Cyber struggles9 August 2023
As military investment in cyberwarfare explodes, some analysts and experts are fi nding that cyber may be of limited use when it comes to deterrence and coercion, even as bad actors like China and Russia seek make full use of it to push their objectives forward. Nicholas Kenny looks into recent reports that ask whether or not expectations have been set too high in this area.
The world grows more and more dependent on digital technologies every day. But, as it does, so too does it become increasingly vulnerable to bad actors. Over the past decade or so, militaries around the world have embraced the task of adapting to this new frontier, and recent conflicts – such as the Russian invasion of Ukraine – has seen the importance of this theatre of war blow up.
Nations around the world have taken up aggressive cyberattacks to help further their interests, but few have done so with as much vim and vigour as Russia. Gavin Wilde, senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, said in a December article that, in many ways, February 2022 was the culmination of “one of the most long-running and extensive information assaults by one state on another in history”, going as far to consider Ukraine as “Russia’s testing ground for offensive cyber and information operations – primarily to wage political warfare”.
Prior to that culmination, however, Moscow carried out a number of offensive cyber operations geared at weakening Ukraine and its allies throughout Europe. In 2016, Russia launched one of the most damaging cyberattacks in history, aimed primarily at Ukrainian companies to disrupt the nation’s financial system as it waged war against Russian-backed separatists.
This virus, NotPetya, took its name from its resemblance to the criminal ransomware Petya, which extorted victims by demanding they pay for a key to unlock their hacked files. While NotPetya also sent a ransom message, this was a misdirection – regardless of payment or not, no such key existed to unscramble the encryption. The goal of this malware, then, was purely destructive, irreversibly bricking its victims’ computers. Ultimately, the virus wreaked more than $10bn in total damages, according to former Homeland Security adviser Tom Bossert, who at the time of the attack served as President Trump’s most senior cybersecurity-focused official. NotPetya hit at least 300 companies in Ukraine, and one senior government official estimated that 10% of all computers in the country were wiped by the virus.
All of this goes to show that the danger that cyber poses the modern world is both present and tangible. The US’s March 2023 ‘National Cybersecurity Strategy’ report, authored by the Office of the National Cyber Director, highlighted the threat posed by malicious cyber activity encompassing everything from espionage and intellectual property theft; damaging attacks against critical infrastructure; and cyber-enabled influence campaigns designed to undermine public trust in the very foundation of democracy.
Previously, such abilities would only be available to a small number of well-resourced countries, but today these tools are widely accessible, empowering countries that in the past might have lacked the ability to harm US interests. The ‘National Cybersecurity Strategy’ report highlights the governments of China, Russia, Iran and North Korea and their “revisionist intent” as the greatest source of cyber threats to US national security and economic prosperity.
Of these nations, China undoubtedly represents the biggest challenge to US interests. With potential conflict looming with the US over Taiwan, the US intelligence community’s ‘2023 Annual Threat Assessment’ states that Beijing would “almost certainly consider undertaking aggressive cyber operations against US homeland critical infrastructure and military assets worldwide”, if they felt that war was “imminent”. Such a strike would be designed to deter US military action by impeding decision making, inducing societal panic and interfering with the deployment of US forces.
Europe, on the other hand, face a belligerent Russia on its doorstep, which is more likely to be of concern in the immediate future. With that said, Russia’s cyber activity surrounding the war fell short of the pace and impact expected, according to the US Department of Defense, though it conceded that Russia will remain a considerable cyber threat – noting that Russia “views cyber disruptions as a foreign policy lever to shape other countries’ decisions”.
Indeed, prior to the invasion of Ukraine, cybersecurity expert Jason Healey hypothesised in a January 2022 article in War on the Rocks that a cyberattack in Ukraine that wiped all the data on affected machines – as opposed to stealing data from them – could result in a “psychological shock to the public and to decision makers” that could successfully “coerce the US into backing down”. Other coverage run by War on the Rocks at the time warned of the potential for Russia to use cyber tools to cow Ukraine into submission.
Limitations of cyber coercion and deterrence
In the face of these bad actors, whether they be criminal efforts or those of foreign governments, militaries have moved to keep up, investing more and more money into developing their cyber capabilities. The US alone announced in June 2022 that it was allocating $15.6bn for cybersecurity over the fiscal year 2023. The UK, similarly, has made its intentions in this area clear. On 4 April 2023, its National Cyber Force published the report ‘Responsible Cyber Power in Practice’, where it stated that the UK government believed it “cannot leave cyberspace an uncontested space where adversaries operate with impunity”. Earlier, in the Integrated Review 2021, the UK announced its intention to possess cyber warfare capabilities for use in furthering its interests.
However, for all the danger that cyberwarfare poses to today’s society, its effectiveness for deterrence and coercion in military terms is up for debate. NotPetya was certainly an incredibly damaging piece of malware, but how successfully did it further Moscow’s objectives? The cyberwarfare it ran against Ukraine has gone on for nearly a decade, and yet Russia’s invasion could hardly have gone worse. Similarly, the unpredictable nature of cyber was shown in full effect through NotPetya, as it would eventually spread back to Russia – striking at Rosneft, the state oil company, as part of its global tour of chaos and disruption.
The amount allocated by the US government for cybersecurity over the fiscal year 2023.
With this in mind, some experts and analysts are beginning to voice notes of caution over cyber’s potential, pointing out that its coercive abilities – to force or convince other nations or bodies to concede to specific objectives – are hampered by a number of factors, such as its limitations in generating costly effects; its inherent unpredictability, which makes it difficult to cause a desired effect to take place in a specific place at a specific time; and that signalling intention to use cyber capabilities can undermine their effectiveness. What’s more, it’s becoming clear that cyber’s efficiency plummets in wartime, with target nations now prepared for and anticipating such attacks. “Even the most sophisticated cyber and information operations are simply more impactful and resonant in periods of relative peace than they appear to be amid the violence, destruction and ops tempo of a military campaign,” Wilde noted, speaking on the challenges Russia has faced since the start of the Ukraine invasion. “The most advanced military cyber forces are still wrestling with how to effectively integrate them.”
At the same time, this lack of effectiveness is often beside the point for many leaders, who turn to cyber specifically for some of the reasons that make it less impactful. For one, it can be used as a coercive tool without risking escalation – unlike a physical troop presence, for example. At the same time, leaders can point to it and say that action is taking place, without risking lives or much in the way of costs.
It’s worth noting that proponents of cyber’s coercive potential expect it to be more potent than conventional tools that commonly fail, which is rarely the case. Erica Lonergan, assistant professor in the Army Cyber Institute at West Point, and Michael Poznansky, associate professor in the Strategic and Operational Research Department, discuss this issue in a May 2023 article in War on the Rocks. They note that by “placing disproportionate faith in a fragile and ephemeral capability, [cyber supporters] overlook the fact that coercion of all kinds often fails”.
Should China choose to use its cyber capabilities to launch attacks on US military and civilian infrastructure to deter it from stepping in on any potential conflict with Taiwan, then, it’s hard to see it having the desired effect. Indeed, it may be more likely to rally the American public against China than to divide it – just as we’ve seen across Europe after the past decade of Russian cyber aggression. That’s not to say, however, that Beijing won’t choose to go down this road anyway – there aren’t many alternatives it can take to strike at the US directly without risking escalation.
Importance of pragmatism
As a result, even if cyber’s potential for successful coercion and deterrence is limited, the potential for widespread disruption still demands that nations in the West continue to invest in cyber defence resiliency. It’s clear, too, that the appetite for offensive use of cyber is still good and strong within the US – the 2023 National Cybersecurity Strategy called on the US to conduct “disruption campaigns” on an ongoing basis. Similarly, the concept of “integrated deterrence” formed a core aspect of the 2022 National Defense Strategy, which sees offensive cyber operations as one of many factors of intimidation against potential opponents.
For Lonergan and Poznansky, future US cyber strategies should be more explicit not only about the benefits of cyber but also its limitations. They cite the UK’s National Cyber Force ‘Responsible Cyber Power in Practice’ white paper regarding the challenges around offensive cyber operations – notably, the limited evidence that cyber can be a “primary contributor to deterrence” and the difficulties around measuring the effect of covert operations, noting “it can sometimes be difficult to say definitively that a particular outcome was the result of particular operations”.
Realism, then, is the goal for leaders looking to truly integrate cyber capabilities into their nation’s military toolbox. Cyber can still be an effective tool, over insights that can inform and enhance non-digital forms of coercion and deterrence. Some leaders will continue to use cyber as a coercive tool directly, though likely as just one option in a repertoire.
“There remain questions over the role of cyber operations as part of modern deterrence,” the ‘Responsible Cyber Power in Practice’ report states. Despite these queries, however, and the various challenges in place, even those most sceptical of the benefits of cyber for offensive operations accept that it will continue to play a role in some form or other. The key, then, is to engage with these issues while still offering a robust vision for the future of cyber – just make sure to reign in your expectations.