Last week I attended the third International Cyber Operations Symposium (ICOS) in Amsterdam. The symposium was organised by the Dutch Ministry of Defence, with a mix of military and civilian delegates. The symposium was held under the Chatham House Rule, so I am free to speak about what was said, but cannot attribute it to who said it. The symposium offered an interesting insight into how the military thinks about cyberspace.
The symposium kicked off with a welcome speech by Lieutenant Admiral Rob Bauer, Chief of Defence of the Armed Forces of the Netherlands. (As the text of his speech is put online by the ministry I am actually able to attribute to him whatever he said.)
Cyberspace is recognised as the fifth operational domain, alongside land, sea, air and space. Cyberops, i.e. military operations in cyberspace using cyberweapons (they do love the word cyber...), should be an integral part of normal military operations. Otherwise cyberops are less effective.
Two things in his speech stood out.
First, Admiral Bauer pointed out that cyber operations have significant drawbacks. In fact he called them a "too good to be true" scenario. Yes, they are fast, do not require boots on the ground, and have limited risk of repercussions. Yet they do require extensive preparations, and are tailored to a specific target, at a specific time, under specific circumstances. This makes them difficult to repeat. Conventional weapons can be used for years. Cyber weapons (e.g. malware) on the other hand have a limited shelf life as the vulnerabilities they depend on will be patched.
Notice how this is different from 'civilian' cyber security. There an attacker has a distinct advantage over the defender because he does not need to attack a specific target (he can try many targets at once and settle for the weakest one), and typically has no deadline within which the attack must be successful. In a 'civilian' cyberattack periods of activity are separated by sometimes long periods of inactivity, because after a successful move the attacker stumbles upon a further line of defence that must be investigated.
Cyber operations do not have that flexibility, especially because they must form an integral part of existing military capabilities. The timing of a cyber operation thus depends critically on other, conventional, operations. (As someone later explained to me, if the commander of a military operation inquires whether the cyber team can hack say a bridge, the answer "probably yes, but we do not know how long it will take us" is not very useful.)
A second thing that stood out in the speech of Admiral Bauer was the acknowledgement that in cyberspace, the difference between cyber security and national security becomes fuzzy. Whereas defending the latter is clearly a task of the military, their role in protecting the former is less clear. As Admiral Bauer put it: "the Armed Forces are not the national firewall". Yet it is clear that by developing cyber weapons and cyber defences, their impact (both positively and negatively) on cyber security increases. This requires closer cooperation with the government, law enforcement, the private sector and research institutes. Admiral Bauer would like to invite people from cyber industry to work directly with or for the Armed Forces.
But this latter suggestion creates an immediate problem. Cyber industry is a global market, not a national market. So the people from cyber industry you invite to work for you may work for a global company that also works for your enemies...
What struck me most during the symposium is the old-fashioned way the military appears to think about cyberspace in general and cyber security in particular. The military sees the threats in cyberspace as a threat to territorial integrity. But does that really make sense if an attack is mounted on a global service provider like, say, Google, or a critical infrastructure provider like an energy grid operator that services several countries? Whose territory is really targeted in that case?
Also, when thinking about cyber defence, a strong distinction between being inside and being outside was made. There still was a clear sense of a security perimeter, a bastion, separating the evil outside world from the secure interior. This line of thinking was abandoned ages ago in 'civilian' cyber security, where the conventional wisdom these days is to assume you are infiltrated anyway.
A core issue (within cyber security in general) is the question of how to determine the source of an attack. This is called attribution. For cyber warfare, lack of attribution is beneficial if you want to perform a stealth attack. Yet it is a problem if you want to retaliate and deter an opponent (as the opponent needs to know it is really you who responded, so he knows you are not a party to be messed with). In these cases you need 'loud' cyber weapons that can easily be attributed to you (i.e. to the party that 'fired' them).
This is a desirable option even though most experts believe cyber weapons cannot be used for deterrence, like nuclear weapons. Such loud cyber weapons can be used for "coercive diplomacy", a kind of diplomacy supported by force, that holds a middle ground between strict deterrence and using brutal power. You punish your opponent as soon as he crosses a line. This only works, however, if you can respond quickly, and when it is clear the response comes from you.
Some people also discussed the issue of cyber sovereignty: the fact that certain governments are pushing for more control over 'their' cyberspace, e.g. Russia requiring data of Russian citizens to be processed in Russia. (And the EU doing essentially the same through the General Data Protection Regulation, for privacy reasons.)
From a defensive point of view this appears to make sense: more control means you have more opportunities to protect and hence secure your part of cyberspace. But thinking this way about cyberspace, dividing it up into isolated, national cyber silos immensely reduces its value. We see a dilemma here: openness of infrastructure creates economic value but also avenues for abuse or attack. This is similar to the older "privacy and security are a zero sum game" point of view, that has been extensively criticised before.
The interesting question is thus whether this choice between either openness or security is really an either/or, exclusive, choice at all...
NATO is still busy formulating a cyber doctrine (i.e. its guidelines on how to act in cyberwarfare). One fundamental change in recent thinking is to also allow offensive cyber operations, instead of only defensive cyber operations. Until a year or so ago, that thought was heresy within NATO, apparently.
This change will have a huge impact on policy making, even beyond the military. For example when considering what (military) intelligence services are allowed to do, which is significant in the Netherlands given the upcoming referendum on the law on the intelligence services. Or when considering the offensive (or at least preemptive) strategies available to law enforcement.
Because IT infrastructure is vulnerable, military operations should limit their dependence on it. Infrastructure developed specifically for military use is 'probably' secure enough. This is most certainly not the case for ordinary, consumer grade, IT. The military does depend on ordinary IT too though, for instance for logistics.
There is limited information sharing between NATO battlegroups during missions.
The structure and functioning of the cyber command centres of NATO member states vary significantly, and each has its own definition of 'cyberspace'.
It is a challenge to find the skilled people needed to develop cyber capabilities, and to deploy them during cyber operations.
Influence operations (e.g. propaganda, fake news) were also mentioned several times. Someone said that during some military operation the smart phones of all soldiers were obviously hacked. The military is worried about operations that are aimed at influencing political and administrative decision making, like the Russian influence on the last presidential elections in the US. They have not seen that yet in the Netherlands.
The "weaponisation of social media" was perceived as an existential threat to Europe. It was said that western society cannot spin media. To be honest, I don't really believe that... President Trump is a master in spinning the media and using social media for his own benefit. The United States have used the media to broadcast their message for ages. And Europe is catching up. We spin all the time...