Arming Cyberspace: Challenges in Militarizing a Virtual Realm

Viewed as a paramount national security concern in contemporary times, cyber security has gained prominence due to sophisticated and widely publicized cyber-attacks. These incidents have led to an increasing portrayal of cyber security as a strategic-military matter, with many states either possessing or expressing a desire to acquire offensive cyber "weapons."

Delving into the strategic-military facets of cyber security entails subjecting it to the dynamics of an antagonistic zero-sum game, where one party's gain translates into another party's loss. While the significant role of the cyber dimension in future conflicts is acknowledged, there is a consensus that threat representations must remain well-informed and balanced to prevent policy overreactions with unnecessary costs and uncertain benefits.

In recent years, the trajectory of cyber security issues has shifted in two directions: vertically, ascending from the expert level to executive decision-makers and politicians; and horizontally, expanding from primarily being a concern for the United States to becoming a top threat for an increasing number of countries.

The connection between information technology and national security was firmly established in military writings post-World War II. However, it was the Second Persian Gulf War of 1991 that marked a pivotal moment in US military thinking about cyber warfare. This conflict was viewed as the onset of a new generation of conflicts, where physical force alone was insufficient, necessitating the ability to dominate the information war. Consequently, American military thinkers produced numerous books and developed doctrines emphasizing the degradation or paralysis of an opponent's communication systems.

By the mid-1990s, the advantages of Information Communication Technology (ICT) in revolutionizing military affairs were not only seen as providing a national "information edge" but also recognized as posing a disproportionate vulnerability to malicious state and non-state actors. This perception was shaped by the evolving strategic context for the United States post-Cold War, characterized by dynamic geostrategic conditions, diverse adversaries, and global information networks enabling asymmetrical attacks on the US.

The difficulties in locating and identifying enemies led to a shift in security policies, redirecting focus from actors, capabilities, and motivations to vulnerabilities across the entire society. The borderless nature of cyberspace eliminated the need for large, specialized weapons systems or armies to launch asymmetrical attacks on the US. This prompted concerns that adversaries, unable to match American military power conventionally, would seek to undermine the US by targeting critical infrastructures fundamental to national security and the functioning of industrialized societies.

Simultaneously, the development of military doctrine for the information domain persisted during this period.

Initially, information warfare, as a novel form of conflict in the information age, was predominantly confined to military measures during times of crisis or war. A notable shift occurred in the mid-1990s when these activities were redefined as actions targeting the complete information infrastructure of an adversary, encompassing political, economic, and military aspects across the continuum of operations from peace to war (Brunner and Dunn Cavelty 2009). The 1999 NATO intervention in Yugoslavia marked the inaugural sustained use of a full spectrum of information warfare components in combat. This encompassed the utilization of propaganda and disinformation through the media (a crucial facet of information warfare), alongside website defacements, numerous Distributed Denial of Service (DDoS) attacks, and unsubstantiated rumours suggesting the hacking of Slobodan Milosevic's bank accounts by the US armed forces (Dunn 2002: 151). The escalating use of the Internet during this conflict earned it the distinction of being the 'first war on the Internet.'

Recent trends and developments have solidified the perception that cyber disturbances are becoming increasingly dangerous and aggressive, prompting governments to advocate for more forceful responses, particularly by bolstering their offensive capabilities. Firstly, there is a heightened concern regarding the growing professionalization coupled with the evident criminal or strategic intent behind attacks. Advanced malware, exemplified by Stuxnet (addressed below), is meticulously crafted, with hackers selecting a target, assessing defences, and designing malware to circumvent them (Symantec 2010). This development aligns with the growth of the cybercrime market, fueled by substantial sums of money available to criminal enterprises at low risk of prosecution (Panda Security 2010).

Secondly, a specific cyber 'enemy' has been identified, with mounting allegations that China is responsible for cyber espionage involving high-level infiltrations of government and business computer systems in Europe, North America, and Asia. China's authorities, asserting cyberspace as a strategic domain, aim to level the existing military imbalance with the US swiftly. Consequently, many US officials readily accuse the Chinese government of deliberate and targeted attacks or intelligence-gathering operations (Ball 2011).

Thirdly, there is a surge in sophisticated hacktivism activities. Notably, WikiLeaks has introduced a new dimension to the cyber espionage discourse by adhering to the hacker maxim 'all information should be free.' This form of activism deliberately challenges states' asserted power to keep information deemed potentially harmful to national security secret. Associated with this are the diverse activities of hacker collectives like Anonymous or LulzSec, engaging in actions such as DDoS attacks, break-ins, and the release of sensitive information. Additionally, conflicts of a political or economic nature increasingly involve a cyber component, often intertwined with hacktivism activities. The Estonian 'cyber war' case of 2007 serves as a prominent example in this regard (Deibert et al. 2012; Demchak 2010).

Fourthly, the identification of the computer worm Stuxnet in 2010 significantly altered the tone and intensity of the ongoing debate. Stuxnet, being an intricately designed program, likely required a considerable amount of time, advanced programming skills, and insider knowledge of industrial processes. Consequently, it stands out as perhaps the most costly malware ever discovered. Notably, it deviates from typical criminal malware behaviour by not stealing information or herding infected computers into botnets for launching additional attacks (Gross 2011). Instead, Stuxnet specifically targets Siemens' Supervisory Control and Data Acquisition (SCADA) systems, crucial for controlling and monitoring industrial processes. In August 2010, Symantec reported that 60% of the globally infected computers were in Iran, leading to allegations that the Iranian nuclear program suffered delays due to damaged centrifuges. The puzzle pieces suggest that one or multiple nation-states, with the 'cui bono' logic pointing to either the US or Israel, likely possessed the capability and interest to create and deploy Stuxnet with the intent of sabotaging the Iranian nuclear program.

This narrative, convincingly plausible, has transcended mere storytelling to become accepted as truth, despite the evidence for Stuxnet being a government-sponsored cyber weapon against Iran being purely circumstantial. It may never be conclusively determined who ordered the programming of Stuxnet, who executed it, and what the underlying intent was. However, such uncertainties are oddly irrelevant; what truly matters in this context is how states interpret and respond, as their actions and reactions shape political reality.

The ensuing reaction has seen an increasing number of states establishing or strengthening 'cyber commands,' specialized military units for cyber warfare activities. The mere possibility that one or more state actors were involved in creating the computer worm has raised concerns about the potential unchecked use of cyber weapons in both overt and covert military aggressions. While consolidated numbers are challenging to ascertain, there is a noticeable rise in expenditures on defence-related aspects of cyber security.

In line with strategic reasoning, several states have escalated their rhetoric. For instance, Iranian and Indian officials have publicly endorsed hackers working in the state's interest. The White House's 2011 International Strategy for Cyberspace asserts the United States' right to retaliate against hostile acts in cyberspace with military force. As cyber capabilities remain undisclosed through conventional intelligence-gathering activities, uncertainty and mistrust are on the upswing. The early indications of a 'cyber security dilemma' are evident, wherein most states primarily concentrate on cyber defence issues, yet measures taken by some nations are perceived by others as covert signs of aggression, likely fueling increased efforts to master 'cyber weapons.'

The foundation of cyberspace, the internet, was originally designed to be non-hierarchical, grounded in substantial trust, devoid of any privileged role for governments, and free from sovereignty or borders. Engineered into the very essence of this domain, these characteristics stand in stark contrast to the traditional, nationalistic military values advocated by Samuel Huntington in his classic work "The Soldier and the State." This misalignment is one of the reasons why the Department of Defense has encountered significant challenges in achieving success in cyberspace.

The dynamics of cyberspace and conflict are instigating fundamental shifts that both the military and society must overcome. The study of civil-military relations typically concentrates on the control or direction of the military by the highest civilian authorities in nation-states, a focus broad enough to encompass some of these changes but not all.

Distinct Challenges in the Cyberspace Domain

Firstly, cyber civil-military relations need to extend to encompass intelligence. Recent assessments depict cyber conflict as an intelligence contest, aligning with the historical and practical aspects of the U.S. military. Notably, the commander of U.S. Cyber Command holds a dual role as the director of the National Security Agency (NSA), functioning simultaneously as an intelligence professional and a manager of online military activities. The disclosure of NSA's electronic spying details by Edward Snowden exemplifies the explosive nature of political-military-intelligence tensions.

Secondly, senior military officers, historically reluctant to embrace new wars due to the perceived human cost, might favour cyber conflict over physical warfare, given its less hellish nature and the potential for situations to evolve beyond political control.

Thirdly, cyber conflict poses challenges to the military's preferences for civil-military relations. Some military leaders argue for less civilian oversight in operations, asserting that political leadership should determine the nation's enduring interests and when to engage the military, providing autonomy in implementing the strategy.

The U.S. military, engaged directly in cyberspace conflicts, has advocated quasi-wartime rules of engagement. With some viewing cyberspace as an active war zone, there is a push for fewer operational constraints to enable "defending forward" and "pursuing attackers across networks and systems."

However, the lack of clear boundaries between war and peace in cyber conflict poses a unique challenge. This perpetual engagement in a grey zone without a defined endpoint is articulated by Gen. Paul M. Nakasone, the commander of U.S. Cyber Command, who emphasizes the temporary nature of superiority in cyberspace.

In this environment, there is no exit strategy or definitive victory in cyberspace, leading to a continuous ebb and flow of operations and campaigns characterized by fluctuating national capabilities. Navigating the role of political control in an endless military conflict fought online, involving nuclear-armed rivals, adds an additional layer of complexity.

Fourthly, the culture within the U.S. military may downplay and misconstrue the significance of private-sector entities, which not only possess the majority of the domain but also wield considerable influence.

When Nakasone emphasizes that his cyber forces must "manoeuvre seamlessly across the interconnected battlespace, globally," he refers to systems that are typically owned by others, even though the Defense Department conceals this reality using the term "grey space" systems.

While the Defense Department possesses advanced capabilities, these are primarily focused on safeguarding government networks, conducting surveillance, or responding to cyber threats. These potent military tools lack the capacity to address internet-wide issues on a large scale (as companies like Microsoft or Google can), directly counter adversaries at scale (as done by companies like CrowdStrike or Mandiant), share intelligence at scale (as demonstrated by the Cyber Threat Alliance), or fortify essential infrastructure during attacks (as performed by companies like Cloudflare or Verizon).

These companies play a role akin to a supported command, not a supporting command. They possess the agility, subject matter expertise, and capability to directly shape cyberspace, swiftly resolving incidents decisively, often while the government is still deliberating on the appropriate course of action and agency authority.

In military strategies, the private sector is acknowledged not as the historically decisive force it has been but rather as a lower priority. This is evident in the strategic rankings, with the private sector placed fourth out of five in the 2011 strategy, and fifth out of five in both the 2015 and 2018 versions, as well as the U.S. Cyber Command Vision.