Why we need to measure military cyber power

This article is part of the World Economic Forum's Geostrategy platform

Anyone who has been on a management training course will have been confronted with the proposition that ‘if you can’t measure it, you can’t manage it’.

For empires and nation-states alike, having the best possible understanding of the capabilities of potential adversaries to project power, especially in the military realm, has always been seen as a vital tool of statecraft.

The tendency has been for states to keep such capabilities secret, and that imperative remains. But recent historical experience – notably the Cold War – has given rise to a strategic culture of deterrence based on mutual awareness of capabilities.

The evolution of the cyber domain, however, has significantly complicated this picture, not merely in terms of how armed forces adopt and adapt to new technology, but in terms of raising questions about what constitutes military use in a domain where civilian and military users are inextricably entangled.

Military adoption of cyber capabilities is still in its early stage, but it is already the case that, as NSA Director and head of US Cyber Command Admiral Mike Rogers has observed, ‘every conflict around the world now has a cyber dimension’.

Grey-zone operations

Social media has emerged as a new battleground in shaping public opinion and exercising psychological influence on governments and publics alike, and ‘grey-zone’ operations such as Russia’s digital interference in elections in liberal democracies are becoming more pervasive.

And while the cyber domain is shaping the ways in which warfare is conducted, it also serves as a domain of warfare in its own right, a reality that was formally recognised by NATO at its 2016 Warsaw summit.

Armed forces know they need to become cyber enabled and cyber capable, but are struggling to make sense of what is involved.

To date, states have pursued different organisational approaches, either by creating a separate branch of their armed forces, as in the case of China’s Strategic Support Force, or by distributing capabilities across different service arms, as with the United States’ Cyber Command.

The overwhelming majority of military uses of the cyber domain have been aimed at securing short-lived tactical advantage on the battlefield. But at a strategic level, governments are struggling to work out how to combine the capabilities of their armed forces with other instruments of national power to create the kind of ‘all-of-nation’ capabilities and responses that a new set of challenges appears to demand.

What is cyber war?

There is a general acceptance that a war fought solely within the cyber domain is unlikely to be the shape of things to come – although some states, notably China and Russia, have developed a concept whereby cyber tools can be in some circumstances used for compellence or deterrence in ways designed to obviate the need for kinetic force.

However, activities within the cyber domain are far more likely to be a precursor to, or adjunct of, kinetic activities.

Thereafter, however, consensus quickly breaks down.

A succession of senior US policy-makers, including Richard Clarke and Leon Panetta, have spoken of the potentially devastating effects of concerted cyber attacks, leading to loss of life and irreversible damage.

Overwhelming an adversary

With such an outlook comes a belief in the pre-eminent importance of attack, overwhelming the adversary’s networks to pre-empt the disabling of one’s own.

At the other end of the spectrum, many scholars argue that to date no lives have been lost as a direct result of actions undertaken in the cyber domain; that most cyber attacks are reversible, and of limited impact; and that a combination of robust defence and resilience are the key to success.

In practice, the cyber components of most armed forces devote most of their capabilities to protecting military networks, though a growing number of states have declared a capability and intent to undertake offensive cyber operations.

The role of armed forces in securing national networks is far from clear, as is their capacity to contribute to achieving it.

There are worrying indications that this approach to the risk of cyber attack may prove unduly optimistic as a growing range of actors, both state and non-state, have engaged in ever more disruptive and ambitious actions in the cyber domain in ways that would seem to be contributing to growing instability.

A worrying indicator is the barrage of cyber attacks to which Ukraine has been subjected since 2014, giving rise to suspicions that Russia is using Ukraine as a test-bed for disruptive attacks of ever greater sophistication, such as CrashOverride, an autonomous exploit designed to enable the remote closing down of electricity-generation systems.

Physical damage arising from activities initiated in the cyber domain is already a reality. Fatalities, at the very least as a second-order consequence of persistent and large-scale digital disruption, may not be far behind.

Catastrophic systems disruption with wide-ranging second- and third-order consequences is beginning to look rather less like the subject of fevered Hollywood imaginings.

And even if these more extreme scenarios can be avoided, there is still a significant risk posed by a growing number of non-state catalytic actors who may want to provoke escalatory spirals between certain states.

This then raises the question of what constitutes a cyber attack or a cyber weapon, and whether such a question is even useful in a world that has become so network-dependent that cyber capabilities have become integral to most human activities.

Legitimate response

At what point does activity in the cyber domain rise to a level equating to an armed attack or use of force as set out in Article 2 (4) of the UN Charter? What constitutes a legitimate response to such an attack?

The US government has sought to address these issues through a policy of equivalence, reserving the right to retaliate in whatever manner it sees fit in response to a cyber attack equivalent in effect to a kinetic attack.

The criteria for making such an evaluation are left undefined, no doubt deliberately, but raise questions about whether, for example, sustained attacks against the US banking system resulting in the corruption or loss of data and general financial paralysis – effects more similar to economic sanctions or economic warfare – would meet those criteria.

Under existing maximalist interpretations of international law, which only admit of first-order fatalities, physical injuries or physical destruction as constituting a legitimate casus belli, they would not.

Theory and practice

Thus far, relatively little effort has been devoted to the question of how the cyber domain fits within a general theory of strategy, and it is hard to deny that more attention needs to be devoted to this task.

But when looking at a domain characterised by so much uncertainty, on the one hand, and accelerating technical evolution, on the other, a more pressing concern is to focus on what strategically relevant states are actually doing in relation to the cyber domain, and to understand what drives their behaviour.

In one sense, the evolution of the cyber domain can be seen as having a levelling effect. Any state not on the wrong side of the digital divide can develop capabilities in areas such as intelligence collection and sabotage that even a decade ago had been the preserve of a few top-rank powers.

Nonetheless, in practice, what will shape global perceptions of what military cyber power is, and how it is exercised, will be determined by the behaviour of a few major players, principally the United States, China and Russia.

Of these, the US continues to enjoy a substantial, if diminishing, first-mover advantage.

China and Russia both see themselves as vulnerable to this first-mover advantage, and have sought to constrain it in various ways, including through international diplomatic activities dealing with cyber governance and cyber security.

China has also sought to leapfrog US technological superiority by investing heavily in areas such as quantum encryption and artificial intelligence.

It is a battleground that benefits from the effective brigading of all-of-nation capabilities – to use the Chinese term, comprehensive national power – that comes relatively easily to authoritarian states but less so to liberal democracies. And it is a battleground where success is defined less in terms of decisive outcomes than as an ability to sustain destabilising and deterrent effect.

Although the cyber domain in its current form has been with us for some forty years, it is only now that major non-IT private-sector corporations have begun to redevelop their business models and practices with information and information-based capabilities at the core of the enterprise.

The world’s armed forces are, generally speaking, at a much earlier stage in this process, and how they adapt to this new environment will fundamentally reshape the character of conflict.

Understanding what capabilities are involved, and how and why they are developed and deployed, is becoming a critical element in determining the relative capabilities of armed forces and in determining the power dynamics between states – a task crucial to maintaining some degree of strategic stability.

This will require clear definitions to ensure that like is being compared with like.

There will be some areas where military purpose and effect is relatively easy to discern. Elsewhere, judgements will need to be made about how what would normally be viewed as civilian capabilities are factored into the balance.

But unless a serious and sustained effort is made to assess and measure military cyber capabilities and military cyber power, we could easily find ourselves in the position of that incompetent manager who has counted everything, understood nothing and set himself up for some very unwelcome surprises.

Measuring Military Cyber Power, Nigel Inkster, Senior Advisor to the International Institute for Strategic Studies