This week, the EU’s defence ministers took part in EU CYBRID 2017, a 1.5-hour table-top exercise of strategic level responses to cyberattacks against EU’s missions.
While a detailed scenario of the exercise has not been disclosed, according to media reports ministers answered multiple-choice questions on an online platform. Why? The purpose of the exercise, according to an Estonian government official, was to raise awareness of the possible repercussions of cyberattacks for EU military structures, and to train the coordination of crisis response measures, including strategic communication messages.
ICDS director Sven Sakkov underlined that the EU should “be much more worried” about the integrity of operational command and control systems. Indeed, if commanders lose confidence in these systems, what are their response options? What decisions are needed at the strategic political and military levels, and what should be the public message to citizens? Even if mission support systems are under cyberattacks commander must have a degree of confidence in them, and they must trust that dependencies on commercial critical infrastructure (e.g. electricity and energy supply, data communication, and transport systems) or on partners’ networks do not hamper the achievement of mission goals and objectives.
In June the EU developed options for political responses to cyberattacks, its so-called cyber diplomacy toolbox; and the Commission will soon propose an increase of investment in the cybersecurity industry (including quantum computing-based encryption), as well as improvements to its technical attribution capabilities regarding cyberattacks and at expanding cross-border law enforcement cooperation, among other measures aimed at strengthening EU’s cyber resilience. According to NATO Secretary General Jens Stoltenberg, NATO and the EU must further bolster cooperation in cyber security. Such cooperation is already improving, as demonstrated by the fact that this year the EU will participate in NATO Cyber Coalition exercise as a full-fledged player, or that the two organisations will hold a joint cyber defence seminar on 2-3 November in Tallinn.
Given that NATO is preparing to fight in cyberspace just as it is in other military domains such as air, land, and sea, and that the membership of two organisations largely overlap, the militaries of the EU and NATO countries would benefit from jointly planning to defend themselves in and through cyberspace. However, this is challenging. There have been few publicly reported cyberattacks against militaries; commanders lack real-life experience in responding to cyberattacks. Realistic strategic level decision-making and technical cyber defence execrcises would help to attain needed experience. In addition, militaries are still determining answers to conceptual questions on how cyberspace differs from traditional warfighting domains and operational planning concepts such as “area of responsibility”, “joint operations area”, etc. Morover, it is difficult to ascertain all of the effects of cyberattacks on a given military mission, or the extent to which such a mission depends on embedded information technology and cyber assets. As the outcomes of cyberattacks remain uncertain and unpredictable, how is it possible to plan military operations based on uncertain effects?
Even though cyberattacks in modern conflicts will continue to be only one of many other military and non-military facets to address, military and political decision-makers in the EU and NATO countries need to understand better the complexities surrounding possible cyberattack scenarios when it cannot be ascertained with high confidence who is attacking, what is the effect of the attack, and what are the legal, technical, and political consequences of the courses of action that they need to evaluate and decide upon within a relatively short timeframe. What if a given response will increase the risk of escalating the conflict into a kinetic attack from an opponent? As the Estonian organisers of CYBRID 2017 explain it, there were no right or wrong answers in the exercise; however, after personally participating in this exercise, hopefully defence ministers at least now have a better understanding of the various challenges related to responding to cyberattacks against the military structures and operations.