CYBERSPACE: THE FIFTH DIMENSION OF WARFARE - PART II
Sections
Introduction
Cyberwar – No Longer “Hype”
Cyberwarfare – Offensive Strategies
Cyberwarfare – Legal Implications
References
Introduction
The dimensions of warfare have evolved over the centuries from Land and Sea to encompass Air and Outer Space in the 20th Century. While land is integral to a nation, occupied and defended, sea and air are common pool resources that are sought to be dominated even beyond own territory. The decade of the sixties saw the emergence of space as the new arena of competition, with the proliferation of satellites and missiles driving the cold war. Technological developments have driven lethality, range and speed in all four domains to their maximum limits. With the heavy dependence on networks in the 21st Century, Cyberspace has emerged as the fifth dimension of warfare, with critical importance for the projection of military force.
In the previous part of this two-piece write-up, the emergence of Cyberspace as an operational domain of warfare, as well as the types and classifications of cyber-attacks/ cyberwar were discussed. In this follow-up part, some real-world examples of cyberwar over the past decade will be described, and certain doctrinal aspects related to offensive cyberwar strategies as well as some legal implications of conducting cyberwar will be dwelt upon.
Cyberwar – No Longer “Hype”
Thousands of cyber-attacks occur per day, suggesting great difficulty in distinguishing serious threats from minor ones. However, there appears to exist a fairly clear distinction between day to day cyber-crime events and an act of cyberwar. If an adversarial nation launches a sophisticated, targeted cyber-attack that takes down significant parts of a nation’s critical infrastructure, the consequences would constitute what we might call a cyberwar. For all practical purposes, cyberwar engages the nation’s intelligence agencies and active-duty military in the aggressive defense of its territory, citizens, and resources. Several notable examples exist of widely accepted instances of cyberwar, which are briefly described in succeeding paragraphs [1].
Estonian War (2007)
In Apr 2007, the Estonian Government decided to move a Soviet-era war memorial to a location outside Talinn, its capital. Estonia is considered as one of the most technologically advanced nations, with a ranking of 24 in the United Nation’s Network Readiness Index, indicating its e-Governance status as very advanced and Internet dependent. On 20 Apr, this tiny Country was swamped with cyber-attacks, quickly escalating into a cyberwar like scenario, wherein its banks, newspapers, news agencies and all government sites were attacked and brought down. The Distributed Denial of Service (DDoS) attacks using ping floods and botnets, spamming of news portals commentaries and defacements of government web-sites, left the Country crippled for the next three weeks or so. Despite being a NATO ally, Estonia could not invoke Article 5 (“attack one of us, and it’s the same as attacking all of us”), due to lack of definition of “under attack” in this case and the difficulty in identifying and proving that it was a Kremlin-sponsored attack. In a strategic sense, the impact of the attacks was significant. They demonstrated the utility of cyber blockade as a means of coercion, especially when employed in concert with other political, economic, and information tools. They also served as a wake-up call for NATO, which subsequently established the Cooperative Cyber Defense Centre for Excellence (CCDCOE) in Tallinn.
Georgian War (2008)
The Russo-Georgian War of Aug 2008 was a four day long armed conflict between Georgia and the Russian Federation, resulting in the breakaway of South Ossetia and Abkhazia from Georgia. Weeks before the physical attacks on Georgia, attacks against Georgia’s Internet infrastructure began as early as July 2008, with coordinated DDoS attacks that overloaded and effectively shut down Georgian servers. Although the Russian Government denied the allegations that it was behind the attacks, stating that it was possible that “individuals in Russia or elsewhere had taken it upon themselves to start the attacks”, it was established that the Saint Petersburg-based group known as the Russian Business Network (RBN) was behind many of these cyber-attacks. While the overall impact of the cyberattacks was minimal – Georgia’s IT infrastructure was limited in 2008, and the Georgian government was eventually able to reroute most of its traffic through servers in other countries, including the United States, Estonia, and Poland – it was the first known instance of wide-scale offensive cyber operations being mounted in conjunction with conventional military operations.
Stuxnet (2010)
In 2010, the Stuxnet computer worm may have accomplished what five years of United Nations Security Council resolutions could not: disrupt Iran’s pursuit of a nuclear bomb. Stuxnet is essentially considered the world’s first digital weapon. It was developed by the American and Israeli governments and used to wreak havoc on an Iranian nuclear facility called Natanz. It targeted the computer systems used to control the centrifuges used to enrich uranium, and instructed them to spin the machines out of control. Eventually that force broke the centrifuges. Over a few years, about 20 percent of Iran’s centrifuges spun out of control and were destroyed. Stuxnet was the first malware that actually physically destroyed something. In just a few years since the Stuxnet attack came to light, a lot has changed in the cyber warfare realm, and there have been other similar attacks that target critical infrastructure of adversary countries [2, 3].
Ukraine (2015)
Through its cyber campaign in 2015, Russia was able to quietly and persistently compromise the Ukrainian government and military’s ability to communicate and operate, thereby undermining the legitimacy and authority of Ukrainian political and military institutions. In late December, 2015, however, Russia appeared to signal its capability and a willingness to expand its use of offensive cyber operations to achieve kinetic effects by damaging Ukrainian critical infrastructure. Pro-Russian cyber actors departed from what were basically nuisance attacks and perpetrated what is believed to be the first cyberattack on another country’s electric power grid. In an attack that has been widely attributed to Russia, coordinated and synchronized cyberattacks targeted three separate distribution centres of a Ukrainian power company in Western Ukraine. Using remote access to control and operate breakers, the attackers took the distribution centres offline, causing power outages that affected more than 220,000 Ukrainian residents. The attack would seem to fall under the rubric of information warfare principles, in that its impact was mainly psychological. It emphasized the ramifications of Kiev’s anti-Russian policies while undermining the confidence of Ukraine’s citizens in their government.
Cyberwarfare – Offensive Strategies
Armed Forces across the world are undergoing transformation with emerging cross domain dynamics overlapping with cyberspace. The increasing dependence of the operational environment on Information and Communication Technologies (ICT) and networks has led to creation of a complex battlefield in which cyber warfare has a significant role to play. Cyberspace provides the Armed Forces with unprecedented situational awareness, operational and organizational agility, influence and the capability to engage the target population from anywhere on earth. Hence, acquiring and maintaining superiority in cyberspace is of paramount importance. Offensive cyber operations provide an asymmetric and powerful capability to strike at the core of a previously uncontested advantage in time and space across a range of military operations. The need for developing offensive cyber capabilities has, therefore, become an imperative for any major military power. Possession of such capabilities would enable the development of cyberspace strategies based on the operational concepts of cyber-deterrence, offensive defence and offensive cyber operations in a state-level multi-domain military conflict.
Cyber Deterrence
It is often said that, in defence strategies, deterrence precedes protection, resilience and response. Nuclear deterrence has largely been responsible for a reduction in large-scale conventional conflicts after World War II. Conventional military capabilities also have significant deterrence value. Given the ‘non-attributable’ as well as ‘asymmetric’ characteristics of cyber-attacks, the concept of deterrence in the cyber domain takes on a different flavour, making it a subject of study by the major players in cyberspace. However, it is fairly evident that there can be no effective cyber defence strategy based purely on a protection/ resilience/ response paradigm. In this regard, the connotations and inter-se importance of Deterrence-by-Denial vis-à-vis Deterrence-by-Retaliation in the cyber domain assumes importance. Clearly, a pre-requisite for achieving deterrence-by-retaliation is the possession of offensive cyber capabilities [4].
Offensive Defence
Sometimes termed “Active Defence,” in military operations it is often stated that offence is the best form of defence. Although both “Deterrence” as well as “Active Defence” need offensive capabilities, there is a difference in the two concepts, in that the former implies a “force in being” while the latter involves the actual employment of offensive capabilities. Both involve the possession and employment of offensive cyber capabilities, which therefore need to be developed and used to advantage towards protecting our national cyberspace [5].
Offensive Cyber Operations
It has been amply brought out in the preceding discussion that actions taken within cyberspace can have significant military effects within cyberspace as well as on the other four domains of conflict as well. With this as a basis, major global powers have already come up with doctrines enunciating use of offensive cyber capabilities in a multi-domain conflict as a declared national strategy. Capabilities in tune with these doctrines are being developed at a frenetic pace. The US Cyber Command achieved initial operational capability in 2010. It is mandated to have 133 Cyber Mission Teams with a total strength of 6200 personnel, over 5000 of which were already on staff last year and the balance are expected to be made up by next year. A good proportion of these teams are distributed amongst the geographical commands to be deployed at operational and tactical levels. In Aug this year, the Cyber Command has been upgraded to a unified combatant command by the Trump administration. China’s PLA Strategic Support Force, as per one report, is estimated to have over a lakh personnel. Russia too is known to be very active on the cyber operations front, under the aegis of FSB. The UK, in its National Cyber Security Strategy 2016-21, has clearly enunciated the need to develop offensive cyber capabilities. Thus, the development of doctrines and capabilities for offensive operations in cyberspace is no longer an option but a necessity.
Cyberwarfare – Legal Implications
There are no clear criteria yet for determining whether a cyberattack is criminal, an act of hactivism, terrorism, or a nation-state’s use of force equivalent to an armed attack. Likewise, no international, legally binding instruments have yet been drafted explicitly to regulate inter-state relations in cyberspace. In September 2012, the US State Department took a public position on whether cyber activities could constitute a use of force under Article 2(4) of the UN Charter and customary international law. According to State’s then-legal advisor, Harold Koh, “Cyber activities that result in death, injury, or significant destruction would likely be viewed as a use of force.” Examples offered in Koh’s remarks included triggering a meltdown at a nuclear plant, opening a dam and causing flood damage, and causing airplanes to crash by interfering with air traffic control. By focusing on the ends achieved rather than the means with which they are carried out, this definition of cyberwar fits easily within existing international legal frameworks. If an actor employs a cyber-weapon to produce kinetic effects that might warrant fire power under other circumstances, then the use of that cyber-weapon rises to the level of the use of force.
However, there is also a considered view that cyberattacks without kinetic effects are also an element of armed conflict under certain circumstances. For instance, cyberattacks on information networks in the course of an ongoing armed conflict would be governed by the same principles of proportionality that apply to other actions under the law of armed conflict. These principles include retaliation in response to a cyberattack with a proportional use of kinetic force. In addition, “computer network activities that amount to an armed attack or imminent threat thereof” may trigger a nation’s right to self-defense under Article 51 of the UN Charter. In its 2011 International Strategy for Cyberspace, the US affirms that “when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” The International Strategy goes on to say that the US reserves the right to use all means necessary—diplomatic, informational, military, and economic—as appropriate and consistent with applicable law, and exhausting all options before military force whenever possible.
Conclusion
In this write-up, it has been brought out that Cyberspace has emerged as the fifth dimension of warfare in addition to land, sea, air and space. While the latter four are physical domains, Cyberspace lies in the Information domain. In order to prevent our information infrastructure from being adversely affected during any future conflict, there is an urgent requirement to have comprehensive organizations not only at national level but at tri-services and individual services levels as well. Failure to adapt to this new domain of warfare will tilt the balance in favour of adversaries in future wars.
References
(1) Michael Connell and Sarah Vogel, Russia’s Approach to Cyber Warfare, CNA Occasional Paper, Mar 2017, pp. 13, 17, 19.
(2) Jo Lauder, Stuxnet: The Real Life Sci-Fi Story of ‘the World’s First Digital Weapon, http://www.abc.net.au/triplej/programs/hack/the-worlds-first-digital-weapon-stuxnet/7926298, posted 12 Oct 2016.
(3) Kenneth Geers, Strategic Cyber Security, NATO Cooperative Cyber Defence Centre of Excellence, 2011, pp. 13.
(4) Martin C Libicki, Cyberdeterrence and Cyberwar, RAND – Project Air Force, 2009.
(5) Lt Gen (Dr) R S Panwar, Strategic Thinking for Security, Panel Discussion, NASSCOM-DSCI AISS 2017 Summit, 14 Dec 2017.
0 Comments
Trackbacks/Pingbacks