Cyberwar and Strategy

A global cyberwar is under way. Such a cold war—or cold peace—has never happened in history.

A great war is always preceded by a long process of increasing international tension, an arms race, limited wars or proxy wars. Such warning signals do not mean that the probability of an outbreak of a world war or regional war is 100 percent, but they do mean that the probability is rising.

International groups and networks of hackers are replaced increasingly often by new, specialized sections of the armed forces and intelligence agencies of particular countries.

You can see many warning signals in 2018. Political-military signals include the war in Syria—where a thin line separates the armed forces of Russia and the United States—and the testing of NATO’s air defense by Russia. They also include the building of military bases by China on internationally disputed islands in the South China Sea, where a thin line divides Chinese and American forces. An arms race—embracing weapons systems aimed at projecting force and strategic deterrence—develops between the US and the whole NATO on the one hand and Russia, China and other countries on the other. Regional arms races are under way in the Far East and Middle East. A political-economic warning sign is the trade war of the US against the rest of the world, even its closest allies in Europe, East Asia, and North America.

Beyond these clearly visible signals reminiscent of the past—especially the 20th century—other signals appear in a new, mostly concealed, and often underestimated strategic space: in cyberspace. This is where the tensions are the greatest. A global cyberwar is under way, with a limited, but not negligible intensity. International groups and networks of hackers sometimes serve as proxies, but they are increasingly often replaced by new, specialized sections of the armed forces—units and commands—and intelligence agencies of particular countries.

The time has come for another great debate about strategies—about cybernetic strategies, cyberwar, and cyberpeace. You may not be interested in cyberwar, but cyberwar is already interested in you.

The least known publicly are probably the details of the arms race in cyber-weapons—but we know that such an arms race is going on. Publicly known and debated are strategic options and especially cyber-deterrence— based on the ability of cyber-retaliation—and cyber-resilience. Such a cold war—or cold peace—has never happened in history.

The last broad-ranging debate on military strategy regarded anti-terrorist strategies, especially since 2001. Previously, during the Cold War since 1940s through the 1980s, nuclear strategies were the subject of a long debate—the largest in the history of strategic practice and theory since the 20th century until today. The time has come for another great debate about strategies—about cybernetic strategies, cyberwar, and cyberpeace. You may not be interested in cyberwar, but cyberwar is already interested in you.

A Moderate Intensity World War

Despite its moderate intensity, the current cyberwar has large-scope targets: controlling global cyberspace and more generally global information space, and through it controlling the world, like in the Cold War and the hot world wars. In the direct experience of NATO, these wars started in 2007 with a massive cyber-attack on the smallest state of the eastern ank—Estonia, probably treated by Russia as a testing ground. Soon after, in 2008, there was the first massive cyber-attack on the largest state of the North Atlantic Alliance—the United States.

But cyberwar is so different from all earlier wars in that its outbreak, and later development and escalation, remain widely underestimated. The parties of the global cyberwar include at present the strongest powers of the 21st century: the US with NATO and the European Union, China, and Russia. Also US allies from outside Europe and North America take part, especially Israel. North Korea attempts to join the group of cyber-powers, just like it enters the elite league of possessors of nuclear weapons and intercontinental ballistic missiles.

The parties of the global cyberwar include at present the strongest powers of the 21st century: the US with NATO and the European Union, China, and Russia.

The escalation of the global cyberwar accelerated in 2014—the same year when NATO recognized cyber-attacks as armed attacks, for the first time adapting its strategy to the challenges of cyberspace. The great Chinese cyber-attacks are the most systematic and intended at long-term effects; their aim is to gradually accumulate a massive amount of information about the world as one of the pillars of controlling it.

A Cybernetic Pearl Harbor

In 2014, cyber-attacks allowed China to acquire protected personal data of almost all among more than 20 million current and former officials, employees, soldiers, officers, agents of American federal authorities, and people attempting to enter such work or service. They also acquired data of employees working for companies providing the US authorities with products—for example arms and military equipment—or services, including research and consulting. So along with information about Americans, China probably also has information about citizens of other countries—especially allies and partners of America.

The intercepted data have not appeared in the media or on the market, which proves they were taken over by the Chinese state. They regard ethnicity and race, family and social life, education, economics, lifestyle, and law, they are biometric, medical, and so on. They make it possible to predict the behavior of people, communities, and institutions, steal identities, manipulate people, and destroy troublemakers. The takeover of this data by China has been called a cybernetic Pearl Harbor and a cybernetic 9/11.

Then, in 2015 and 2016, China launched the first comprehensive cyber-attack on the foundations of the Internet infrastructure—the basic servers, on the logical level located mostly (but not exclusively) in the US and on the physical level dispersed across the world. The aim of the attack was to test the resilience of the whole Internet and the method used was overfill, that is blocking access channels with the use of thousands or millions of computers and other devices (the method known as Distributed Denial of Service Attack, DDoS). The cyber-attack was not aimed at direct destruction, but at preparing for such an option, which need not but may be used in the future. It set off all the defenses, so it made it possible to discover or review their number, location, quality, and capabilities. This is a strategically invaluable knowledge about cyberspace—just as strategically invaluable is the knowledge about people acquired through controlling the cyberspace.

The intercepted data make it possible to predict the behavior of people, communities, and institutions, steal identities, manipulate people, and destroy troublemakers.

The Next Potential Decisive Strategic Sphere

The largest Russian cyber-attacks—and comprehensive cyber-campaigns—were intended at a direct and rapid effect. In 2016, Russia launched cyber-attacks with the most wide-ranging political aim in history: the takeover of power in other countries through influencing the democratic process of electing their authorities. The most important here were cyber-attacks against the elections of the US president—the most powerful political position in the world—and the elections to the American Congress. One of the methods revealed was stealing documents and other secret or classified information in cyberspace and then their selective publication, sometimes in a distorted version. So cyberspace made it possible to greatly increase the scale and effectiveness of a method originating from pre-computer era. In 2017, Russia attacked the electoral process in a number of European NATO countries, including France and Holland, which proved more resilient to cyberwar, also because they had learned from American mistakes. The cyber-campaign striking at elections in NATO countries was of an unequivocally belligerent and military nature—it was conducted mostly by the Russian military intelligence GRU, an integral element of Russian armed forces, specialized, among other things, in disinformation.

The cyber-campaign striking at elections in NATO countries was of an unequivocally belligerent and military nature—it was conducted mostly by the Russian military intelligence GRU.

Cyberspace has become the next potential decisive strategic sphere— after land, sea, and airspace including outer space. The theory of a decisive strategic sphere, at that time the global ocean, was created in the 19th century by the American admiral and strategist Alfred Thayer Mahan in his book The Influence of Sea Power Upon History, 1660-1783. He proclaimed that who controlled the global ocean controlled the world. Technological and cultural changes gradually replaced the global ocean with the global Internet and other computer networks. The claim about the central and key role of information in war is not new but renewed—it was emphasized by the Chinese general and strategist Sun Zi in his Art of War as long as 2500 years ago. Cyberwar is the return to the origins of war.

Cyberwar and Nuclear War

Cyber-weapons have the characteristics of weapons of mass destruction. The effectiveness of cyber-weapons if not their physical destructive power, is in all probability already higher than the effectiveness of the three classic WMDs: nuclear, chemical, and biological. But there are also profound differences. In every physical space there is a high divide separating conventional weapons—using only kinetic and thermal energy—from all weapons of mass destruction. This divide makes for the uniqueness of nuclear deterrence and increases its effectiveness. Conventional deterrence is an important but secondary and always weaker supplement of the nuclear one. In cyberspace no clear divide exists—there is a continuity between small, moderate, and large cyber-attacks. This makes an unlimited escalation of cyberwar easy.

New technologies generate new concepts and new strategies. Nevertheless, the majority of currently developed strategies of cyberwar are modified continuations of older concepts, connected above all with the strategy of nuclear war. The concept of cyber-deterrence, modelled on the basic concept of nuclear strategy, attracts most attention and breeds most controversy today. There is another concept of nuclear provenience—less controversial and more frequently used in practice: the resilience to cyber-attacks, to use NATO terminology. Absolute cyber-resilience would be a counterpart of an absolutely impenetrable anti-missile and anti-airstrike shield—the unrealized American Strategic Defense Initiative from the 1980s, meant to provide the United States and its allies with a resilience against carriers of nuclear weapons. The strategic shield project expressed a belief in the superiority of static defense over dynamic attack, contrary to the theory and history of wars.

The effectiveness of cyber-weapons, if not their physical destructive power, is in all probability already higher than the effectiveness of the three classic WMDs: nuclear, chemical, and biological.

In fact, the strategy of deterring the enemy with a retaliation threat in cyberspace is reluctantly and rarely accepted. What prevails is the fear that an exchange and especially escalation of retaliatory strikes—probably many in close alternation, without any certainty that one of them would be decisive—would cause unpredictable destruction and chaos all over the world, including victorious states and alliances.

Offensive Cyber-Weapons Already Exist

The unpredictability of the effects of cyber-retaliation—much bigger than for nuclear retaliation—makes it difficult to introduce cybernetic counterparts of such nuclear strategies as the American Mutual Assured Destruction, MAD, stabilizing the nuclear relations of the US and the whole NATO with Russia (formerly with the Soviet Union and the Warsaw Pact), and the French strategy of proportional deterrence, also used by some other countries whose potential is unequal to the potential of their adversaries. Since NATO regards cyber-attacks as armed attacks, it can respond with any measures and in all strategic spheres and operational domains, also outside cyberspace. The North Atlantic Alliance reacted to the emergence of large cyber-threats with classic strategies of nuclear and conventional deterrence, but has not created a separate, new strategy of cyber-deterrence. It chose a strategy of defense, especially through cyber-resilience.

The majority of currently developed strategies of cyberwar are modified continuations of older concepts, connected above all with the strategy of nuclear war.

Offensive cyber-weapons already exist, and may be used for attacking first or retaliating. In 2007-2010, the United States and Israel used the Stuxnet program against Iranian nuclear facilities; the program is the first revealed cybernetic weapon in history capable of an autonomous search for targets in the global cyberspace and causing major physical destruction outside cyberspace. America is gradually becoming offensive in cyberspace—it increasingly often uses cybernetic counter-attack in response to a cyber-attack, in accordance with its strategic culture. It is more ready to take risks than the North Atlantic Alliance as a whole. Good and universal strategies of cyberwar for North Atlantic countries have not yet emerged.

A Challenge for NATO and the European Union

The North Atlantic Alliance is adapting to the new reality increasingly fast. Recognizing—at the Newport Summit in the United Kingdom in 2014—cyber-attacks as a form of armed attacks covered by Article 5 of the North Atlantic Treaty was the first major step. It was also the first-ever change of the official interpretation of this key article about collective defense. The second step was taken at the Warsaw Summit in 2016—NATO added cyberspace to its operational domains besides the land, the sea, and airspace (practically continuous with cosmic space). The agreement about strengthening cooperation in cyber-defense—as well as in many other areas—between NATO and the European Union was also signed during the Warsaw Summit. The third step was made by the North Atlantic Council and the ministerial meeting in the autumn of 2017: it was decided to establish the Cyber Operations Centre as part of the NATO command structure.

A continuation is needed. A strategy of cyberwar should be developed and include NATO’s next Strategic Concept. The current document, announced in 2010, needs updating not only because of cyberwar but also because of Russia’s new policy and strategy and many other changes in the world. Likewise, a strategy of cyberwar should be included in the future military strategy of the European Union. The current one, the EU strategy of foreign and security policy adopted in 2016, says a lot about cyber-threats and cyber-security, but nothing about cyberwar.

The European Union may not be interested in cyberwar, but cyberwar is already interested in the European Union. In the spring of 2019, there will be elections to the European Parliament, which approves or rejects the composition of the European Commission: it is yet another democratic process of choosing the rulers that is sensitive to cyber-attacks.