Inherent Instability: Cyber and Space as Deterrence Spoilers

By Thomas Frear | Research Fellow

The ongoing NATO-Russia confrontation has brought about a renewed interest in deterrence, and a corresponding rediscovery of those concepts and ideas that helped keep the Cold War cold. However, the world has not stood still since 1989. Updating deterrence to account for the technologies of the 21st century remains an enormously difficult task.

The extension of deterrence concepts to include the domains of cyber and space presents a considerable challenge to the management of escalation, whether intended or otherwise. Whilst NATO has offered some clarity in its approach to these new cross-domain relationships by adopting cyberspace as a formal operational domain and declaring that a cyber attack on an ally is cause for triggering the Alliance’s Article 5 collective defence clause (and thus possible retaliation by conventional or nuclear means), there has seemingly been no serious discussion within the alliance as to the threshold that would trigger such a response. This speaks to a significant problem inherent to modern deterrence: managing escalation across domains.

Whilst the Russian deterrence concept is holistic by design (encompassing not only the western concepts of deterrence, coercion, and containment, but also informational operations), it is not clear that Russian planners have taken into account misperception regarding their actions in the cyber or space domains and their effects on strategic or conventional escalation.

The perpetration of the most damaging cyber-attacks, those that aim to physically damage infrastructure or inflict lasting damage on digital systems as opposed to temporarily disabling them (known as Computer Network Attacks, or CNA), requires a sustained infiltration of an adversary’s computer network (known as Computer Network Exploitation, or CNE). Such breaches may go undetected for extended periods of time, either allowing the construction of bespoke malware tailored to the target (such as STUXNET) or remaining a dormant capability to be activated in times of conflict. Whilst the prevention and discovery of such activity is routine, and far from limited to action rebuffing state actors, the discovery of intense activity linked even tangentially to state-sponsored operatives during a period of international crisis would increase pressure for retaliation or a preventative attack.

The reliance of military and governmental computers on civilian programmes and operating systems only increases this vulnerability, as state actors stockpile ‘zero day’ weaknesses in commercial products to exploit in times of crisis. [1]

A particular difficulty arises when trying to distinguish between cyber espionage and information collection and preparation for a CNA, both of which require extensive CNE.

The secretive nature of these capabilities limits their use as a deterrent. The clarity upon which classical deterrence is based, a combination of public resolve and the demonstration of practical capability to back it up, is absent from the cyber domain. Capabilities that rely on flaws in the adversary’s systems cannot be publicly admitted to, as such flaws can be quickly patched. This creates a pervasive opacity of purpose and capability, a fast-moving environment in which actors are constantly probing for weaknesses whilst attempting to identify and address their own, and where the identity of one’s assailant is often ambiguous. In such circumstances it is relatively easy to misidentify intent and, in a period of confrontation, act on the worst-case scenario.

It is also easy to misperceive one’s own strengths. A belief that the adversary’s command and control network has been so thoroughly infiltrated that in the event of conflict aspects of it may be rendered inoperable, whilst believing one’s own network to be secure, imbues a false sense of security and may encourage escalatory measures that might otherwise be considered reckless.

In modern state-on-state warfare such cyber activities are an integral part of preparation of the battlefield, but by necessity they must be conducted on a continuous basis, irrespective of peacetime, wartime, or crisis. Such methodology is explicitly acknowledged in Russian doctrine and strategic thought (and increasingly through military recruitment and procurement), leading to ambiguity as to whether cyber activities constitute simply prudent preparatory, and thus defensive, measures, or the initial steps of a first strike. [2]

NATO and its member states have also begun to more readily acknowledge this process, but its escalatory potential is still poorly understood. Indeed, efforts by NATO member states to deter and counter such Russian activity have failed.

As with cyber programmes, much of the space architecture on which modern systems rely is dual (civilian and military) use. For example, a weather satellite that provides meteorological data for civilian weather channels also informs the targeting of ballistic and other missile systems. This creates an inherent linkage between interference with space assets, whether in orbit or on earth (such as satellite support facilities), and critical cyber systems that manage everything from nuclear command and control to precision farming, as well as to the conventional military domains.

The reliance of the US and its allies on network-centric methods of war following the revolution in military affairs (RMA) has created a reliance on space infrastructure unprecedented in history, a reliance that an increasingly technologically advanced Russia is emulating. Russia and the US are both aware of these new vulnerabilities, and are committed to planning for space warfare.

However, the dual use nature of space technology and the increasingly low barriers of entry to the usage of earth orbit may act to self-deter the physical destruction of satellites. Doing so runs the very real risk of not only damaging the constellations of the adversary but also one’s own assets and those of third parties. The latter threatens to escalate the conflict beyond the existing combatants to encompass potentially every state operator of satellites and satellite services, a paradigm that I tentatively term ‘cross-adversarial escalation’.

It is thus a more likely scenario that states in confrontation or conflict would instead attempt to blind, jam, or hijack the space assets of their adversary.

However, the difficulty of determining the origin of attackers remains. Differentiating the actions of non-state actors and those of a state that may be orchestrating operations to cover its own force movements is a critical blind spot that encourages escalation. Indeed, the often blurred line between state and non-state actors in cyberspace only exacerbates this problem.

Recognition of the escalatory potential of cyber and space activity is the first step towards minimising risk. Cyber espionage is a 21st century fact of life, and will remain an ongoing and largely ungovernable activity, but efforts must be made to address its destabilising potential. As has been made clear in ongoing attempts to develop international norms in cyberspace, primarily through the UN Groups of Governmental Experts (GGEs) and Tallinn Manual process, it is incumbent on individual states to show restraint in their cyber activities. However, the difficulty of rapidly determining the origin of attacks, combined with the often opaque distinction between state and non-state actors, has to date undermined this proposed norm.

That said, recognition of the potential of mutually damaging escalation can result in agreements or arrangements that aim to manage cyber activity. The US and Russia reached a series of agreements in 2013 to just this effect, putting in place enhanced communication links between their computer emergency response teams and presidential administrations alongside an exchange of notifications system. Most of these mechanisms were subsequently shut down, alongside other cooperative projects, following the Russian invasion of Ukraine in 2014. Nevertheless, the Trump administration has since declared itself willing to re-open a less structured dialogue with Russia on cyber issues. Whilst such a declaration has received justified criticism that it will be seen as a reward for Russian cyber interference, it needn’t result in any new formal agreements. A simple acknowledgement that limiting cyber espionage during periods of potential crisis, such as around large military exercises, would reduce the risk that such activity be mistaken for the beginnings of a cyber attack would therefore be a net gain for Euro-Atlantic security. The inherent offensive advantage of cyber weaponry is such that both sides face considerable pressure to strike first, running the risk of escalation spreading across military domains and triggering large-scale conflict. It is thus imperative that both NATO member states and Russia seriously consider methods to better integrate cyber dimensions into existing crisis management mechanisms. The importance of cyber as a cross-domain issue was only reinforced by the March 2018 Russian cancellation of US-Russia talks on strategic stability following the US cancellation of cyber security consultations.

Similarly, recognition that any interference with space assets (not just their physical destruction) carries cross-domain escalatory potential is necessary to reduce risk in times of crisis. The jamming or blinding of key adversary satellites designed to inhibit terrestrial operations would likely draw retaliation, inviting a cascading escalation. International norms restricting the militarisation of space have thus far held, but a reaffirmation of this principle, and its possible extension to state-sponsored satellite interference, would be a valuable de-escalatory measure.

[1] A zero day vulnerability is a flaw in a software programme that is unknown to the software vendor, and thus open to exploitation by hackers with knowledge of its existence.
[2] See Jen Weedon, Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine, in Kenneth Geers (ed.), Cyber War in Perspective: Russian Aggression Against Ukraine, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia, 2015, pp. 73-74.

The opinions articulated above represent the views of the author(s), and do not necessarily reflect the position of the European Leadership Network or any of its members. The ELN’s aim is to encourage debates that will help develop Europe’s capacity to address pressing foreign, defence, and security challenges.