Targeted cyber strikes are faster, cleaner, cheaper, less risky, and more stealthy than conventional military and intelligence operations. Who can conduct such technologically advanced attacks? What are the targets? Is there a legal framework for using them, and how significantly do they really affect the larger debates on regional and global peace and security? What are the parallels that can be drawn to other fields, such as nuclear proliferation? These and many other questions provided the context for conversations between cyber security analysts and policymakers at this year’s 9th annual Lennart Meri Conference (LMC) held in Tallinn, Estonia on 24-26 April and entitled “The Limits of Order.”
States on every continent have been building up their offensive cyber capabilities in the shadows for many years. Recently, some have become more open about the means and methods at their disposal. Already in 2012, the Netherlands Ministry of Defense published a cyber strategy in which it declared that it is “developing the military capability to conduct [offensive] cyber operations.” This year, China officially confirmed long-standing suspicions and allegations about its own offensive cyber capabilities. The United States’ Director of National Intelligence, James Clapper, has identified cyber as one of the nation’s top risks and named Russia, China, Iran, North Korea, and terrorists as the threat actors with the greatest existing and potential capabilities.
In cyberspace, however, states are just one part of the equation. In his LMC panel discussion with ICANN vice president Jean-Jacques Sahel, Estonian president Toomas Hendrik Ilves drew attention to the rather “unique public-private partnership” between certain states and organized criminal groups for conducting offensive cyber operations. There is also an increasingly active marketplace for previously undiscovered and unused (“zero-day”) vulnerabilities and exploits that is of interest to corporations, hackers, and nation-states alike. Various private companies, such as Crowdstrike, Mandiant, and others, are delving into the lucrative emerging market of cyber threat intelligence. Furthermore, low-level denial of service and defacement attacks are perpetrated daily by a dizzying array of hacktivists, terrorists, and other individuals & groups. These, as President Ilves rightly points out, are nothing but cyber vandalism; indeed, they are often used to distract defenders from the real danger, which lies with the confidentiality and integrity of data. However, how does all of this affect overall security, both globally and in the Nordic-Baltic region?
At LMC, several experts participated in a breakfast session entitled “Offensive Cyber: Necessary Evil or Pandora’s Box?” They drew attention to, among other factors, the dangers associated with an ongoing global cyber arms race, the low entry barriers to developing offensive cyber capabilities, the (decreasing, yet still considerable) challenge of accurate attribution, and the dangers of miscalculation & escalation in cyberspace. According to one participant, there is also an emerging trend of “offense-as-defense”, where passive, technical methods of cyber security are considered insufficient, and where some states have begun to conduct offensive operations for the purpose of attribution as soon as they identify attacks on their own systems. Another panelist pointed to the increasing integration of cyber tools and expertise with conventional capabilities for the purpose of information warfare. The example that was used in this context was the occupation and annexation of Crimea, where units of so-called “little green men” with embedded tech experts assaulted the headquarters and infrastructure of Internet service providers (ISPs), skillfully cutting off communication channels with Kyiv. Another dramatic example of using offensive cyber operations for propaganda and information warfare purposes took place during the 2014 Ukrainian presidential elections. In that case, malware implanted in Ukrainian government servers nearly caused electoral systems to announce incorrect results depicting the victory of the far-right presidential candidate. Interestingly, the malware was identified and removed less than an hour before the announcements but the state-run media channels of a certain neighbor carried news of the exact same results that the malware was programmed to convey.
Clearly, cyber capabilities and the doctrines for using them have been developed for many years, largely outside of the public eye. Attacks are continuing to grow in terms of both sophistication and frequency. However, with increasing knowledge and transparency, is there also a greater chance for peace and stability in cyberspace? In the spirit of the title of this year’s Lennart Meri Conference, “The Limits of Order,” panelists also discussed the potential of norms of responsible state behavior to avoid escalation and improve trust among state actors in cyberspace. The state of play in this domain appears to be in the beginning stages, much like nuclear policy discussions were in the 1950s. Despite the efforts of Estonia and many others interested in self-restraint, rule of law, and stability in cyberspace, many states currently seem unwilling to compromise in terms of applicable international law or to refrain from developing and using these capabilities. In other words, while discussions on imposing legally binding limits to the use of offensive capabilities will continue, most likely so will the leveraging of these capabilities for political and strategic advantage in international relations. Those actors that are hoping to be successful in the cyber era will need to devote their strategic resources not just to perimeter defenses and international law but also to resilience and deterrence.