When asked what his goal was for the 1815 Waterloo Campaign, the Duke of Wellington famously answered “Why, to beat the French”. By French he meant Napoleon, and by beating him he meant defeating him for good, so that Napoleon could not pose a threat to European states any longer. A violent, physical conflict (kinetic conflict) was the most effective means to achieve this goal. Fast-forward two hundred years, now it’s China vs USA, and the domain is cyberspace, where China has been launching attacks against the USA for at least four years, attempting to acquire information from American companies and governmental offices. The USA would of course like to stop the cyber attacks, and the best response in this case is not conflict but a diplomatic move: the American and Chinese presidents meet and define bilateral agreements to stop state-run cyber attacks between their two countries. Neither of the actors wins or loses this conflict, both solve it.
The Waterloo example highlights the relation between political power and conflict. Historically, the capability of a state actor to win a conflict has been equated with its ability to gain or maintain political power. This equation can be read minimally – the capability to win a conflict is a necessary condition to gain or maintain power – or maximally – the capability to win a conflict is a necessary and sufficient condition to gain or maintain power. When considering cyber conflicts and the dynamics of cyberspace, this equation, even the minimalist reading, no longer holds true. There is, indeed, a strong relation between cyber conflicts and political power, but it differs from the one linking kinetic conflicts and political power.
As the China vs USA cases indicates, in cyberspace powerful political actors are those able to resolve, more than win, conflicts. In cyberspace, one may defend against a cyber opponent, or even disrupt its attack, but very rarely it is possible win a cyber conflict in the way the Duke of Wellington won the Waterloo Campaign. For one thing, the opponent may remain unknown. And even when attribution is not a problem, winning a cyber conflict may not mean crippling the opponent’s resources to make sure that it would not come back again. Victories in cyberspace are tactical. They are about blocking this attack or that threat, more than achieving long-term, strategic goals. For this reason winning a cyber conflict does not result in the winner gaining political power, nor does losing a cyber conflict really compromise the authority of an already powerful actor in cyberspace.
This is not tantamount to saying that cyber conflicts do not pose serious threats, quite the contrary. Indeed, cyber conflicts pose serious risks of escalation, which may undermine national security and jeopardise international stability as stressed, for example, by NATO, the G7 countries, the UN Institute for Disarmament Research, the UK Government, and the US State Department.
Escalation is already happening. In 2016, cyber attacks increased from 480 million to 1.6 billion, a massive increase in frequency. It is reasonable to expect these numbers to continue to grow given the progressive weaponization and militarisation of cyberspace, as well as the reliance on malware for state-run cyber operations (like Titan Rain, Red October, and Stuxnet). State-run cyber attacks have been launched for the purposes of espionage and sabotage since 2003. Well-known examples include Titan Rain (2003), the Russian attack against Estonia (2006) and Georgia (2008), Red October targeting mostly Russia and Eastern European Countries (2007), Stuxnet and Operation Olympic Game against Iran (2006-2012). Over the last twelve months, a new wave of state-run (or state-sponsored) cyber attacks ranged from the Russian cyber attack against a Ukrainian power plant, the Chinese and Russian infiltrations US Federal Offices, and the Shamoon/Greenbag cyber-attacks on government infrastructures in Saudi Arabia, to the cyber attacks against the Qatar national press agency.
The escalating trend will continue. In a recent report, MarketsandMarkets indicated that the cyber security market will grow to $170 billion by 2020. This risks the progressive militarisation of the cyber domain, a cyber arms race and competition for digital supremacy, which increases the possibility of new conflicts. The relatively low entry-cost and the high chances of success mean that states will keep developing, relying on, and deploying cyber attacks. At the same time, the ever more likely AI leap of cyber capabilities – the use of AI and Machine Learning techniques for cyber offence and defence – suggests that cyber attacks will escalate in frequency, impact, and sophistication.
Escalation follows from the nature of cyber attacks and the dynamics of cyberspace. Non-kinetic cyber attacks – aggressive attacks that do not cause destruction or casualties – cost little in terms of resources and risks to the attackers, but they have a high chance of success. This makes even the most sophisticated cyber defence mechanisms ephemeral and, thus, limits their potential to deter new attacks. Cyber defence is porous by its own nature: every system has mistakes or bugs (vulnerabilities),and identifying and exploiting them is just a matter of time and determination. As Harknett and Goldman stressed in The Search for Cyber Fundamentals, the low-costs of attacks and the ephemeral nature of defence create an environment of persistent offence, where attacking is tactically and strategically more advantageous than defending.
It’s a vicious cycle: cyber attacks and the cyber arms race feed one each other. Together, they foster an environment of persistent offence, and pose serious threats to the stability of cyberspace and, in turn, to the security and the peace of information societies. Where offensive strategies have failed to break this cycle, political solutions must succeed. To this end, coercive (military and non-military) means, technical solutions, alongside to diplomatic inducements, all need to be put in place to solve the underlying frictions and define new equilibriums that can guarantee international stability and avert the risks of more dramatic conflicts. This will be one of the marks of political power in information societies.
Powerful political actors will be those able to solve cyber conflicts and, by doing so, shape the international arena. Cyber conflicts will continue to be waged, because they cost so little and have good chances for success. For this reason, the ability to win a cyber conflict doesn’t say much about the political power of the defender or the attacker. Instead, real power lies in the ability to shape the international arena by creating a political agenda, super partes institutions, norms, and treaties that make engaging cyber conflicts more hazardous in political, economic, and strategic terms – all that will distinguish powerful political actors from non-powerful actors in information societies.
Translating this into practical guidance, powerful actors in information societies will be those able to (i) convene agreement about international norms, (ii) verify states’ compliance with the norms at an international level, (iii) launch investigations into suspected state-run (or state-sponsored) cyber attacks to determine responsibility, (iv) expose breaches of the norms and the sources of illegitimate cyber attacks, and (v) impose adequate sanctions and punishments. Achieving (i)-(v) necessitates the coordination of intelligence, political, and diplomatic capabilities, and extremely advanced technical skills, as well as the authority and apparatus to enforce sanctions and punishment. These five capacities define a politically-loaded mandate for an authority that will have a deep impact on international relations and geo-political equilibriums.
Such an authority is not a utopian fantasy. For example, (i)-(v) resonate perfectly well with Article 26 of the UN Charter, which defines the mission of the Security Council:
“… to promote the establishment and maintenance of international peace and security with the least diversion for armaments of the world’s human and economic resources, the Security Council shall be responsible for formulating, with the assistance of the Military Staff Committee … plans for the establishment of a system for the regulation of armaments.”
Indeed, the UN Security Council has the necessary resources, the political and coercive power to successfully deliver (i)-(v). The time has come to embrace this power to consolidate and enforce an international regime of norms to deter cyber attacks and limit a cyber arm race, while fostering peace. Problems, mistakes, and even failures – like the recent failure of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications to agree on norms, rules, and principles for a responsible state’s conduct in cyberspace – are to be expected, but they must not hinder the process. The alternative is a militarised cyberspace, threatening rather than fostering the flourishing of our societies.