Written By: Syed Ali Hadi
The strategic community as well as the technical diaspora must join heads to formulate a comprehensive framework of understanding to overcome the ‘Cyber Dilemma’. The interdisciplinary approach must be adopted in order to overcome the knowledge gap and implemented through research institutions, government organizations as well as academia and universities.
For ages, the traditional dimensions of war have been land, sea, air and discreet/covert. The rise of information technology and communication systems has added two new dimensions to these concepts: space war and cyber war. The two new dimensions in general, and cyber war in particular, reside under the realm of Revolution in Military Affairs (RMA) debates, which in turn is based on Network-Centric Warfare (NCW). These doctrines talk about the future of wars connected with technology, guided systems and command and control centers. Its first use in actual warfare was seen in the 1991 Gulf War.
The threats of cyber warfare and cyberattacks emanating from cyberspace are real, and such attacks have already been deployed against enemy targets. Titan Rain in 2005 was an ‘Advanced Persistent Threat (APT)’ executed by Chinese hackers which breached a Lockheed Martin facility in the state of Florida. Ghost Net in 2009 was a botnet that targeted different NGOs and diplomats. Similarly, the latest attacks like Estonia in 2007, Georgia in 2009, and Stuxnet in 2010 culminate a whole new wave of cyberattacks over time. Stuxnet was the first of its kind: a state-sponsored attack intended to achieve geopolitical leverage in nuclear politics.
Such cyberattacks are considered imminent threats emanating from enemies. The global powers have already moved ahead in terms of their doctrinal approach towards such attacks and warfare. Pakistan needs active engagement in this dimension so that it does not lag behind in the future wars to come. The seventy years of our history depict the opposite of what is desired above: a reactionary decision-making process. For this purpose, the strategic community as well as the civilian-military bureaucracy must recognize this dimension of war and ‘securitize the cyberspace’.
The Copenhagen School developed the theoretical framework of the concept of Securitization in the constructivist domain, centered on the collective work of Barry Buzan and Ole Waever. The concept entails the construction of threat.
It is a process whereby an actor [state, politician(s), or organization] declares another actor or issue to be securitized. That actor or issue poses an existential threat. The threat is directed towards a certain referent object which is to be protected. Finally, it is the target audience that adheres to it as a matter of security threat which allows the actors to suspend normal politics and invoke special politico-military measures in order to contain or respond to that threat which is directed towards the relevant referent object.
Applying this concept of Securitization to the fifth dimension of war would elucidate that an actor (the state of Pakistan) has declared another actor (state or entity) to be securitized. That actor (state or issue) poses an existential threat (attacks from cyberspace). The threat is directed towards a certain referent object (Pakistan and its critical infrastructure) which is to be protected. Lastly, it is the target audience (the nation of Pakistan) that adheres to it as a matter of security threat, which allows the actors (civilian-military bureaucracy) to suspend normal politics and employ special political and military measures in order to contain or respond to that perceived threat.
This act of securitization brings us to the next phase, which is debating the contours of cyber warfare. Although it is a relatively new dimension of war, states are gearing up to respond to such an exponential phenomenon. The challenges to understanding this art of war are still many. The war itself is still in its infancy. In order to generate scholarly debate on this subject matter, cyber warfare would be categorized under areas such as: its legal framework, the strategies of cyber-operations, regional cooperation for cyber-alliances, technical challenges (The Cyber Dilemma), and simulation exercises and planning for understanding and operationalizing cyberattacks and threats.
There are no direct rules and norms in international law, or a treaty, to govern cyberspace and cyber war, to say the least. Nonetheless, there are some debate initiatives taken by the United Nations that talk about cooperative measures to address the potential threats to cyberspace. The reports/initiatives were then intertwined with the ‘cornerstone provision’, Article 2(4) of the UN Charter, that entails the ‘use of force’. The Tallinn Manual, adopted by NATO’s cyber command, talks about the application of international law to cyberspace and cyber operations. Yet it is not a binding document of law.
On the other hand, the ‘Schmitt Criteria’ is considered to be the foremost scholarship to analyze and comprehend the possible steps and processes in cyber operations. Yet Schmitt himself declares that the Six Principles of the Schmitt Criteria were imprecise when he applied them to the 2007 attacks against Estonia, where only five principles were applicable. Hence, all of the aforementioned initiatives and many alike are not binding legal documents.
The best possible approach would be the Bottom-Up approach, in which states must legalize the cyberspace and create laws of their own. The overlap between cyberspace and the law occurs most of the time at the national level. The great powers of the international community must aspire to make their own cyber laws and legalize the framework at the domestic level. It will help in controlling and managing the cyberattacks emanating from individuals for heinous purposes such as identity theft and creating viruses for personal gain.
It will also provide a basic building mechanism to further deliberate over the semantic attacks which are perpetrated by the states. The practice of these legislative documents of the respective states in turn would pave the way for the creation of international rules and norms under the international law.
Strategies of Cyber Attacks
Cyberattacks or cyber operations must be strategized before being deployed. This should also be done at the national level, where applying traditional or relatively contemporary strategists and their principles/axioms would be beneficial for assessing their scope and acceptability in cyberspace.
Sun Tzu’s most relevant principle, which states that all warfare is based on deception, is a clear manifestation of the fact that cyber operations, most of the time, are and will be deceptive in nature. Likewise, his strategy of outmaneuvering the enemy rather than outfighting him certainly applies in cyberspace, where information dissemination and propaganda warfare through information and electronic means is the practice of the time.
While applying Clausewitzian principles of warfare to cyberspace, the concept of trinity remains obsolete because the cyber operations are usually discreet in nature. The Centre of Gravity (COG) concept when applied in the cyberspace needs more deliberation as to what accounts for the COG when talking about cyber warfare. Nonetheless, a whole new array of strategies should be developed for this dimension of war which would require the strategic community to link up with the technical diaspora in order to generate scenarios and simulations, which is thoroughly discussed below.
Countries like the United States, the United Kingdom, the Netherlands, and Germany have also built their cyber commands to mitigate cyberattacks and conduct cyber operations. Estonia, India, Israel, and China have also followed suit.
Regional Cooperation for Cyber Alliances
Last year, the United Nations Group of Governmental Experts (UN GGE) was constituted to delineate the field of cybersecurity and to build confidence. The paper, “Towards a Secure Cyberspace via Regional Cooperation”, talks about the role of regional organizations in implementing the recommendations by the UN GGE on cybersecurity. These recommendations revolve around three recurring keywords: Outreach, which concerns other stakeholders outside the GGE and their participation; Universalization, for broad dissemination of the GGE's work; and Operationalization, to ensure that all recommendations by the GGE are operationalized as well as implemented.
In addition to this, the European Union Agency for Network and Information Security (ENISA) in collaboration with the Bulgarian Republic organized the Regional Cybersecurity Forum for Europe in 2016. It focused on specific topics like national cybersecurity strategies, the national Computer Security Incident Response Team (CSIRT) in the context of its developments, practices and approach. It also involved national policy and decision makers, service providers as well as academia to further strengthen the regional cooperation on cybersecurity.
The Tallinn Manual was adopted and facilitated by the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE). It talks extensively about the application of existing international laws in the context of cyber operations and cyber war. Its 2.0 version was adopted in 2013 as a second edition and authored by nineteen experts of international law. The manual concludes that the laws of the comity of nations are applicable to cyber-related operations which are directed against or by states. Therefore, states would have rights as well as obligations under international law. The full-spectrum application of international law to cyberspace is covered in its 2017 edition, which elucidates the legal regimes of the laws of armed conflict. Moreover, it includes the general principles of international law such as sovereignty as well as jurisdiction. Human rights law, the law of the sea, and air and space law are also examined in the context of cyber operations.
Technical Challenges–The Cyber Dilemma
The most common hurdle for not securing a comprehensive, single and holistic framework of understanding of how to secure the cyberspace stems from the fact that cyber operations involve technical knowledge. These technical aspects of operations in cyberspace are incomprehensible from the lens of security studies experts as well as the policy and decision makers. As of now, there is no single authority on the said subject matter which could comprehend this overlapping of the technical knowledge of cyberspace in relation to its policy formulation for the states and international community at large. Hence this could be termed as the “Cyber Dilemma”.
The strategic community as well as the technical diaspora must join heads to formulate a comprehensive framework for understanding to overcome the ‘Cyber Dilemma’. The interdisciplinary approach must be adopted in order to overcome the knowledge gap and implemented through research institutions, government organizations as well as academia and universities.
Simulation Exercises and Planning
There are no agreed-upon aspects of what constitutes a cyberattack or a breach in cyberspace. The exponential growth in the advancement of technology is one of the reasons. The strategic community, in collaboration with the technical diaspora, must initiate cyber scenarios once the cyber dilemma is overcome. These scenarios must account for how cyberspace is being used for attacks as well as state-sponsored covert operations.
This, in turn, would give impetus to understanding and creating a general framework on types of cyberattacks and their categorization. Henceforth, these planning exercises will create an analogy similar to that of the military operations which are conducted at tactical or operational levels. It would also help in understanding the basic building blocks of cyberattacks and cyber operations and how these are executed. What motivates a cyberattack? What is the target in cyberspace? Which technical infrastructure is or could be used for such operations? How can these be securitized? How should these attacks be mitigated? What should be the responses? These and other related questions need a comprehensive understanding, for which the cyber scenarios will act as a catalyst in organizing and giving some degree of analysis to the cyber operations conducted in cyberspace.
There exists a literature gap between the strategic community and technical diaspora which overshadows the comprehension of operations and attacks emanating from cyberspace and responses. The cyberspace needs to be securitized for it comes under the realm of 21st century non-kinetic warfare concepts (NKW). States must bring forth their cyber scenarios for creating a unilateral framework of understanding the cyberspace and its operations at first and then finally moving towards developing a comprehensive strategy in order to regularize the cyberwarfare. Addressing Pakistan’s strategic community in particular, the state of Pakistan has faced many challenges for its oblivious and casual approach towards doctrinal development and capacity building of state organs. Therefore, a certain accident which undermines our national interest leaves this vacuum of doctrinal approach unfilled which is followed by a quasi-reaction to overcome such a threat. All the pillars of the state are equally responsible for creating comprehensive programs to overcome the threats of 21st century warfare. Cyber warfare is one such concept which will affect us sooner or later. Examples can be taken up from within our borders and critical infrastructure, too.