of all effective operations in cyberspace is high-quality intelligence about the enemy’s information systems, their vulnerabilities, and how those vulnerabilities exist at any specific point in time. It is no good collecting intelligence about, say, the Iranian nuclear centrifuges on one day in 2006 and then arriving back in 2009 with the attack package because they might have changed the software configurations. You have got to keep assessing and reassessing, almost on a daily basis: ‘How is the offensive environment looking?’, so that any attack package that you do develop can be used at a later date. That requires a huge intelligence effort, and it is that intelligence effort that the US and its allies can deliver far better than any single country in the world – even one that looks as powerful as China.
ES: Is it the case at the moment, particularly in the context of the tech war, that cyberspace is just a two-horse race between the US and China?
GA: I think that China sees it as a two-horse race and many people in the US see it as a two-horse race – but it is really not. Modern technology and ICT represent globalised knowledge. And what we see with the US and its allies is that they are far better at exploiting that globally available knowledge. Almost everything around modern ICT science is equally available to China, Russia, Iran, North Korea, and the US. The difference is that the US has sixty to seventy years of excellent performance in exploiting that knowledge and putting it into practice. What we have seen is that countries like South Korea, Malaysia, and Taiwan can come along and pick off pieces of that ICT pie and become world-class in that space. So, that is the phenomenon we are seeing: this sort of multi-horse race; or many horses in the race, all excelling in different parts of it.
We put together some information based on the 2019 Fortune Global 500 companies which shows that, out of the Fortune Global 500, the US has fourteen companies in the tech and telecoms sectors whereas China only has eight. And what is interesting about the other 28 companies in those sectors is that all but two of them belong to very close US allies – so, European, Japanese, South Korean or Taiwanese. Also really interesting about that data is that while mainland China has eight companies in the tech or telecoms sectors, Taiwan has seven… little Taiwan has seven! How many millions of people are there in little Taiwan versus big China with its massive financial resources? And it has only got eight. So, if it is a two-horse race then Taiwan could be considered to be in the race as well.
ES: How does the UK compare to other states at the top of the table?
GA: The UK is one of the top-ten countries in the world in, what you might call, the national security aspects of cyberspace. And it may well be in the top-ten countries in the world in other aspects of ICT development. But, rather interestingly, there are only two tech and telecoms companies in the Fortune Global 500 which are UK companies – I think one was BT and the other Vodafone – when, as I mentioned, you have got little Taiwan with seven. So, the UK is not that well positioned in some of the commercial aspects. That being said, we have got to be careful because the Fortune Global 500 reflects revenue from selling things and services. And, really, what is happening with companies in Taiwan is that they are selling many more expensive things than Britain.
While Britain sells a lot of good ICT services, they are just not sold on the scale that countries like South Korea and entities like Taiwan are. And then there is the question of, well, even if the UK’s not earning as much money from what it is doing in cyberspace, maybe what the UK’s doing is of much higher value. UK interventions are happening at a strategic level and it is no coincidence that companies like BAE Systems, BT and Vodafone are global brands that have a role in the economic, strategic, and scientific development of a very large number of countries around the world. So, Britain is a presence that cannot easily be summed up in gross statistics such as the Fortune Global 500.
ES: And finally, what role do you expect cyber to play in the UK’s upcoming Strategic Defence and Security Review?
GA: As I suggested last night, a lot really depends on leadership choices. You can have the objective reality of the technology but there is no revolution in military affairs unless you have got a military leader who recognises the military potential and exploits it. And it is a bit the same with economic policy. Australia provides an interesting case in point. Malcolm Turnbull, who was very briefly the Prime Minister of Australia, represented a level of technological awareness that no preceding prime minister or his successor have in any way, shape, or form. Malcolm Turnbull was probably the only member of his government, at cabinet level, who had any appreciation of technology. So, unless you have got that sort of leadership then it is going to be very tough.
Additionally, I am afraid to say that the Brexit decision was a repudiation not only of the concept of the EU but of the value of globally integrated science and technology. Just ask the people in the universities what they think of it, and the research community. People who backed the Brexit decision really represent the same sort of mentality as ministers in the Australian government who do not have a full appreciation of what is involved in modern science and technology – how it is an integrated, globalised activity. When you put up your national boundaries, you are really not equipping yourself or positioning yourself well for the future. Now, that does not mean that the British defence establishment cannot do that because the British defence establishment has a very different position as a part of the Five Eyes community. And that scientific and technical community – represented by the close military alliance – may deliver outcomes for Britain, and imperatives in a strategic and defence review, that go counter to the Brexit mentality. But I really think that the people who currently dominate the UK government are not the right people to lead Britain into a brighter technological future and are not the people to lead the British national security establishment to a brighter technological future – I am afraid to say.
Ed Stacey is a BA International Relations student at King’s College London and a Student Ambassador for the International Institute for Strategic Studies (IISS). The #IISStudent Ambassador programme connects students interested in global security, political risk and military conflict with the Institute’s work and researchers.
Greg Austin is a Senior Fellow for the Cyber, Space and Future Conflict Programme at the IISS. Prior to joining the IISS, Greg worked at the University of New South Wales Canberra, as Professor and Deputy Director of its multi-disciplinary centre for cyber security research. He was a Senior Visiting Fellow in the Department of War Studies at King’s College London from 2012 to 2014.