1. Executive Summary:
- Cyber operations are a staple of international politics and are a tool which is constantly used by every actor. They are a sub-unit of information operations.
- Cyber operations are not usually used on their own, but as part of a broader strategy to improve the position of an actor in the international system, or to degrade the status of another.
- Cyber operations take place in cyberspace which consists of infrastructure, which is necessary for the internet to work, the services used through the internet, the devices connected to the network, and the users of those devices. The purpose of cyber operations is to cause damage (including physical) to either the targeted network, or associated externals.
- The primary types of cyber operations are espionage, propaganda, denial-of-service, data modification, and infrastructure manipulation. They are most commonly carried out by the use of malware and denial of service attacks.
- While cyber operations represent a significant threat, particularly to democratic states, it is important to acknowledge that Western liberal democracies also engage in such operations.
- The most important actors threatening European security through the use of cyber operations are: Russia, China, US, North Korea, Iran, Extremist organisations, NGOs and MNCs, and hacking groups and classified information distributors.
2. What are cyber operations and how do they work?
Cyber operations, or cyber warfare, are a relative novelty amongst the modern concepts of international politics and warfare. There is no widely agreed-upon definition of cyber operations which makes its detection, prevention, and even employment sometimes difficult. It is a reflection of the increased importance of information technology, primarily various forms of computers, in modern life. The more widespread information technology becomes, the more actors want to exploit it, either through friendly or unfriendly means.
It is important to note that Cyber operations and Information operations are often conflated and used interchangeably, particularly in the media. While there are many similarities between them, they are not synonymous with one another. Cyber operations are a narrower, technology focused, sub-section of information operations. This distinction is particularly important for formulating policies aimed at defending from cyber and information threats. For example, while information operations can still take place without any electronic devices, cyber operations cannot.
As the name suggests, cyber operations, in their broadest meaning, are simply any political or military operations which take place in cyberspace. Cyberspace is usually viewed as the infrastructure, which is necessary for the internet to work, the services used through the internet, the devices connected to the network, and the users of those devices. In a narrower sense, however, cyber operations are actions taken by states, or non-state actors (including international organisations, businesses, private individuals etc.) in order to attack the cyber and information networks of another state or other actor. The purpose of the attack is to cause damage (including physical) to either the targeted network, or associated externals.
3. Cyber strategies
Cyber operations, much like the overarching Information operations, are usually not considered as a stand-alone instrument. Normally they are used as part of a broader strategy of an actor in order to confuse, threaten, or destabilise a target so that it becomes more vulnerable to other instruments, such as military intervention, or political pressure. Cyber operations hold great appeal to actors, because they are relatively inexpensive, when compared to conventional military capabilities, and they offer a certain degree of deniability and anonymity. Thus, as part of a broader strategy they act as a force multiplier which is both quick-acting and financially efficient.
The reason for this limitation of cyber operations is that at present they do not represent a significant enough threat to endanger state survival. However, with increased reliance on information technology in both civilian and military affairs, this could change, and cyber operations have the potential to become existential threats even to states.
With the rise of cyber operations, a strategically vital question has arisen – can cyber operations, or an individual cyber-attack, be considered an act of war? On the face of it, the most likely answer would be negative. However, as noted above, should cyber attacks become more disruptive then it would be more difficult to argue against an affirmative response. The UK, for example, has stated that cyberattacks, particularly ones involving physical consequences such as downed planes, or disrupted hospitals, could be considered acts of war under international law. Conversely, in the US, such attacks are considered on a case by case basis and require congressional evaluation. Considering that one of the greatest advantages of cyber operations is their rapidity, it is unlikely that any decision-maker could react sufficiently quickly, especially if critical infrastructure is disabled in the cyberattack.
4. Use of cyber operations
There are many varied ways of employing cyber operations. Broadly speaking, the tactics normally associated with cyber operations include espionage, propaganda, denial-of-service, data modification, and infrastructure manipulation. More specific instruments used in such activities are malware (various types of malicious software such as bots, viruses, and worms), botnets (infiltrating chains of computers with a view of taking over control of them), distributed denial of service attacks (floods of various requests which are designed to overwhelm the network’s bandwidth or server traffic capacity), and automated defence systems (automatic responses to breaches which respond by breaching the point of origin).
The most prominent methods of cyber operations are the use of computer viruses or hacking attacks (denial of service attacks). Cyber operations are a sub-unit of information operations as the primary targets are usually components of the information network. However, unlike information operations which do not normally have a direct physical effect on the target, cyber operations can cause physical damage under specific circumstances. One example of such is the Stuxnet virus, which was implanted into Iranian uranium centrifuges with the purpose of causing them to malfunction.
Another aspect of cyber operations is also cyberterrorism. Because the means of cyber operations (i.e. computers) are so widely available, many non-state actors such as criminal networks and terrorists rely heavily upon them. Similarly to “normal” terrorists, cyberterrorists are either state-sponsored or non-state actors which engage in cyber operations to pursue their objectives. Such activities include planning attacks, radicalisation and recruitment, propaganda distribution, secure communications, disruption, etc. The most prominent user, in recent times, of cyberterrorism in all of its forms has been the Islamic State.
A related instrument is also so-called hacktivism. Unlike most other cyber operations, hacktivism is defined as the use of computer hacking to express political or sociological beliefs. While on the face of it, hacktivism is not as disruptive as other forms of cyber operations it has become increasingly problematic. In the early days of the internet it was merely used to raise awareness or present a view which did not get traction in the mainstream media sources, or as a disruptive, but non-destructive, way of protesting. However, as with all other forms of cyber operations, hacktivism now has the potential to be more and more disruptive. As cyber vulnerabilities increase groups like Anonymous have the potential to both disrupt and destroy targets as part of their hacktivism. This blurs the line between a disruptive, but ultimately benign, form of cyber protest and a cyberattack.
5. Opportunities and threats for European actors
Cyber operations have become imbedded in the ethos of both the military and the civilian spheres of politics, as well as the private lives of people. As such, they present a significant number of threats to European actors, as well as many opportunities.
The greatest threat stemming from cyber operations, much like for information operations, is that they have increasingly become a threat to an open liberal society. Not in an ideological sense, but because they can disrupt or disable some of the foundations that such a society is based upon. Limiting the flow of information, or even replacing it with an alternative flow, and the ability to shut down critical infrastructure is a potent combination of coercive instruments. Furthermore, cyber operations are usually conducted behind a veil of secrecy which is difficult to lift making cyberattacks incredibly hard to attribute. Even when attacks are traced to a certain state, for example, it can be impossible to prove whether the attack was state-sponsored or merely a private undertaking by an individual hacker. This creates mistrusts between actors, even friendly ones, which leads to a loss of confidence, and raises suspicions. The secretive nature of cyber operations means that such suspicions are difficult to overcome because actors are not willing to share information on cyber defence, as such disclosures would also highlight their vulnerabilities.
A critical threat for most actors dealing with cyber operations is an insufficient non-technological comprehension of cyberspace. It might seem an obvious point that not every person is an IT expert or a computer programmer, however, in the case of cyber operations, the problem is that the non-technological comprehension is lagging behind the technological debates on it. Cyber operations are a fast-evolving instrument and governments across the world are struggling to keep up with the pace, largely because it is tied to the frantic pace of overall technological development, but also partially because bureaucratic apparatuses are not prone to rapid changes. With lack of strategic understanding and non-technological political solutions, it is very difficult for decision-makers to adequately address threats from cyber operations.
The most obvious opportunity from cyber operations is that they can be a useful tool for strengthening alliances and cooperation between friendly actors. Notwithstanding the above-mentioned issues of the erosion of trust, if handled properly cyber operations can be a tool for enhancing operations. Some obvious benefits include greater interoperability, and cooperation on pinpointing cyberattacks. Exchanging views also aids in overall understanding and the sharing of good practices when it comes to cyber defence. This applies to both state-to-state relations as well as state-to-non state relations, such as private companies or hacker groups.
Connected to the issue of cyber cooperation is the concept of cyber deterrence. While classical deterrence is based on conventional power capabilities (nuclear deterrence, conventional military capabilities, political and economic power), these instruments are difficult to transfer directly into the cyber domain. A hacker group cannot be deterred by nuclear weapons, and political power can rapidly become irrelevant if an actor possesses the cyber capabilities to seriously disrupt information flows which would paralyse political decision-making. Classical deterrence is aimed at preventing physical attacks and therefore cannot be applied to an instrument which does not necessarily cause physical damage, but is also difficult to attribute and its results might not be visible until much later after the actual attack takes place. With timing being crucial to deterrence, this delay can render it ineffective.
One very important aspect of cyber operations, which is usually overlooked, is that they are not only practiced by non-Western states or actors. Particularly in Europe, the debate surrounding cyber operations tends to only see such actions as instruments of authoritarian regimes, extremist organisations, or, more generally, as being used by those who do not share Europe’s values and ideas. However, the political motivation behind cyber operations is not relevant to their conduct. Russian cyber meddling in the US presidential elections is as much of an example of cyber operations as the EU and US meddling in Russian or Ukrainian elections.
6. Actors using cyber operations
Every actor, either state or non-state, in international politics employs information operations to a certain degree. Such actions are neither new nor significantly different from the everyday conduct of international relations. However, more recently there has been an apparent increase in their perceived effectiveness with correspondingly greater concerns over their influence on security. As a result of this, it is worth examining which are the most threatening actors, from a European perspective, in order to better understand how information operation will be used in the future and by whom.
The most significant information operations threats to Europe stem from the following eight actors:
- United States
- North Korea
- Extremist (terrorist) organisations
- NGOs & MNCs
- Hacking groups and classified information distributors
For state actors like Russia, China, and Iran, the use of cyber operations is largely a matter of disrupting the decision-making processes of their opponents and gathering intelligence through cyber espionage. North Korea is a more interesting example because its cyber activities are also a way to obtain funds through state-sponsored hacking which has reportedly netted hundreds of millions of dollars for the regime.
7. Strategy options
Based on the above analysis of the instrument of cyber operations, the following four strategic recommendations can be made for decision-makers in Europe.
- Cyber operations are a relatively novel occurrence in international politics and actors are still unsure of the best ways of employing them or defending against them. Expanding on the non-technological aspects of cyber operations is crucial to this process so European actors should encourage debate between policy and strategy experts with the goal of evaluating cyber operations in a strategic way rather than merely as a technology problem.
- Europe, and in particular the EU, should honestly acknowledge that it actively engages in cyber operations and should not claim that it is merely a victim of, for example, Russian aggression in this area. Such incredulity only strengthens the cyber operations of actors using it against Europe because it creates a situation in which the European population is not sufficiently aware of what such operations are and how they are conducted. De-emphasising cyber operations as primarily a technological problem would also aid in this endeavour.
- Increase awareness of cyber operations within domestic populations by including technology and information courses into educational programmes for both children and adults. The general public is often unaware how interconnected information systems are and how all-pervasive they are for the conduct of their daily lives. As with the other recommendations this must extend to the socio-economic and political aspects of cyber, not merely to how to use information technology in a safer way – although basic information on how to reduce the risk of hacking should still be included.
- European security strategies, both national and supra-national, should avoid the over-securitisation of cyber operations on their own, but should put greater emphasis on hybrid threats which include an cyber operations component. Creating cyber-specific security strategies, which is the current trend, should be avoided, rather they should be subsumed under the wider information operations aspects of security.