Strife

The Academic Blog of the Department of War Studies, King's College London

Ed Stacey

Offensive Cyber Series: Dr Daniel Moore on Cyber Operations, Part I

June 10, 2021 by Ed Stacey

Photo Credit: dustball, licensed with CC BY-NC 2.0

On Wednesday 10th March, Strife Interviewer Ed Stacey sat down with Dr Daniel Moore to discuss the operational side of offensive cyber. For part two of Strife’s Offensive Cyber Series, Dr Moore expands on his thinking about presence-based and event-based offensive cyber operations and discusses related topics such as the emergence of new organisational cyber structures, allied operations on networks and his upcoming book Offensive Cyber Operations: Understanding Intangible Warfare, slated for release in October 2021.

Ed Stacey: Danny, you have written in the past about distinguishing between presence-based and event-based offensive cyber operations. What are the key differences between the two?

Danny Moore: I came up with the distinction between presence-based and event-based operations as a commentary on the lack of distinction in most of the publicly accessible cyber doctrine documentation. Mostly what we see are offensive cyber operations treated as a uniform spectrum of possibilities that have the same considerations, the same set of staff associated with them and the same set of circumstances under which you would want to use them. But that is not the case.

A lot of the literature you see focusses on the technical deployment of offensive cyber operations – the malicious software involved in the process, the intended effect, what it means to pivot within a network – but that really only encompasses a fraction of the activity itself when we are talking about military-scale or even intelligence agency-scale of operations, at least where it counts. So I came up with this distinction to differentiate between what I think are two supercategories of operation that are so different in the circumstance, and so unique in how they would be utilised, that they are worth examining separately because they have distinct sets of advantages and disadvantages.

Presence-based operations are like the classic intelligence operation that has an offensive finisher. So you have everything that you normally would with an intelligence operation, including compromising the adversary’s network, establishing a foothold, pivoting within and gathering relevant information. But then there are additional offensive layers too, such as looking for the appropriate targets within the network that would yield the intended impact and weaponizing your access in a way that would facilitate achieving the objective. For example, would you need dedicated tooling in order to have an effect on the target? Or say you are looking to have a real-world, physical impact or even adversely degrade specific types of software and hardware, which would require significant capabilities. But crucially, the operation is managed over the period of at least many weeks, if not months and sometimes even years. And it can be a strategic set of capabilities that you would use possibly even just once, when needed, because once exposed it is likely to be counteracted, at least in the medium-term.

Event-based operations are completely different in that sense. They are the most robust equivalent that you could have to a proper weapon, in the military sense of the word. It is intended to be something that you can bundle, package up and deploy in multiple circumstances. Imagine – and I think this is the most helpful analogy – it is almost an evolution of electronic warfare, something that you can deploy on a ship or with a squad or even within an existing air defence grid. What it does is, instead of just communicating in electromagnetic signal, it also attempts to facilitate a software attack on the other side. And that sequence involves a completely different set of circumstances. You do not need to have an extended period of intelligence penetration of the network that you are targeting – that contact is likely to be minimal. Instead, what you have is an extensive research and development process where you collect the right technical intelligence in order to understand the target, craft the actual tool and then make it much more robust so that it can be used multiple times against the same or equivalent targets and not be as brittle to detection, so stealth is not really a component.

So that distinction is just a high-level way of saying that the circumstances are different, the types of manpower associated are different, but also that there are unique advantages and disadvantages when using each.

ES: What sort of benefits do states and their militaries and intelligence agencies gain by making this distinction?

DM: If you acknowledge these differences at a strategic and doctrinal level, it facilitates much better planning and integration of cyber capabilities into military operations. As you know, there is a constant tension between intelligence agencies and their equivalents in the conventional military around how offensive cyber capabilities are used. The question here is: how close is the relationship between the intelligence agency – which is the natural owner of offensive cyber capabilities, for historical reasons and usually a strong link to signals intelligence – and the military, which wants to incorporate these capabilities and to have a level of predictability, repeatability and dependability from these activities for planning purposes? That tension is always there and it is not going away entirely, but how this distinction helps is to group capabilities in a way that facilitates better planning.

If you have a supercategory of operation that relies heavily on intelligence-led penetration, pivoting and analysis, for example, that comfortably lives with the extreme assistance of an intelligence agency, if not actual ownership – and that will vary between countries. Whereas the more packageable type of capability is easier to hand-off to a military commander or even specific units operating in the field. It is something that you can sign off and say: this will not compromise my capabilities in a significant way if it is used in the field incorrectly, or even correctly, and gets exposed in some way, shape or form. So it is about different levels of sensitivities, it is about facilitating planning and I think it takes the conversation around what offensive cyber operations actually look like to a more realistic place that supports the conversation, rather than limits it.

ES: Focussing on the organisational tensions that you mentioned, new structures like the UK’s National Cyber Force (NCF) are emerging around the world. What are the operational implications of these efforts?

DM: The short answer is that the NCF is an acknowledgement of a process that has been happening for many years. That is, the acknowledgement that you need to build a bridge between the intelligence agency, which is the natural owner of these capabilities, and the military, that wants to use them in a predictable and effective way. So you are seeing outfits like this come up in multiple countries. It allows for more transparent planning and for better doctrinal literature around how cyber capabilities integrate into military planning. That is not to say it will fix everything, but it decouples the almost symbiotic relationship between intelligence agencies and offensive cyber operations.

Intelligence agencies will always play a significant part because, as I said and have written about as well, they have an important role to play in these types of operations. But we have matured enough in our understanding to be able to have a distinct, separate conversation about them that includes other elements in military planning that do not just draw from intelligence agencies. So the NCF and other equivalent entities are an acknowledgement of the distinctness of the field.

ES: This next question is from Dr Tim Stevens, who I spoke to last week for part one of this series. Will NATO allies follow the US’ lead and adopt a posture of persistent engagement in cyberspace? And just to add to that, if they did, what sort of operational challenges and opportunities would they face in doing so?

DM: The conversation around the US’ persistent engagement and defend forward mentality for cyber operations is one that is ambivalent and a little contentious, even within the US itself – whether or not it is working, whether or not it is the best approach and, even, what it is actually trying to achieve. If you read the literature on this, you will find many different interpretations for what it is actually meant to do. So will NATO or specific member states choose to adopt elements of this? Possibly. But it is unlikely to manifest in the same way.

The perception from the US that they are in constant competition with their adversaries in and against networks is accurate. We have increased friction as a result of how the internet is structured and how sensitive networks are structured. You consistently have to fend off adversaries and seek to engage them, ideally outside your own networks – a good concept to have and a good operational model to keep in mind. And I think it is a great way to educate military leaders and planners around the unique circumstances of operating against networks. That said, I do not know if NATO is going to adopt wholesale persistent engagement and defend forward or rather just incorporate elements of that constant friction into their own models, which I think is a necessary by-product of engaging networks.

Some of the countries within NATO are more prolific than others when it comes to such activities – the UK, for example, or even France. Obviously, countries run offensive cyber operations of their own: they consistently need to fend off adversaries from their critical infrastructure and they prefer not to do this by directly mitigating incidents within their own network. So the step of persistent engagement and defend forward does make sense, but I do not know if that is an adoption of the same doctrine or just some of the principles that it looks to embody.


Part II of this interview will be published tomorrow on Friday 11th June 2021.


Offensive Cyber Series: Dr Tim Stevens on Offensive Cyber in the 2020s, Part II

June 4, 2021 by Ed Stacey

Photo Credit: UK Ministry of Defence, Crown Copyright.

This is part II of Ed Stacey’s interview with Dr Tim Stevens on offensive cyber in the 2020s for Strife’s Offensive Cyber Series. You can find Part I here.


ES: Thinking about the relationship between offensive cyber and international law and ethics, how far have debates gone around when and how it is right to use these capabilities and how confident are we in their conclusions?

TS: Depending on who you ask, this issue is either settled or it is not. Now the point about the discussion around these capabilities is that, actually, when we think about international law and ethics, whether from a liberal democratic standpoint or otherwise, the conversation is not about the capabilities themselves, generally speaking – it is not about cyber weapons as such – but tends to be more about the targets of those capabilities and the effects.

In 2015, the United Nations (UN) Group of Governmental Experts (GGE) on information security, which is led by the permanent five – the UK, Russia, France, China and the US – but also involved twenty or so other countries, agreed that international law applies to this domain in its entirety. That includes the UN Charter, they found a couple of years later. There is also a big NATO process which says that international humanitarian law (IHL), which governs the use of force in war, also applies to this environment. And what comes out of that is an understanding of several things.

Firstly, that the use of any capabilities that you might describe as offensive – or indeed defensive, hypothetically – has to abide by the laws of war. So they have to be necessary, proportionate and they have to have distinction, in the sense that they cannot target civilians under normal circumstances. The 2015 GGE said that you could not target civilian infrastructure through cyber means and so on.

But the problem is that, as we look at the world around us, for all of those international legal constraints and associated ethical arguments about not targeting civilians, for example, what we see is the significant use by states and other actors of exactly these types of capabilities, targeting exactly these types of targets. We have seen civilian infrastructure being targeted by the Russians, for example in Kiev on a couple of occasions in winter, where they have essentially turned the electricity off. That is exactly the opposite of what they signed up to: they signed up to say that that was not legal under international law, yet they do it anyway.

So the question really is not whether international law applies. It is slightly an issue about the details of how it applies and then if someone is in breach of that, what do you then do, which throws you back into diplomacy and geopolitics. So already you have gone beyond the conversation about small bits of malicious software that are being used as offensive cyber capabilities and elevating it to levels of global diplomacy and geopolitics. And essentially, there is a split in the world between liberal democracies, who at least adhere for the most part to international law, and a small set of other countries who very clearly do not.

ES: Given that context, what are the prospects for regulating offensive cyber activity? Is there the potential for formal treaties and agreements or are we talking more about the gradual development of norms of responsible state behaviour?

TS: This is the live question. Although we have an emerging understanding of the potential tools with which we might regulate these capabilities – including IHL and norms of responsible state behaviour – we have not got to the point of saying, for example, that we are going to have a global treaty. But there are multi-stakeholder efforts to do something that look a little like global agreements on, for example, the use of capabilities for targeting civilian infrastructure. There is something called the Cybersecurity Tech Accord, another is the Paris Call for Trust and Security in Cyberspace and there are half a dozen others that even if not explicitly focussed on offensive cyber, it is part of a suite of behaviours that they wish to develop norms around and potentially even regulation.

But it is incredibly difficult. The capabilities themselves are made of code: they are 1s and 0s, they zip around global networks, they are very difficult to interdict, they multiply, they distribute and they can attack a thousand different systems at once if they are done in a very distributed fashion. How do you tell where they come from? They do not come with a return address as the cliché goes. How do you tell who is responsible? Because no-one is going to own up to them. How do you tell if they are being developed? Well you cannot because they are done in secret. You can have a military parade in the streets of Washington DC, Pyongyang or Moscow, but you cannot do the same with cyber capabilities.

So it is very difficult to monitor both their use and their retention and development. And if nobody does own up to them, which is commonly the case, how do you punish anyone for breaching emerging norms or established international law? It is incredibly difficult. So the prospect for formal regulation anytime soon is remote.

ES: So far we have talked about some quite complex issues. Given the risks involved in developing and deploying these types of capabilities, what do you think needs to happen to improve public understanding of offensive cyber to the point that we can have a proper discussion about those risks?

TS: Public understanding of offensive cyber is not good and that is not the fault of the public. There are great journalists out there who take care in communicating these issues, and then there are others who have just been put on a story by their sub-editor and expected to come up to speed in the next half hour to put some copy out. It is really difficult to generate nuanced public understanding of things when the media environment is what it is.

Now I am not blaming the media here; I am just saying that that is one of the factors that plays into it. Because we have a role as academics as well and, ultimately, a lot of this falls to governments to communicate, which has conventionally not been great. Partly this is because a lot of the use and development of these capabilities comes from behind the classification barriers of national security, defence and intelligence. We have heard bits about their use in the battlespace against Islamic State in Iraq and Syria that has leaked out in interviews with senior decision-makers in the US and the UK, but generally not a lot else.

What we tend to get is policy statements saying: we have a sovereign offensive cyber capability and we are going to use it at a time and place of our choosing against this set of adversaries, which are always hostile states, terrorist groups, serious organised criminals and so on. But it does not encourage much public debate if everything that comes out in policy then gets called a cyber war capability because actions to stop child sexual exploitation by serious organised crime groups are not a war-like activity – they fall in a different space and yet they are covered by this cyber war moniker.

Now there is an emerging debate around offensive cyber. Germany has had a conversation about it, constitutionally quite constrained when it comes to offensive capabilities. There is a discussion in the Netherlands, also in the US about their new cyber posture – which is much more forward leaning than previous ones – and we are beginning to have a conversation in the UK as well. But a lot of that has fallen to academics to do and, I guess, I am part of that group who are looking at this issue and trying to generate more of a public conversation.

But it is difficult and the response you will sometimes get from government is: we do not need to have a conversation because we have already declared that everything we do is in accordance with our obligations under international law – we will do this against a set of adversaries that are clearly causing the nation harm and so on. That is fine. We are not doubting that that is their statement; we would just like to know a little bit more about the circumstances in which you would use these capabilities.

What, for example, is the new National Cyber Force going to do? How is it going to be structured? What are the lines of responsibility? Because one of the weird things about joint military-intelligence offensive cyber operations is that, in a country like the UK, you have the defence secretary signing off on one side and the foreign secretary signing off on the other because you are involving both the military and GCHQ, which have different lines of authority. So where does responsibility lie? Accountability? What happens if something goes wrong? What is your exact interpretation of international law? To be fair to the UK, they have set that interpretation out very clearly.

But there is more than just an academic interest here. If this is the future of conflict in some fashion and it has societal effects, then we need to have a conversation about whether these are the capabilities that we want to possess and deploy. Not least if the possession and deployment of those capabilities generates norms of state behaviour that include the use of cyber conflict. Is that something that we want to do in societies of the 21st century that are hugely dependent upon computer networks and deeply interconnected with other countries?

Those are the types of questions that we need to raise and we also need to raise the quality of public understanding. That is partly the job of academia and partly the job of media, but certainly the job of government.


The next interview in Strife’s Offensive Cyber Series is with Dr Daniel Moore on cyber operations. It will be released in two parts on Thursday 10th and Friday 11th June 2021.


Offensive Cyber Series: Dr Tim Stevens on Offensive Cyber in the 2020s, Part I

June 3, 2021 by Ed Stacey

Photo Credit: AirmanMagazine, licensed under CC BY-NC 2.0

On Wednesday 3rd March, Strife Interviewer Ed Stacey sat down with Dr Tim Stevens to discuss the state of play in offensive cyber in the 2020s. As part one of Strife’s Offensive Cyber Series, Dr Stevens introduces the topic and offers his thoughts on a range of topical debates, from the utility of offensive cyber capabilities to questions around international law and ethics and the UK’s recently avowed National Cyber Force.

Ed Stacey: Tim, as you know, this interview series is all about offensive cyber. This is quite a slippery term, so could you perhaps kick us off with a working definition?

Tim Stevens: You will be unsurprised to hear that there is no working definition, or at least no consensus on definition, about what offensive cyber is. Obviously, it is a term that attempts to draw some kind of analogy from other capabilities that can be used for offensive purposes – one of which is obviously weapons, another would be munition. But actually, offensive cyber is a lot more difficult to pin down because it is not kinetic in any conventional sense: it is not something that you can throw, shoot or drop on someone to cause damage.

But what offensive cyber tries to get at is the idea that through computer code, so little packets of software that can be sent through computer networks, you are going to attempt to deny, degrade, disrupt or even destroy something that your enemy holds to be of value. This principally could be data itself or it could be the computer systems and computer networks that data is held on.

Now offensive cyber is also being used not just in a military context but an intelligence context too, so it has some relationships with espionage or at least the covert activities of intelligence agencies. It could conceivably be used not in the kind of military break things sense but in the more inflected activities of intelligence, like subversion or sabotage, that occupy a slightly weird space and do not look like acts of war, for example.

ES: Terms such as cyber war, cyber attack and cyber weapons are used quite loosely in public discourse. Do you think we need to be more precise with our language when we are talking about offensive cyber?

TS: I think it would help if we had in common discourse some understanding that perhaps we are overhyping some of the phenomena that we are describing, and using heavily militarised language like cyber war really does not help. Cyber attacks are usually nothing of the sort and cyber weapons usually cannot be classed as weapons, for example.

To take the cyber war example. When we think about cyber war, these days it usually means some kind of state of hostilities operating between two states, in which they are battering each other with cyber weapons of some description or another. Now apart from the fact that we have not seen this, it is also unlikely that we will see it. I think if two states are to be in a declared or actual state of cyber hostilities, there will be other issues – other types of operations in other domains – that are going to be just as relevant. So this idea of a standalone cyber war is not helpful.

Cyber warfare, on the other hand, is helpful because that is what militaries and intelligence agencies arguably are involved in at present – they are fighting, conflicting and contesting cyberspace as an operational domain. And they are doing that through offensive cyber, in part, but also through other activities that they can bring to bear on that domain. So cyber warfare has some utility; it is a form of warfighting or conflict through cyber means.

Cyber attacks, well that is just used to denote anything that you do not like. Whether it is an attack in any kind of conventional or attenuated sense is really irrelevant. If your adversary – whether they are a criminal, terrorist, state or proxy – has done something to your networks that you do not like, you call it a cyber attack, even though it might be nothing of the sort. It might be one of billions of automated pings or bots that confront your networks everyday as a matter of course. Or it could be a cunning, socially-engineered and sophisticated cyber operation against something that you hold of value. The two are clearly not the same, but they are all being called cyber attacks in popular discourse, and the media are just as guilty of this as politicians and occasionally academics and civil society too. So I do think it is important to make these distinctions.

The issue with cyber weapons is whether these types of capabilities can actually be described as weapons, and again there is no consensus. Conventionally weapons have to have the capacity to hurt by virtue of, say, ballistics. If you think about discussions around chemical and biological weapons, people are sometimes uncomfortable calling them weapons in any conventional sense too. And the thing about cyber weapons is that, as of yet, no direct physical harm has been caused by any of those capabilities. Instead, what happens is that there is attenuated secondary harm that would be caused when, for example, you change the 1s and 0s in an incubator in an intensive care unit and as a result of that someone dies, but it does not directly harm that person. So that is the kind of debate that is being had about whether these capabilities are weapons or not.

ES: Thinking about the utility of offensive cyber, why are states developing these types of capabilities and what do they offer that other capabilities do not?

TS: To think about the broader utility or the framing of these capabilities is, I think, to return to the [revolution in military affairs] of the late 1980s and early 1990s, then going on in subsequent decades in western military affairs. So the suggestion that we are shifting towards informationalised, precision strike, stand-off warfare that prioritises our own force protection and the ability to cause effects hundreds, if not thousands, of miles away.

Clearly, if you are sitting at a computer in one part of the world and you wish to attack another computer on the other side of the world, it is much easier to do that through computer networks than it is through conventional means: the mode of operation, the platform and the technology is much easier to get hold of. And if you can create the same effects remotely than if you were standing a hundred yards or half a mile away, then why would you not? You do not have to put your troops, or indeed your intelligence agents, in harm’s way. If you do not have to put a human asset into a foreign country to achieve an effect, why would you? These are the kind of attractions that states are finding in these sorts of capabilities.

Another one, of course, is that it is relatively cheap. It is much easier to hire people to develop these kinds of capabilities than it is to develop a new weapon system. Essentially, if the weapon system you need is, if not quite an off the shelf computer system but something existing that can be adapted, it is much cheaper than trying to develop a new line of fighter jet, precision guided munition, helicopter or battleship of any description. So that is an attraction there.

Another thing is this idea of effects. As I mentioned previously, if you can create some kind of effect that generates, mainly operational or strategic but also tactical, advantage over your adversary through the use of computer networks, that has to be attractive. If it is cheaper, if it does not put your troops in harm’s way and, importantly, does not immediately escalate to something that looks like a conventional shooting war. Because if people are not being directly harmed, but yet you are causing your adversary to change their mind or behaviour in some fashion, that is incredibly seductive for a commander or state that is looking to improve, enhance or extend their operational and strategic toolbox. So that is the general idea behind why these capabilities are attractive.

ES: Looking at the other side of things, what are the limits of offensive cyber?

TS: That is a good question and an open one too. These kinds of capabilities may be attractive to countries and their militaries and intelligence agencies, but the jury is out on how effective they actually are. Because it turns out, for various reasons, that it is actually quite difficult to get your adversary to do what you want through cyber means. Partly this is because they are not as easy to control as we might think, and partly it is because, as I mentioned earlier, causing kinetic effects to actually change someone’s mind in a visceral sense is very difficult.

It is also difficult because you cannot keep doing it with the same capabilities. Once you have developed an advanced offensive cyber capability, essentially you can only use it once because then your enemy will see the code, understand the vulnerability that has been exploited, patch their systems and then that vulnerability disappears. So you cannot keep holding your enemy’s assets at risk, which means that even if something happens once – and given that no computer system is demonstrably secure, it is going to happen at some point – you know that it is a one-off attack. Because you know, or at least you hope, that your adversary has not got the capability to keep punishing you in that way. So that means that if you can roll with the punches if you get attacked or exploited, you are not expecting a follow-up that is really going to double down and force you to change your mind or your behaviour.

So for all the attraction of these capabilities, there are limits. Now that is not to say that there are limits to the imagination of people who wish to develop and deploy these things, and I am not saying for a second that, with this realisation that there are limits to their utility, states are going to stop developing them, because they are not. In fact, what I think is going to happen is what you are seeing at the moment, which is that states and other actors are going to continue to experiment with them until they find some way of generating the higher-level effects that they wish.

To bring that round to a conclusion: tactically, they can be very useful; operationally, they can generate some really interesting effects; strategically, it looks very difficult to generate the effects that you want.

Part II of this interview will be published tomorrow on Friday 4th June 2021.

Future Warfighting in the 2030s: An Interview with Franz-Stefan Gady

September 9, 2020 by Ed Stacey

British Royal Marines 45 Commando testing the Black Hornet 2 Unmanned Air System at the Army Warfighting Experiment 2017 (Image credit: Crown Copyright)

On 15 July 2020, Ed Stacey sat down with Franz-Stefan Gady to discuss the International Institute for Strategic Studies’ (IISS) upcoming future warfighting project. After introducing this new piece of work, Franz-Stefan offers some thoughts on the changing nature of warfare, the roles that emerging technologies and the nascent domains of space and cyber might play in future conflicts, and the need to move away from purely technological discussions about future warfighting.

For more information on the IISS and the latest analysis of international security, strategy, and defence issues, visit them here or follow them on Facebook, Twitter (@IISS_org), and Instagram (@iissorg).

ES: What is the IISS future warfighting project?

FG: The future warfighting project has just recently kicked off and looks at how great and medium-sized powers would fight high-intensity wars amongst peer and near-peer adversaries in the 2030s. So, what sort of capabilities will militaries need to develop over the next couple of decades in order to deal with specific operational problems in future warfighting scenarios? And how will these powers integrate emerging cyber and space strategies into existing, more classically conceived, options for kinetic and cognitive warfare?

The project explores future warfighting through three dimensions: space and cyber, kinetic and cognitive. Space and cyber refer to the application of primarily offensive cyber capabilities, supported by space assets, in cyberspace (including electronic warfare operations). Kinetic pertains to the use of conventional and nuclear weapons systems and the ‘traditional’ domains of air, land and sea. While the cognitive dimension includes an examination, not only of the use of information warfare but also the integration of artificial intelligence (AI) and machine learning into military hardware to gain information dominance at the strategic level and to influence decision-making at both the civilian and military level.

It is a fairly broad topic, and notably, we take technology as a starting point. By this, I am referring to the fact that a lot of future warfare discussions focus mostly on technological capabilities and their impact on warfighting. Yet I believe that such capabilities in themselves are fairly agnostic when it comes to triggering change. You can only really trigger change when you merge technological capabilities with new tactics, the right operational concepts and the right organisational structure.

So, the project takes technology as the starting point of a much deeper analysis of these new ideas. In doing so, we are trying to fill a gap that not many other institutions talking about future warfighting are looking at.

ES: What is your methodology for the project?

FG: As I mentioned, we are principally looking at future warfighting through three dimensions: space and cyber, kinetic and cognitive. We use these three dimensions to conduct comparative case studies on how various countries are thinking about future warfighting; and to divide up the literature, all the documents and interviews, and the military capabilities.

The first part of the project looks mostly at how China, Russia and the US would fight a high-intensity war after a breakdown of conventional deterrence. So not really grey-zone scenarios or hybrid warfare (though these are relevant) but rather high-intensity combat between great powers, which we have not really seen for many decades.

ES: What are your main findings so far?

FG: It is very early on, and I am hesitant to draw firm conclusions. But one of my hypotheses is that these three dimensions will increasingly merge into one over the next decade, and simultaneously, we will see a rebalance of conventional kinetic operations vis-à-vis cyber, space and information operations in any high-intensity great power war scenario. At the operational level, this is a result of the presumptive Chinese emphasis on system destruction warfare, the US attempt to move towards decision-centric manoeuvre warfare and the Russian push towards new-generation warfare.

All three forms of warfare attempt to move away from an attrition-centric approach, that emphasises the kinetic annihilation of an adversary’s forces, in favour of an evolving model of dislocation and disruption, that entails undermining an adversary’s battle network in all three dimensions. In this new form of network-centric warfare, you do not try to destroy your enemy and its main force; instead, you try to disable its networks and compromise its ability to fight.

A second hypothesis is that all three great powers will be increasingly capable of fielding precision-strike capabilities in all three dimensions in the 2030s. This will culminate in the establishment of a multi-dimension precision-strike regime, defined by the ability of a great power to conduct precision-strikes in the kinetic, cyber, space and cognitive dimensions against platforms, networks and humans at all ranges and in all warfighting domains.

And these two hypotheses draw attention to a third, which is that armed forces have a cultural problem in being overly focused on kinetic capabilities. My question would be, is this going to be a disadvantage for militaries in the future, as we move from a platform-centric approach to a more network-centric approach? (By platforms I mean tanks, ships, missiles and so on, or how we usually assess the military capabilities of a country – and I think these sorts of assessments are going to become less relevant in the future.)

There is a lot of resistance to this shift. For example, I have just spent some time looking at what is happening in the US, and the US Congress, interest groups and people within the Department of Defense are hesitant to give up certain capabilities that might no longer work in future warfighting scenarios, so-called legacy platforms. It is a huge problem. How exactly can you phase out legacy platforms and what are you going to replace those platforms with?

For instance, are we really going to have manned aircraft in 20 to 30 years from now? The answer is yes, but maybe we need to have a new role for manned aircraft. And maybe we are going to have more autonomous systems operating in the battlespace. What is the role of these new armed platforms? Are they going to be flying command and control centres, controlling autonomous swarms in the air or on the ground or in the oceans?

This question of integration is going to be crucial. You are still going to have legacy platforms 20 years down the road: you are still going to have the F-35 and maybe the F-15; you are still going to have most of the ships that you see in navies today – the aircraft carriers, the destroyers and manned submarines. But how do you integrate these capabilities with new platforms that are being developed? And by integrating, I mean how do you come up with a good operational concept to conduct a successful campaign in the future against a potential peer or near-peer adversary?

You cannot really talk about future warfighting unless you start off with a problem statement. Essentially, what is the operational environment you are envisioning in the future? And from there you try to come up with the kind of force structure you need, the kind of operational concepts you need and then also doctrine (how you train your force to fight in these future conflicts). And, of course, you need the resources and the strategy that comes along with all of this. So, it is a long, long process – and that is what we are trying to shed some light on.

ES: Which domain, if any, will be the most important in future warfighting? And does any domain have revolutionary potential?

FG: As I said, I think a key question behind modernisation efforts in China, the US and Russia (and we will also look at medium-sized powers, such as the UK, Germany and Japan – states that have strong military capabilities and relatively high defence budgets) is how they integrate these different capabilities. Ultimately, there are going to be trade-offs. And countries like China, Russia and the US – mostly China and the US, but it is partially true for Russia – can handle these trade-offs better than smaller powers because they have the resources to invest in both legacy platforms and new capabilities and create a better force structure. Most other militaries will not have the money to do both, so they have to be very careful about where and what they spend their money on.

This makes your question a pertinent one, in the sense that states do need to prioritise funding when it comes to these capabilities. You can have all the operational concepts in the world and the doctrine, but if you do not have the capability then it just does not work – it is impossible to become an effective warfighting force.

So, when we talk about a new age of network-centric warfare, we are really talking about the creation of what you would call a military Internet of Things (IoT). That is a virtual and kinetic kill chain that creates networks that link the sensor to the shooter in a triangular relationship, or a ‘system of systems’. The sensor identifies the target and then through a network relays that information to the shooter, whether a manned aircraft, a missile or an offensive cyber capability. And the idea behind this is that a military commander would much faster be able to identify a target on a sensor and then through the military IoT direct fire, whether virtual or kinetic strikes, to degrade the target or destroy it.

Obviously, this opens up new attack vectors in cyberspace. And so, you cannot really implement any of these concepts properly unless you have extremely strong cyber defences, and cyber defence almost always entails offensive cyber capabilities.

I think an important technological capability to develop and hone in the future will be AI-enabled cyber defensive and offensive capabilities. When we think about the first officially AI-enabled weapons platform, it is probably going to be an offensive cyber weapon because they are easier to deploy than, let us say, a lethal autonomous weapon system like an autonomous tank or missile. This is because of all the risks that are still involved and the fundamental lack of trust in these platforms unless you test them at great length.

So, to a certain degree, the foundational element of network-centric warfare will be strong cyber defences and, ultimately, AI-enabled cyber defence capabilities. This will entail advances in AI and cyber defence. But if you do not have these, your network is going to be immensely vulnerable and attacks from the electromagnetic spectrum could turn the lights off, so to speak, of any of your networks. At the same time, however, you cannot of course neglect any other capabilities or domains.

In terms of revolutionary new capabilities that are going to fundamentally change the future of warfare, I do not think you will find these in hypersonics, for instance, because they just improve existing capabilities – they will be evolutionary. But when it comes to AI-enabled cyber capabilities, I think these have revolutionary potential.

I have to caveat this, though, by noting that it is very difficult to assess these capabilities because we have not seen high-intensity combat between great powers in which they have been deployed. And this is true of even strategic offensive cyber weapons, let alone AI-enabled cyber weapons. One scholar once called it the ‘fog of peace’, and we really do operate in a fog of peace when it comes to deliberations about future warfighting.

In terms of historical context, we are very much like where we were in the 1920s and 30s when it came to airpower. Because in the First World War you had airpower capabilities but by no means did airpower reach its full potential. It took the Second World War and the aerial campaigns of the Allies and the Axis powers to see whether some of those propositions in the 1920s and 30s turned out to be true.

A lot of people said that airpower was going to be the only necessary military capability in future wars; that you could essentially win any future conflict with bombers and fighter aircraft, and that you would not need land forces or sea forces anymore – that airpower makes everything obsolete. That turned out to be untrue. And then there were the others who said: ‘Oh, well, airpower is completely useless; you do not really need strategic bombing capabilities; we only use aircraft for tactical purposes, like reconnaissance and tactical strikes’. And that also turned out to be untrue. At the end of the day, airpower had a big impact but it was, I think, by no means the decisive factor in the Allies’ victory.

So, we are in a similar situation in the sense that there will be extreme positions when it comes to network-centric warfare and all of these new capabilities, particularly cyber capabilities. At the end of the day, the truth will also probably be somewhere in-between the two extremes: one side saying that cyber is not going to be that important, that it is really just an auxiliary to other capabilities, and then the other, saying that cyber is going to be a revolutionary capability.

The difference, though – and I think why cyber has the potential to be more important than airpower, for example, or even nuclear weapons – is that cyber permeates all other dimensions and warfighting domains. It really is a foundational element of warfighting. Without strong cyber capabilities today, you cannot conduct conventional military operations because every system that is in a tank or an aircraft or a ship – all command and control systems – are immensely vulnerable to cyber-attacks. Any idea of new warfighting has to take that into account.

So, I would say cyber and AI-enabled cyber capabilities probably have the biggest potential to revolutionise future warfighting. Of course, there are other capabilities of note as well. But cyber is slightly underestimated by a lot of military planners and defence departments, despite probably having the biggest potential.

ES: You note the revolutionary potential of AI-enabled cyber capabilities. More generally, do you think AI as a technology is a game-changer or is it overhyped? And is an AI arms race inevitable or perhaps already even happening?

FG: I generally do not like the idea that there is an arms race in AI happening. Firstly, AI is not a weapon system or a military capability per se: it is a general-purpose technology, as some scholars have pointed out. And so, we should not consider AI in isolation but instead how this technology might be combined with weapon systems.

In the short term, I do not foresee revolutionary changes when it comes to AI-enabled capabilities. But in the long-term, it is definitely possible.

In the short-term, what we are going to see is an accelerated pace of military operations from AI first arriving in non-lethal roles. And this is already underway when it comes to intelligence collection and analysis, support elements for command and control, decision-making support, and Intelligence, Surveillance and Reconnaissance (ISR) capabilities – where I see huge potential for AI, such as in AI-enabled satellites.

It is a hugely important field, and AI does have the potential – just like the combustion engine 100 years ago – to revolutionise warfare. But I would not look at it in isolation, and that is an important point to note about discussions around future military technological capabilities in general. What people usually get wrong is not so much predicting a particular technology but rather how that technology will combine with the wider defence architecture to field an effective weapon system.

If you think about the Second World War, for example, you had radio communications, the combustion engine, advances in armour protection, as well as in the ballistics and mechanics of high-velocity guns. But it was only through merging all of these new capabilities that we created the tank – in other words, only in combination did they create a ‘revolutionary’ weapons platform. Yet even that alone did not do that much. All of the Western militaries had tanks and fairly advanced tanks that were relatively equal in terms of technical capabilities. The true change came when the Germans devised a revolutionary operational concept that later on was adapted to doctrine (operational concepts being the precursors to doctrine). By combining all of these technological developments with a revolutionary approach to warfighting, the Germans enabled not a revolution in military affairs but a decisive victory in the battlespace.

So, I guess the major point here is that technology alone is not going to determine the character of future wars. It is really as much, and if not more, about how you change your organisational structures, adopt doctrine and so on. And within this, there is the key question of how you integrate all of these new platforms and approaches into an overall force structure that gives you the most capabilities to meet future operational problems.

To return to your question, I guess we have to ask: firstly, what are the most important technologies that AI could be combined with? Secondly, what would be the best operational concepts and doctrine to exploit the full potential of these newly combined technological capabilities? And thirdly, what sort of organisational structure and force posture does your military need to execute missions that exploit the full potential of these new capabilities?

ES: Thinking about other technologies, how significant is it that China is overtaking, or perceived to be overtaking, the US in various areas of research on quantum technology? In the context of the tech war too, is it significant that China is making ground in this space?

FG: Yes, I think so. Quantum technology is an interesting one because we are still probably many years away from fielding military capabilities when it comes to quantum radars or quantum sonar. There is also a debate over whether it will have any impact at all in the military domain. And so, I am hesitant to make any predictions about quantum technological capabilities and their impact.

To answer your point about competition between the US and China, as I mentioned earlier with regards to AI, I just do not see all of these tech races as really being tech races. Firstly, there is a lot of cooperation between the US and China in many fields, and there is more collaboration than you would think in developing these emerging technologies. Secondly, you have to question whether these technologies will actually have a significant impact on the modern battlespace and to what degree they will revolutionise future warfighting.

Just to illustrate why I always try to move away from strictly technological discussions when we talk about future conflict. My approach to military power is based on what the defence analyst Stephen Biddle called the ‘modern system’ of force employment. That is, military power is based, on the one hand, on combined arms operations that increase the effects of precision-guided munitions (what I call the multi-dimension precision-strike regime), whilst on the other, cover and concealment and the dispersion of your forces, for example through stealth technology or the suppression of ISR capabilities, simultaneously offer protection from an adversary’s precision-strike capability.

The aim of combined arms operations is to integrate different services, capabilities and platforms to achieve a decisive effect in the battlespace. In the modern battlespace, the emergence of precision-guided munitions requires militaries to conceal their forces because, in order to conduct these operations successfully, usually you need to be able to mass your forces to achieve a breakthrough on the frontline.

And combined arms operations are really difficult to pull off. Combining and coordinating capabilities and strikes from land forces, naval forces and air forces to achieve some sort of effect and a breakthrough in the battlespace is immensely difficult – and something only a few militaries have been capable of achieving.

To take the example of the first Gulf War, there was a decisive victory by the US and her allies, but this was not just down to superior technologies: it was technology integrated with combined arms operations, and the ability to hide forces and conceal movements, that achieved this one-sided victory. The other side, Saddam Hussein, also had a powerful military and fairly advanced technological capabilities (although not as powerful or advanced as the US). But it was impossible for him to achieve meaningful effects in the battlespace because, on the one hand, he failed to hide his forces from precision strikes, and on the other, to conduct combined arms operations to counter the US and her allies.

Saddam probably could have conducted some form of combined arms operations against elements of US ground forces, by using artillery strikes in combination with tanks, infantry and air strikes. But he failed to coordinate his attacks and successfully manoeuvre his forces. These are the key tenets of any military these days, and the ability of a military to execute these operations is currently the decisive factor in warfighting.

Revolutionary change in the future battlespace is most likely to happen if these warfighting methods are made ineffective by new technological capabilities. Ones that make cover, concealment and dispersion through camouflage or stealth technology, as well as combined arms operations in general, obsolete. That, in essence, are capable of detecting every move on the battlefield and provide complete situational awareness. To date, no such technological capability exists – but I accept that may change in the coming decades.

When it comes to stuff like AI-enabled ISR capabilities or quantum radar and quantum sonar, if these capabilities can facilitate that sort of situational awareness then you might have a revolutionary technology on your hands. Until such a technology exists, however, combined arms operations, or multi-domain operations, will remain the most important factor when it comes to military power.

ES: And finally, how important is space going to be as a future warfighting domain?

FG: New space-based capabilities are crucial to how all major military powers exercise command and control over their forces. They also directly link to the ability to conduct offensive cyber operations and campaigns, which will be a – and if not the – crucial component in any future military campaign. For one thing, space and cyber permeate all other war-fighting domains and so are the new centre of gravity for high-intensity military operations.

Whoever dominates space will have massive advantages in the cyber domain, and without space capabilities, you are essentially not capable of conducting modern military operations. So, all major military powers have been working to deny potential adversaries the use of these capabilities, which until recently basically meant GPS-type satellites.

No longer in the future, however, are you going to have just a handful of GPS satellites you depend on for ISR capabilities, targeting, early warning detection systems and so on. A lot of current discussions in the US are about making ISR architecture less reliant on space capabilities and a desire to diversify and build more resilient space architecture. As a result, we will see a proliferation of smaller, cheaper, low Earth orbit (LEO) satellites in order to create more redundancy in capabilities and to increase the resilience of space architecture and battle networks.

Networks of hundreds to thousands of smaller, more expendable LEO satellites are much harder to disrupt than larger GPS-type satellites. LEO satellites, such as the ones to be developed by OneWeb in the UK, can increase situational awareness in the battlespace, for example by transmitting high-resolution, real-time video directly into the cockpit of military aircraft, such as the F-35, and decrease the reliance on GPS for these tasks. They could also be used to monitor the activities of adversaries and in developments in areas such as optical clocks, which are necessary for accurate positioning and enable high-precision, reliable navigation (and as a result precision-strikes) without the limitations of GPS systems.

China and Russia have recognised the US is particularly vulnerable when it comes to space. They have tested anti-satellite weapons and have been developing cyber capabilities to degrade and disrupt and manipulate satellites. Having said that, the US will continue to dominate the space domain for the foreseeable future.

So, it is going to be a hugely important warfighting domain because it links to other key capabilities: it is very difficult to pull off precision-strikes without space assets, and it is very difficult to conduct offensive cyber operations without space-based capabilities. And it is already a very important domain, which is why countries are working to build more resilient space architectures and, at the same time, looking at alternatives to existing platforms.

It is extremely difficult, though, to achieve uncontested superiority in space because of the nature of the domain – which makes assets immensely vulnerable to all sorts of military operations, whether kinetic strikes, such as anti-satellite weapons, cyber-attacks or electronic warfare. And there is a ‘nuclear’ option in space too: a series of kinetic strikes against satellites causing massive debris, which would knock out a large percentage of existing space-satellite architecture.


Ed Stacey is an MA Intelligence and International Security student at King’s College London and a Student Ambassador for the International Institute for Strategic Studies (IISS). The #IISStudent Ambassador programme connects students interested in global security, political risk and military conflict with the Institute’s work and researchers.

Franz-Stefan Gady is a Research Fellow at the IISS focused on future conflict and the future of war. Prior to joining the IISS, he held various positions at the EastWest Institute, the Project on National Security Reform and the National Defense University, conducting field research in Afghanistan and Iraq, and also reported from a wide range of countries and conflict zones as a journalist.

Cyber Security in the Age of COVID-19: An Interview with Marcus Willett

July 10, 2020 by Ed Stacey

The World Health Organisation has reported a fivefold increase in cyber attacks during COVID-19 (Image credit: Getty Images)

On 22 April 2020, Ed Stacey sat down with Marcus Willett to discuss his recent article for the International Institute for Strategic Studies (IISS). Marcus’ analysis draws parallels between the current coronavirus crisis and global cybersecurity challenges and warns against the Balkanisation of either response. In this exclusive interview, he expands on his thinking.

For more information on the IISS and the latest analysis of international security, strategy, and defence issues, visit them here or follow them on Facebook, Twitter (@IISS_org), and Instagram (@iissorg).

ES: In your article, you explore the idea of a global cyber ‘pandemic’ – what do you mean by this?

Marcus Willett: What the article tries to show is that we like to take a lot of language in the world of cybersecurity from the world of dealing with medical crises – like the horrible one we are currently facing. For example, terms like virus and infection. However, what we have not started doing is using words like endemic and pandemic. The article was merely trying to go that extra step and consider the applicability of these words to what is happening in cyberspace. If you just look at cyber-criminality, for instance, techniques that were developed by people in the most advanced and connected nations have now spread, and are being used, all over the globe, by individuals, hacktivist groups, criminals and, of course, states.

Sitting here at the moment, if a cybercriminal was to try and defraud us, that criminal is as likely to be in Eastern Europe, or Nigeria, or Vietnam, as anywhere else. So what I was trying to show is that the use of cyber has spread globally and that you can get infected – through your network or your device – from anywhere around the globe. ‘Pandemic’ feels like quite a good word to describe that phenomenon, particularly since we are all using it at the moment.

ES: Is there a cure for the cyber pandemic?

Marcus Willett: I do not think there is a silver bullet-like vaccine; a cure is more about how nations might approach the problem. The trouble with people who have worked in my sort of background is the thinking that there is always, waiting for you, some technical silver-bullet – a wonderful technical solution that will solve the world’s problems when it comes to cyber. I do not think that is right.

If you think about offensive cyber, for example, the incentives are not great for states to talk about their most sensitive capabilities. This is because the most advanced states still think they have got such an advantage in terms of cyber that it does not make sense to reveal what they have developed to the world. But I believe states need to start a dialogue about the risks involved in some of these cyber capabilities, building on stuff that is already being done around developing norms of behaviour, to think about how we might better manage them.

So, I think a cure is more in the territory of better understanding the risks and better managing those risks than pursuing technical solutions. And the only way we are going to get to that is to recreate the sort of cooperation we see with the response to the current health pandemic. Additionally, I think that the best way of having those sorts of conversations is not to start at the most difficult end, which is, say, to try and work out some big deterrence theory and proliferation control treaty around offensive cyber capabilities. Because that is going to get silence from some of the big actors from the very beginning.

Instead, it is better to pick an area like cybercrime, where all states have a vested interest in trying to combat the defrauding of their economies and use that as a way to start the dialogue between states about how we can better manage these risks. Always, however, with the goal of an internationally agreed regime over what is a responsible use of cyber capabilities. The same way we have ended up with the understanding that it is generally unacceptable that people use barrel bombs and cluster bombs – that a guided missile is more acceptable.

ES: Is the United Nations (UN) the best space for this dialogue to take place?

Marcus Willett: Whilst it needs to be under the auspices of the UN, I cannot help but feel there is a certain group of nations that need to start the conversation. I would love to see, particularly, the Americans and the Chinese talking about cybercrime. That would start a dialogue that might help bring some of the conversations they are having around technologies – take Huawei, for example – into a better place – and where they need to be. If we carry on with this sort of competitive conversation around the future of cyberspace, I think we will end up with results that are not very good for likeminded nations like ourselves and our allies.

ES: Russia has been quite active at the UN on cybercrime. Do you see their recent proposal as a viable alternative to the Budapest Convention?

Marcus Willett: One of the reasons I suggested the US and the Chinese is to draw that distinction with the Russians, who are quite fond of coming to the UN with grand proposals that are, frankly, a little bit transparent. I did a conference in Berlin last year on a panel around cyber and question number one from the audience came from the Russian cyber representative to the UN Group of Governmental Experts (GGE). She laid out, not a question, but a statement about how the Russians were the good guys around cyber, claiming that they had been arguing for all sorts of things – like the cybercrime treaty you just mentioned – and for the outlawing of any military use of cyber capabilities. This was just after the Skripal incident and when that GRU unit was exposed at the Hague. So you can imagine how the Dutchman to my right reacted; it was an ‘actions speak louder than words’ situation.

A more realistic conversation with the Russians, since a lot of cyber-criminality emanates from bits of their territory, would be around legal jurisdictions and Mutual Legal Assistance in Criminal Matters (MLAC) arrangements – to try and get their assistance in pursuing some of this criminal activity. As you know, they are very unlikely to agree to that. And these are difficult conversations because they are likely to end up in accusation and counter-accusation.

I like the idea of the Americans and the Chinese talking about it; both with a vested interest, both without the past of being connected to cybercriminal gangs. That has got a higher chance of success. Yes, the Russians need to be brought into those sorts of conversations, but I would not start there because, again, it feels like too difficult territory. Cybercrime between the US and China: easier territory. Cybercrime with Russia: very difficult territory. Offensive cyber and military capabilities: very difficult with everybody. It is about trying to find those baby steps.

ES: Is cooperation between the US and China on cybercrime possible in the current context of the ‘tech war’?

Marcus Willett: What I am trying to argue is that there is more potential for a conversation around cybercrime than there is for a conversation on anything else, given the context of the tech war. It would be the best way of starting a dialogue because it is a rare area of mutual interest. Of course, you would have to start the conversation with a very clear definition of what you meant by a ‘cybercriminal’. But there are millions being defrauded from the Chinese economy by cybercrime, just as there are from the US economy; they are both targets of cybercriminals. So, you have got a better chance of starting a conversation there than anywhere else.

Does that feel overly idealistic given what is going on? I would have thought there was a chance if you just had the tech war or even just the trade war. However, if this escalates into finger-pointing around COVID-19 and an inquiry turns into making China some sort of a pariah state, it would be less likely. And you can see already how some of the stuff coming out of the White House is only going to antagonise the US’ relationship with China even more. So, no – perhaps the prospects are not as good as they were a few months back, but it is about more than just the tech war.

ES: Why do states such as Russia and North Korea use cyber organised criminal groups (OCGs) – either by shielding or cooperating with, and perhaps even masquerading as, them – to augment their cyber capability?

Marcus Willett: Something you said earlier resonated with me. When you alluded to the issue of defining cyber-criminality and the Russians perhaps having a slightly different idea. I remember the same sort of trouble around early attempts to talk with the Chinese about counterterrorism. You had to be very careful to define what you meant by terrorism for them not to think that that was an excuse to go after Uighurs in their own country. For the Russians, unless you are very careful about defining cyber-criminality, for them, people that we might call cybercriminals are patriotic hackers – an extension of the Russian state. That definitional point is a problem.

Another thing to note is the sophistication of some of the capabilities that have been developed by the organised criminal fraternity. In a good, realpolitik way, a state like Russia can see an advantage in these sorts of capabilities being developed by people sitting on its own soil. As you know, beyond cyber, plenty of corruption goes on between criminal gangs and the Russian state – and has done for centuries.

I lived in Moscow in 1983-84 as a student, during the height of the Cold War. And even though you could not read about it in the press, every Russian you spoke to knew that all sorts of arrangements were going on between the Soviet government and people they called mafia bosses – the mafia boss in Leningrad, as it was then, or the mafia boss in Moscow. There was the official world and then there was what really happened. So, I cannot help feeling – as so often in cyber – what you see being played out in cyberspace is actually a reflection of what has been going on for a long time in the real world. Sorry to use this phrase and be the first one to use it, but cyber is just a new domain for old age stuff. It is an accident of history and culture, going back through Tsarist times, that some slightly shady stuff goes on between the Russian state and parts of its population. Why should we be surprised to see that being played out in cyberspace?

In terms of the other point you are making, which is that some states pick up a modus operandi that makes them look like cyber OCGs – and I think you are mainly referring to North Korea there. Well, I wonder if that is out of choice or whether it is simply the case that the level of sophistication that they are able to attain is that of a cybercriminal group.

North Korea is a very interesting example. Everybody knows that they were behind WannaCry and the hack on Sony Pictures, and that they have been trying to defraud the global banking system – Swift and so on. I put it to you that North Korea is not able to do much more than that given its own massive vulnerabilities. For example, the number of connections that come out of North Korea to the global internet is extremely few, and so, for that reason, it often deploys its operatives overseas. It would certainly need to do that if it got involved in any sort of conflict, as it would have no chance of running offensive cyber operations from within its own territory if it was up against a capable cyber actor.

In other words, North Korea has had to develop these more distributed, low-level capabilities. I do not think they are deliberately trying to make themselves look like cybercriminals, it is just that is the sort of capability they know they can use and have access to.

Countries like North Korea and Iran have learnt from what other countries have done in cyberspace, which is perhaps not the lesson that was intended; it certainly was not the lesson intended for Iran around Stuxnet. They saw this activity and thought: ‘Oh, that is interesting. What could we do in cyberspace? And would that give us a reach beyond our own region that we have no chance of achieving with any of our other capabilities? Does it give us a reach even into the great Satan – the US?’. And lo and behold, it does. Their attacks are not going to be of the level of sophistication that can bring down the US’ Critical National Infrastructure (CNI), but they can have strategic effect. Whether that is propaganda effect or just being an annoyance, it nevertheless can be used to say to their citizens: ‘Look, we can do harm to the US’.

It is the famous point about cyber, that what can look like unsophisticated capabilities can proliferate and be picked up easily by states, from groups like cybercriminals, and then utilised to have a strategic effect in the mainland of a superpower, in a way that they previously could not. So, North Korea, and I would add Iran, are very interesting studies in some of the risks associated with the proliferation of cyber capabilities.

Sitting in the back of our minds, always – and this is the other thing big, cyber-capable states need to talk about – is the proliferation of some of those more destructive capabilities to terrorist organisations, and what that could mean. Everybody always assesses international terrorist groups when they look at threat actors in cyberspace. And the answer for years has been: ‘They know about the potential; they are interested and looking for it, but they do not have it’. And so, every assessment ends with: ‘So there is no need to worry about them at the moment’. Well, that picture could change. If ever terrorists work out a means of delivering the same sorts of physical destruction that they can through the use of a bomb, with cyber means, that is a bad day for everybody.

ES: How real is the threat of a catastrophic cyber event?

Marcus Willett: Having talked about cyber-criminality, terrorism, and states realising the asymmetric advantages they can gain through cyber capabilities, nevertheless, these are not where I see the greatest risk of a cyber catastrophe. The greatest risk of a cyber catastrophe, in my mind, is what is happening every second of every day, with the reconnaissance and prepositioning by states against their potential adversaries’ CNI – infrastructure like power, transport, communications – the bringing down of which would have catastrophic humanitarian consequences, as well as technical dimensions. And, while I am sure no state short of a conflict situation would intend to do that, my worry is that – as has already been proven in WannaCry and NotPetya – states, in trying to either reconnoitre a network or preposition for a conflict scenario, may accidentally make a mistake.

Prepositioning is necessary because, to have an effect in a conflict situation, you cannot go from a standing start: you either have that presence in the network or you have not. In other words, you need to establish a presence in the network in peacetime to be able to have that capability should a conflict occur. So, states are not only doing reconnaissance, they are doing pre-positioning. And the chances of something going horribly wrong, I would say, are fairly high.

What worries me most about that is, even just the detection of that sort of activity – what some may define as a cyber attack – could cause escalation. And how states try and deescalate in a cyber catastrophe is still something we have not properly thought through. How a prime minister or a president would be brought into the discussions around such a technical subject, that had spilled out into real-world loss of life and escalation, in a way that could deescalate the situation, is an issue at the heart of where we need to get to around international conversations, under the auspices of the UN, for cyber.

My argument is that, although this is the biggest risk, you cannot start with this conversation amongst states. But you have to start the conversation somewhere, so have it about cyber-criminality. Do not be deceived, however, in forgetting that the biggest risk is the one I have just been through: a mistake by a state in cyberspace that is interpreted as a potential act of war. That is the biggest risk in cyberspace.

How likely is that sort of catastrophe? The sad thing is that we do not really know, except to say that it is probably more likely than we should be comfortable with. The problem is we still do not properly understand what is happening in cyberspace. But there is lots of reconnaissance and prepositioning going on, all the time, by states, against each other’s CNI. Do not be deceived as to what is reported in the press about there having been 200 cyber attacks in the last ten years, or whatever the figure is. It all depends on what you mean by a cyber attack.

ES: Your comment on translating technical information to world leaders really resonates with President Trump in the White House. With a lack of precedent for escalation in cyberspace, there is no knowing if and how he might act.

Marcus Willett: Unfortunately, if you are an official in the US administration at the moment, you know you dare not mention the word cyber to President Trump. Because – and this is a massive generalisation – to him, all he can equate cyber with is: ‘The hacking into of our electoral processes and people saying that cyber is the reason I got elected’. Whilst he has made statements about the use of cyber in the past, I know from private conversations with ex-colleagues who are in those positions, that cyber is a subject you have to handle very carefully. Otherwise, you press the wrong button with the President, and it ends up not being a conversation, but the receipt of an earful. So, it is a huge challenge.

ES: And finally, in the context of the coronavirus crisis – and discussions around sovereign capability, national tech companies, supply chains, and so on – is the Balkanisation of the internet preventable?

Marcus Willett: This is a very interesting question. Balkanisation, or even bifurcation of the internet, which is the other phrase that is thrown around, is the concept of two internets. One model is what we have at the moment: multi-stakeholder governance, free, with a balance between states, NGOs, the private sector and techy-coders; and then how that internet is developed and run, with a balance between the rights of individual citizens, the private sector and governments. And the second model, which is being pushed by the Chinese and the Russians, which entails greater state control over sovereign cyberspace. This can sound like just a technical issue, but the implications for how the global economy works, for example, are massive.

Why would states not want more control over the threats to them and their own sovereign bit of cyberspace? Well, the net result may be, instead of having a conversation about how you can achieve control with a single internet and a single global economy, you end up with two separate versions, then three, or four, and so on. And do not forget what the word Balkanisation means: it is the disintegration into individual components that compete, or even conflict. And if there were two separate internets, one Chinese and one US, broadly speaking (although there is talk of a RU.net and the Iranians have invested quite a lot of money into trying to develop their own intranet) the current risks around cyber that I described earlier, between states, become even greater.

Imagine if you had no vested interest in that other internet: it is not connected to your economy; none of your CNI is dependent upon it. What would the incentive then be for states to restrain themselves around their use of cyber capabilities?

That is my worry about Balkanisation and why I fear a tech war, to which the only solution is to ban bits of tech from your own networks, ends up being self-defeating. Not only immediately, as you can see with all the US tech providers, for example, going to the White House saying: ‘Do you not realise what that does to our own economy and our ability to export into those markets?’. That is almost putting an Iron Curtain down that virtual world of the internet. And if you think about how dependent we are all becoming – with the Internet of Things, smart cities, and smart homes, and so on – that virtual curtain could only be followed by a real-world equivalent. I think it is incredibly short-sighted, and it can only lead to increased risk geostrategically.

Having said all that, if you are sitting here in a place like the UK you speak with two different voices. You certainly support the idea of a single, multi-stakeholder, free internet. But Ministers also worry about the UK’s ability to deal with terrorists and cybercriminals in its own bit of cyberspace because of issues such as the spread of ubiquitous encryption by big US tech companies. So, the UK also has a sovereign problem around understanding some of the biggest threats in cyberspace. It is a difficult question to answer, which becomes especially challenging for a middle-ranking country like the UK: one that instinctively does not want to see Balkanisation and cyber sovereignty, but also wants a bit more sovereign ability for national security reasons, over its little bit of cyberspace. It is a fascinating subject that is, I think, just going to roll. But I do not like the idea of banning tech from your own network; it is unrealistic and just not the way to go.

In some ways, the US has hit the strategic thing that is going on: a global competition about how the internet in the future will be developed, between itself and China – its main rival in this space. That is the big strategic point. And though the UK may not have woken up to that issue, the US tactic feels wrong. The UK tactic, ironically, perhaps not having recognised the strategic issue, feels better. And for those who love their deterrence theory, this is the idea of deterrence through entanglement – which everybody debates whether it really works or not. The notion that a potential adversary entangled with the global economy and in global cyberspace, is far easier to deter from bringing down that economy and that cyberspace than it would otherwise be.

And one more thing: look at this from China’s perspective. China is desperately dependent on eight US companies for how it runs its own networks. You could list them: Microsoft, Qualcomm, IBM, Intel, Cisco, and so on. They call them the eight guardian warriors. Yes, China does talk about having its own internet and ‘the Great Firewall’, and all that sort of stuff. But interestingly, two of those eight companies – Microsoft and Cisco, I believe – sit on China’s cybersecurity internal standards-setting body. IBM and the Bank of China develop technology supporting trillions of dollars of financial transactions around the globe. The People’s Liberation Army (PLA) uses Microsoft. I mean, that is just how it is – they are thoroughly entwined. Why would you try and persuade the Chinese that the better solution is for them to start developing everything indigenously; to not use anything American and wipe out half of the world’s population from your markets? I mean, why would you do that?


Ed Stacey is a BA International Relations student at King’s College London and a Student Ambassador for the International Institute for Strategic Studies (IISS). The #IISStudent Ambassador programme connects students interested in global security, political risk and military conflict with the Institute’s work and researchers.

Marcus Willett CB OBE is a Senior Adviser at the IISS. He helps to develop and deliver a programme at the IISS that researches the use of cyber and related technologies as levers of national power, including their role in future conflict. His initial focus is on developing a methodology for measuring cyber power to assist national-level decision-making.

Filed Under: Blog Article, Feature, Interview Tagged With: Covid, COVID-19, Cyber Security, Cybersecurity, ed stacey, iiss, international institute for strategic studies, marcus willett, Pandemic


Licensed under Creative Commons (Attribution, Non-Commercial, No Derivatives) | Proudly powered by Wordpress & the Genesis Framework