Cyber Conflict and International Relations: Where to get started

Cyber conflict seems to have become necessary, and normal. Nearly every day cyber attacks occupy the headlines of mainstream media. A diverse group of governments across the world state that they are exploring options to (further) develop a capacity to conduct offensive cyber operations. Non-state actors also continue to rely on cyber means whilst pursuing a diverse set of motives.  

Yet, the dynamics of cyber conflict are complex, understudied, and constantly changing. In 2012, when Gen. Keith Alexander was still heading the NSA and US Cyber Command, he stated that there is “much uncharted territory in the world of cyber-policy, law and doctrine”. Gen. Alexander’s statement still holds today. There is still much uncertainty about a broad set of related issues, such as the potential normative restraints on cyber conflict, fourth party intelligence collection, the strategic value of offensive cyber operations, and how state and non-state actors (can) work together in cyberspace, from both an offensive and a defensive perspective. Researchers have tried to answer these questions whilst the conceptual and empirical underpinnings of the field are fluid. New ‘data points’, like the cyber-enabled information operations during the US Presidential Elections, have (re)shifted the focus of the field and changed our understanding of what cyber conflict entails. New interpretations of old ‘data points’, like the re-study of the 1990s Moonlight Maze campaign, have equally altered our understanding of the field.

So where to get started if you’re a political science student (or diplomat, congressional staffer, etc.) new to the field of cyber conflict? Below you can find a very, very short reading list. It’s based on my teaching at Stanford University for the Master in International Policy (MIP), analysis of 25+ cyber conflict syllabi, and review of cyber conflict articles in top 50 Poli Sci journals. 

1. Conceptualizing Cyberspace and Cyber Conflict

2. Types of Threat Actors and forms of Activity

3. Policy Dilemmas

(Public) Attribution

  • Rid, Thomas & Ben Buchanan, ‘Attributing Cyber Attacks’, Journal of Strategic Studies, 38:1-2 2015, http://www.tandfonline.com/doi/abs/10.1080/01402390.2014.977382
  • Florian Egloff, “Public Attribution of Cyber Incidents,” (2019, May),  CSS Analyses in Security Policy, http://www.css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/CSSAnalyse244-EN.pdf

VEP / Capability Build up

Organizational Integration

  • Michael Hayden, Playing the Edge: American Intelligence in the Age of Terror 
  • Michael Sulmeyer, “Much Ado About Nothing? Cyber Command and the NSA,” WarontheRocks, (2017, July 19) https://warontherocks.com/2017/07/much-ado-about-nothing-cyber-command-and-the-nsa/ 
  • Smeets, Max, “Organisational Integration of Offensive Cyber Capabilities: A Primer on the Benefits and Risks,” NATO CCD COE Publications, 2017, http://maxsmeets.com/wp-content/uploads/2018/09/Art-02-Organisational-Integration-of-Offensive-Cyber-Capabilities-2.pdf

Cybersecurity Dilemma

  • Buchanan, Ben, Cybersecurity Dilemma, 2017, Oxford University Press

Collateral Damage

4th Party Collection

  • Juan Andres Guerrero-Saade & Costin Raiu, “Walking in Your Enemy’s Shadow: When Fourth-Party Collection Becomes Attribution Hell”, Virus Bulletin Conference, (2017, October): https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf
  • GReAT, Animals in the APT Farm, Kaspersky Lab (2015, March 6): https://securelist.com/animals-in-the-apt-farm/69114/

Dealing and Responding to Proxy Activity

  • Healey, Jason. “The Spectrum of National Responsibility for Cyberattacks.” Brown Journal of World Affairs 18.1 (2011): 57–69.
  • Maurer, Tim “‘Proxies’ and Cyberspace,” Journal of Conflict and Security Law, (December 17, 2016)
  • Bejtlich, R. ‘What Does “Responsibility” Mean for Attribution?’ (TaoSecurity, 22 December 2014) http://taosecurity.blogspot.com/2014/12/what-does-responsibility-mean-for.html

4. History of US Cyber Conflict

  • Warner, Michael (2012) ‘Cybersecurity: A Pre-history’, Intelligence and National Security, 27:5, 781-799 http://www.tandfonline.com/doi/full/10.1080/02684527.2012.708530
  • Healey, Jason, and Karl Grindal. 2013. A Fierce Domain: Conflict in Cyberspace, 1986 to 2012. Cyber Conflict Studies Association.
  • Sanger, David E., 2012. Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (NY: Crown), pp. 188-209

5. US (CYBERCOM) Cyber Strategy

  • Lynn, William J. III, “Defending a New Domain,” Foreign Affairs 89.5 (2010), 97-108.
  • United States Cyber Command, “Achieve and Maintain Cyberspace Superiority”, (March 23, 2018), retrieved from: https://assets.documentcloud.org/documents/4419681/Command-Vision-for-USCYBERCOM-23-Mar-18.pdf
  • Smeets, Max and Herbert S. Lin, Chapter 4: A Strategic Assessment of the U.S. Cyber Command Vision, 2018, Bytes, Bombs & Spies, Brookings Institution Press: https://medium.com/freeman-spogli-institute-for-international-studies/bytes-bombs-and-spies-261564d51157

6. The Strategic Value of Cyber – Deterrence, Compellence, Persistence and more

  • Gartzke, Erik. “The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth.” International Security 38, no. 2 (October 2013): 41–73. doi:10.1162/ISEC_a_00136.
  • Harknett, Richard J. and Michael P. Fischerkeller, “Deterrence is Not a Credible Strategy for Cyberspace,” (2017), Orbis Summer 2017, Vol. 61, No. 3
  • Gartzke, Erik and Jon R. Lindsay. “Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace.” Security Studies 24, no. 2 (April 3, 2015): 316–48. doi:10.1080/09636412.2015.1038188.
  • Aaron F. Brantly, Cyber Actions by State Actors: Motivation and Utility, International Journal of Intelligence and CounterIntelligence, 27:3 (2014), 465-484

7. Cyber Norms

  • Finnemore, Martha “Cultivating International Cyber Norms.” America’s Cyber Future: Security and Prosperity in the Information Age 2 (2011).
  • Farrell, Henry and Charles L. Glaser, The role of effects, saliencies and norms in US Cyberwar doctrine, Journal of Cybersecurity, 3, 1, 1 March 2017, 7–17, https://doi.org/10.1093/cybsec/tyw015
  • Finnemore, Martha and Duncan B. Hollis, “Constructing Norms for Global Cybersecurity,”  110 American Journal of International Law, Temple University Legal Studies Research Paper No. 2016-52

8. International Law

  • Koh, Harold Hongju. “International Law in Cyberspace.” Harvard International Law Journal Online 54 (2012): 1–12.
  • Schmitt, Michael N. “International Law in Cyberspace: The Koh Speech and the Tallinn Manual Juxtaposed,” Harvard International Law Journal, 54 (2012) http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf
  • Waxman, Matthew C., “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4),” Yale Journal of International Law, vol. 36, no. 421 (2011): pp. 421-459.

Why We Are Unconvinced NATO’s Cyber Policy Is More Aggressive, and That’s a Good Thing

Written together with Daniel Moore.

Retired U.S. Air Force Colonel Rizwan Ali, who helped to establish NATO’s cyber program, makes the case in a recent article in Foreign Policy that NATO “embraced” a more “aggressive” stance with respect to “the use of cyber weaponry” when it recently established a Cyber Operations Center. The article provides valuable policy insights and highlights an important set of issues which have frequently been overlooked, including international cooperation on cyber capabilities and the (evolving) role of NATO in the cyber domain. It may also help to signal to a broad audience that NATO takes the ‘cyber domain’ seriously.

Yet, we are critical of his remarks and would like to pose two basic questions. First, should NATO want to be aggressive? Second, does the operations center truly mark a radical shift in policy?

First, an individual state or alliance may resort to the use of military force to pursue a range of objectives, such as defending a territory, deterring an adversary, or compelling a rival to do something. As a result, states try to be predictable in their actions or signal their credibility to follow through on a threat. All of these things are hard to do in cyberspace, making it prone to conflict and escalation. For example, states have a hard time assessing each other’s relative strength and capabilities, increasing the likelihood that offensive actions on either side could spiral out of control. As Ben Buchanan’s Cybersecurity Dilemma shows, even routine intelligence operations can be misinterpreted as aggressive intent.

Second, (luckily) there is also little evidence to suggest that NATO has become more aggressive. It’s worth citing Secretary General Stoltenberg’s briefing following the Defense Ministers meeting held in November, which Col. Ali refers to, at length here:

Finally, we discussed ways to strengthen our cyber defense. We must be as effective in the cyber domain as we are on land, at sea, and in the air, with real-time understanding of the threats we face and the ability to respond however and whenever we choose. Today, ministers agreed on the creation of a new Cyber Operations Centre as part of the outline design for the adapted NATO Command Structure. This will strengthen our cyber defenses, and help integrate cyber into NATO planning and operations at all levels. We also agreed that we will be able to integrate Allies’ national capabilities into NATO missions and operations. While nations maintain full ownership of those capabilities. Just as Allies own the tanks, the ships and aircraft in NATO missions. NATO is a defensive alliance, whose actions are always subject to strict political oversight and always act in accordance with international law.

It might be that the prepared statements are a poor reflection of what’s happening behind the scenes. Yet, from what’s known, NATO’s initiative to create a new cyber operations center can equally be characterized as a new effort to solve internal integration problems or as a way for NATO to provide a more credible deterrence posture. From this perspective, the new center seems to represent a consolidation of efforts that began with the establishment of the Tallinn-based Cooperative Cyber Defense Centre of Excellence in 2008 and continued with the acknowledgement of “cyber” as a warfighting domain in 2017.

Individual NATO member states have a hard enough time articulating a defense strategy, aligning interests, developing and coordinating new capabilities among military branches and government departments. Although states have the intent to develop cyber weapons, very few actually possess a meaningful capability. Even states that can conduct military cyber operations, like the United States, have faced significant challenges in making them effective.

Between NATO member states, these issues are equally relevant and perhaps even more daunting. Hyping up NATO’s efforts does nothing to promote a better understanding of how states operate in cyberspace, or of how state interactions in cyberspace work.

This article was first published on the Net Politics Blog of the Council on Foreign Relations