By Andreas Haggman
In recent years, traditional military capabilities have been supplemented by the development of offensive cyber capabilities. Examples of cyber capabilities have proved that effects can be achieved in both the kinetic (e.g. Stuxnet, Black Energy) and information spheres (e.g. Crimea, TV5 Monde). However, discussions in this area are often predictable in the actors that are considered. When commentators, both in the media and academia, talk about offensive cyber capabilities it is usually in reference to a list of usual suspects: the US, Russia, China, North Korea, and Iran are the primary state antagonists, with the UK, Israel, and sometimes France being cast in supporting roles. Anonymous and amorphous organised crime groups are often referenced as non-state actors, though the role of Anonymous seems to have subsided in the past couple of years.
This article seeks to highlight how offensive cyber capabilities augment the traditional capabilities of two lesser-mentioned state actors: Australia and Sweden. Although geographically distinct, both these countries can be classified as ‘medium powers’ who, in the words of Richard Hill, are ‘likely to have few resources to spare for the exercise of power beyond what is necessary to safeguard and, where possible, further its vital interest of territorial integrity, political independence and betterment.’ Importantly, in the context of cyber capabilities, both countries have declared either operational deployment of such capabilities or intent to develop them. This article discusses how cyber capabilities form part of both countries’ official policies and how these might be deployed for operational effect in their geopolitical contexts.
Australia published its first Cyber Security Strategy in 2016, which formally acknowledged the existence of Australian offensive cyber capabilities. In November 2016, Australian Prime Minister Malcolm Turnbull announced that the country had been conducting offensive cyber operations against ISIS targets. Australia therefore has a pedigree in the offensive cyber capability space and it also has a formulated policy on how these capabilities should be used: despite misplaced notions of deterrence expressed in the Cyber Security Strategy, later policy documents have stated that offensive cyber capabilities would be used to target cyber criminals.
Australia’s geopolitical situation means this approach of deprioritising state-based threats to instead focus on non-state actors (even if some these may have state-backing) is likely the best use of its offensive cyber capabilities. Geographically, politically, and economically, Australia’s most pressing concern is China: it’s attempted dominance of south east Asian sea routes, it’s influence in Australian politics, and its large investments in Australian industry, particularly the mining sector. However, deployment of offensive cyber capabilities against Chinese targets would not address any of these issues and they must instead be tackled with diplomatic, legal, and economic means.
A better use of offensive cyber capabilities is therefore to target non-state actors and criminal groups. For these targets, capabilities which cause disruption or enable better information gathering by law enforcement are more appropriate than capabilities which cause physical destruction. As an example, an extension of the Australian patrol boat scheme can be envisaged where Australia provides support to anti-piracy and anti-people smuggling operations in the south Pacific and Indian oceans. Capabilities that stain dark web traffic, allowing it to be tracked, can help identify the criminal actors which perpetrate these activities. Such capabilities may not be at the behest of the island nations which inhabit the south Pacific and Australia is well-placed to meaningfully contribute with its own capabilities.
Sweden published a national cyber security strategy in 2016 which contains provisions for ‘a robust capability to conduct active operations in the cyber environment.’ However, as early as 2013 a report on long-term strategic planning had advocated for Sweden to develop offensive cyber capabilities. This view was backed by several people in the Government, who assessed that Sweden had to keep pace with technological developments – if everyone else were acquiring offensive cyber capabilities, so should Sweden.
Similar to Australia, Sweden has an obvious adversary in its immediate geographical locale: Russia. In this case, contemporary concerns about Russian behaviour (military manoeuvres, disinformation campaigns) are backed by a history of conflict between the countries – Russia is very much the old enemy. But since the 20th century Sweden has also positioned itself as a paragon of neutrality and all operational military activity has been strictly limited to UN peacekeeping missions. The utility of offensive cyber capabilities is less obvious in these missions because the critical component is a physical presence on the ground which serves a securing and deterring effect. This presence cannot be achieved with cyber capabilities.
Instead, Sweden may find a peacetime outlet for its offensive cyber capabilities if used as signalling devices. Russia regularly runs military flights provocatively close to, sometimes within, Swedish airspace. It could be envisaged that targeting one of these flights in a non-lethal capacity (for example by displaying a message on the pilot’s heads-up display) would send a message about the maturity of Swedish offensive cyber capabilities and their intent to use them. A key caveat here, however, is that the benefits of the operation must be carefully weighed against the cost, particularly if zero-day vulnerabilities need to be burned to achieve the desired effect.
Offensive cyber capabilities are not just the remit of great powers and rogue actors. Some states, such as Australia and Sweden discussed above, are technologically sophisticated yet perhaps do not have the remit to deploy cyber capabilities in the sort of arenas that make headlines. However, as suggested in the postulated deployment scenarios, these capabilities should not be discounted as means for achieving tactical and strategic effects in a limited context. The geopolitical situation of each country shapes these deployments and it is important to establish the desired effects before cyber capabilities are considered – they are not necessarily the most appropriate solution for every problem. Therefore, with careful deliberation, offensive cyber capabilities can be made to fit the imperatives of medium powers.
Andreas Haggman is a PhD researcher in the Centre for Doctoral Training in Cyber Security at Royal Holloway University of London. His thesis is a practical exploration of wargaming for cyber security education and awareness training. Andreas’ additional research interests span a wide spectrum of non-technical cyber security topics. He can be followed on Twitter @Andreas_Haggman.