Crossing the Rubicon: When A Cyber Conflict Becomes A (Cyber) War
“Crossing the Rubicon: When A Cyber Conflict Becomes A (Cyber) War” featured:
- Dr Joseph Devanny, Lecturer in War Studies and Deputy Director of the Centre for Defence Studies, King's College London
- Mr Christian-Marc Lifländer, Head of the Cyber and Hybrid Policy Section (CHP), NATO
- Dr Monica Kaminska, Assistant Professor, Institute of Security and Global Affairs, Leiden University
- Mr Oleksandr Potii, Deputy Chairman, State Service of Special Communications and Information Protection of Ukraine
- Ms Andrea G. Rodríguez, Lead Digital Policy Analyst, European Policy Centre [Moderator]
Watch Crossing the Rubicon: When A Cyber Conflict Becomes A (Cyber) War
Rodríguez opened the panel reflecting on the past conversations on cyber security and emphasizing that definitions matter, as those help create limits, inform policy, and set the agenda for which priorities to address, with whom, and under what terms.
Potii gave an overview on what is happening in Ukraine with respect to cyber, and the border between cyber conflict and cyber war. With many cyber attacks every day, cities and public services are interrupted. In Potii’s opinion, the difference between cyber conflict and cyber war is when “the goal of cyber attacks become not material and financial goals, but social and political goals to destabilize the situation in countries and regions.” The political goals could be the disruption of local and national elections, while the social goals could be the creation of tensions. When hackers work toward political goals as often paid by the government, that is cyber war. When a government violates the publicly accepted norms - confidence building measures - in their behaviour in cyberspace, that is also cyber war.
Lifländer stressed the importance of starting with how to think about cyber, which will be important if one wants to do something about cyber, and the dichotomy between war and peace. “The closest that we have come to cyber war is strategic competition, where nations seek to gain an advantage…[with] profound implications for your capability development, for the kind of infrastructure structure you need, for the kind of training and education your people need,” he emphasized. With respect to what is then done about it, Lifländer highlighted Ukraine to show “it is possible to defend one’s self against an adversary as capable as the Russian Federation…the defender also has a role to play.” Resilience is important because a nation cannot “defend everything, everywhere, all of the time,” but you should be able to “suffer the blow and get back to action as quickly as possible,” said Lifländer. Lifländer closed with a discussion on the relationship with industry and the need to get out of one’s comfort zone: “we need to think through how we collaborate with industry…we will not be able to get it right without getting the modalities of the collaboration with industry right.”
Kaminska built on the Ukraine situation, “successful cyber defence is possible.” Continuing, “cyber capabilities are not all that useful tactically in war. Cyber Operations are more useful below that threshold of war for influencing political rather than military outcomes. The term strategic competition is particularly useful,” said Kaminska. Addressing the intentional psychological goals of cyber operations to create confusion, Kaminska warned how: “western governments find this a challenge to deal with. They try to assess the intent of these operations. that’s not always clear and then the responses to that are not always clear.”
Devanny suggested that “the point isn’t simply to understand conflict and competition in cyberspace, it’s to use that understanding to shape what happens next.” “There is a danger of the hyperbole - cyber armageddon, a hacking apocalypse, a digital Pearl Harbor…fixating on the catastrophic scenarios can undermine the extent to which you appreciate or recognize the debilitation effects, that the persistence of much lower level operations can have. The relationship between hyperbole and reality is something that is worth emphasizing or underlining. Improving EU cyber security, improving resilience, makes it harder for your adversaries to compete and to use cyber operations in conflict with you. It’s worth thinking about security and resilience alongside competition and conflict…and cyber diplomacy.” Devanny argued that “cyber diplomacy is arguably more difficult than it has ever been, but it’s also more important–even more important–than it has been.” Devanny then encouraged states to work together to identify and find those norms of responsible behaviour in cyberspace, while warning of the “dilemma of calibrating the effects of your operations,” including unintended, systemic, and second-order consequences of state-sponsored operations. Devanny closed by offering a conversation on what the building blocks of a responsible cyber power should be, recognizing systemic effects, consistency, and good faith.
Bringing together the various points made by the panel, Rodriguez summarized “cyberspace is an asymmetric domain in which capacities and capabilities play a role…what we are seeing is precisely this preparation and the work you do behind doors to ensure resilience.”
Rodríguez then asked the panel to address: “what can we do when it comes to international collaboration and cooperation? What can we learn from these lessons?”
Potii calls for a House of Cyber Resilience with a cyber culture ecosystem: “we need to build a really good cyber resilience civilian sector, cyber resilient private sector, and cyber resilient government sector.” Kaminska added: “the biggest lesson from this [Ukraine] war…is the power of information share and targeted intelligence disclosure. That’s been the real edge here.” Lifländer cautioned: “we need to get out of this ad-hockery. Collaboration is possible, partnerships are possible. We need to think it through. Everything we do left of the bang needs to become better. Going back to the strategic competition piece and how this domain is used, we need to do it all of the time. If cyberspace is always on, our collaboration needs to be always on.” “The key thing going forward…is the verb shaping. Shaping needs to take place at many different levels, including the political level, but also at the technical level with standards,” said Lifländer. He emphasized that NATO is “a bit late to the game - we need to think 10 to 20 years ahead about what kind of technology, products we want” and what incentives this provides to industry with the purchasing power of government. Devanny referenced the past: “we have learned that defenders are not defenceless, especially when they have very active partners.” He added that, “achieving effects in cyberspace is hard, it is difficult to coordinate delivering effects in cyber and non-cyber operations that are aligned. There are often better ways at achieving effects than cyber operations.” Looking at finite resources, Devanny touched upon the hard decisions being made about investments in cyber: “you can’t cyber your way across a river, but cyber is important and will be increasingly important.”
During the Q&A, Nikolas Ott, Microsoft, posed a question to the panel about mindsets vs. reality: “how much are we getting this narrative across to the ones who reconsider how we approach this environment?” Lifländer was reflective: “our thinking evolves together with the domain…there is hesitancy in coming up with the answer, with the silver bullet that we have it now.” Kaminska gave encouraging data: “these concepts are filtering through…these concepts are used, it is generally accepted. The reaction you get ‘this is obvious - below the threshold of war is where cyber matters most at the most basic level.’ There is that shared understanding.” Devanny touched on the role of academics in trying to achieve public policy impacts, while “on the practitioner side, the conversation about cyber strategy is a lot richer. There is a lot more of it than there was ten years ago.” Potii explored the motivation driving hackers, the stealing of personal information, and government attacks, as well as how to prevent this motivation through sanctions and other measures. Those in attendance then transitioned into their Break-Out Groups.
