30 June 2020
Hybrid warfare can involve attempts to influence the adversary’s society through legal means such as purchasing news agencies and strategic infrastructure, as well as through illegal spreading of mistrust such as undermining free and fair elections (Shea, 2018: 6). Alongside these techniques, attacks on critical infrastructure and IT networks are an increasingly common method of hybrid warfare. They may be used either as a stand-alone operation or as a prelude to conventional military intervention, as was the case in Russia’s attack on Ukraine in 2014 (ibid.).
Taking into consideration modern societies’ heavy reliance on IT networks, ensuring cybersecurity is essential for the functioning of our communities. As pointed out by the European Commission, a wide variety of key sectors including energy, transport, water, financial market infrastructures, and healthcare, rely on Information Communication Technologies (ICTs), which are vulnerable to cyberattacks (European Commission, 2020). Due to our dependency on ICTs and their vulnerabilities, the cybersecurity aspect is crucial for ensuring the overall safety of the European Union.
Illustration of the vulnerability of our systems
A harrowing example that unveiled the vulnerability of our essential systems was the ‘NotPetya’ attack of 2017. On June 27, 2017, the Danish freight giant A.P. Møller-Maersk’s IT systems were infected by malicious software, which rapidly and effectively crippled practically all the corporation’s PCs, thus rendering the heavily ICT-reliant transportation company handicapped. NotPetya, according to McQuade (2018), began its spread from the computers of a small, Ukrainian family-run software business which had been hacked by Russian saboteurs. The incredibly effective virus was coded to “spread automatically, rapidly, and indiscriminately”, and although initially intended to target and cripple M.E.Doc, a piece of accounting software commonly used in Ukraine, the virus swiftly spread across the world (McQuade, 2018). The virus affected, among others, hospitals in the US, Maersk, TNT Express, and, as a demonstration of the unpredictable damage it was capable of inflicting, even attacked the Russian oil company Rosneft (McQuade, 2018). The CIA has concluded that NotPetya was launched by the Russian military (Nakashima, 2018).
NotPetya resulted in unforeseen economic damages, and as the former US Homeland Security adviser Tom Bossert phrased it: “While there was no loss of life, it was the equivalent of using a nuclear bomb to achieve a small tactical victory.” (McQuade, 2018). According to Bossert’s estimate, the total damages of the NotPetya attack exceeded 10 billion US dollars – a figure far exceeding any of the damages inflicted by any prior cyberattacks (McQuade, 2018). In total, the NotPetya attack and the earlier WannaCry attack – attributed to North Korea – affected over 320,000 individuals in over 150 countries globally (European Court of Auditors, 2019: 9; Bossert, 2017).
How can armed forces react to cyber threats?
Just like private corporations, national armies and infrastructures can also be subject to cyber attacks. If the essential infrastructure of a nation is compromised, the access to health care and government can be effectively shut off for the duration of the attack, which in the worst case can be weeks or months. In the case of a prolonged cyberattack of such a scale, the damages can exceed those of traditional military offences and cause widespread chaos and uncertainty, further exposing the society under attack.
Determining an appropriate retaliation for a cyberattack has been a topic of lively debate. One authoritative source on this is the ‘Tallinn Manual on the International Law Applicable to Cyber Operations’ by the NATO Cooperative Cyber Defence Centre of Excellence, authored by nineteen experts on international law. Since cyberattacks rarely cause direct physical casualties, the use of conventional force as retribution is a dilemma to address. Rule 71 of the Tallinn Manual 2.0 (Schmitt, ed. 2017: 339) states that a “State that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defence”, continuing that “[w]hether a cyber operation constitutes an armed attack depends on the scale and effects”.
Despite its inherent vagueness, the statement, as well as the Tallinn Manual as a whole, provides a beginning for a common framework for understanding cybersecurity. Due to the hybrid and often arbitrary nature of cyberattacks, common rules of engagement in this field are desperately needed to determine suitable and appropriate retaliation measures against the adversary. The use of conventional military force must always be justified. An attack on a nation’s cyberspace undoubtedly constitutes a violation of national sovereignty – but when is the critical point of military intervention exceeded? These are crucial issues for the future of warfare and must be addressed appropriately. The Tallinn Manual has started this discussion on the rules of engagement and appropriate retaliation, but the issue warrants further discussion on the international, EU and Member State levels.
The European cybersecurity architecture
The threat posed by cyber warfare to national security is acknowledged on the EU level, as exemplified by the European Defence Agency’s increasing role in cybersecurity matters. In 2018, memorandums of understanding were signed between the EDA and ENISA (European Union Agency for Cybersecurity), European Cybercrime Centre, and CERT-EU (Computer Emergency Response Team for EU Institutions) (European Defence Matters, N.D.). Increased cooperation between European institutions, the private sector, and armed forces is essential to ensure the future safety of the networks we so heavily rely on. In combatting cyberthreats, close cooperation, information exchange, capacity building, and research and development are of utmost importance, and the EU is taking important steps towards a secure future.
The European cybersecurity network is growing more resilient, but the adversaries are continually developing new methods to conduct hybrid warfare and to expose and exploit the vulnerabilities in our cyberspace. Alongside conventional defence activities carried out by Member States, the cybersecurity aspect must be strengthened significantly to deter future attacks on the vital networks – be it similar to the NotPetya attack, or a wider-reaching, direct attack on military targets. Importantly, the cyberattack does not have to be directed at the nation’s armed forces to inflict substantial damage to the national security; chaos can be sowed by attacking hospital networks, financial institutions, or corporations. Moreover, the inherently anonymous and borderless nature of the internet complicates the identification of a perpetrator, which highlights the importance of swift and accurate information exchange between the parties involved in defending the European cyberspace.
The EU is undoubtedly grasping the importance of cybersecurity. Nevertheless, the level of awareness of this aspect of security among the general public is worryingly low. For example, an estimated 69% of EU companies have “no, or only basic understanding of their exposure to cyber threats” – despite 80% of EU businesses having “experienced at least one cybersecurity incident in 2016” (European Court of Auditors, 2019: 9). Even more alarmingly, one global survey found that a third of organisations would prefer to pay the cyber attacker’s ransom than to invest in information security (ibid.). Given these issues, the EU should invest in disseminating information about the essential nature of cybersecurity, and securitise the issue on the national defence agenda to emphasise its significance to the general public.
Defending cyberspace is not only the job of the EU’s defence industry but the responsibility of every citizen, too. As the rapid spread of the NotPetya attack from a small company’s computers to various actors’ systems illustrates, even individual citizens’ and companies’ weak preparedness for cyberattacks may at its worst represent a direct threat to military actors and critical infrastructures. Therefore, the approach to cybersecurity must be comprehensive and all-encompassing: from the level of the individual understanding of cybersecurity to the international level of laying out common rules, as was already attempted in the Tallinn Manual.
Written by Veronika Edelmann, Defence Researcher at Finabel – European Army Interoperability Centre
Bossert, T. P. (2017, December 18) It’s Official: North Korea Is Behind WannaCry. Wall Street Journal. Available at https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537, accessed 12 June 2020.
European Commission (2020, April 15) The Directive on security of network and information systems (NIS Directive). Available at https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive, accessed 12 June 2020.
European Court of Auditors (2019, March) Challenges to effective EU cybersecurity policy. Available at https://www.eca.europa.eu/Lists/ECADocuments/BRP_CYBERSECURITY/BRP_CYBERSECURITY_EN.pdf, accessed 12 June 2020.
European Defence Matters (N.D.) EDA’s growing role in cybersecurity. Available at https://www.eda.europa.eu/webzine/issue18/focus/eda-s-growing-role-in-cybersecurity, accessed 12 June 2020.
McQuade, M. (2018, August 22) The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Wired. Available at https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/, accessed 12 June 2020.
Nakashima, E. (2018, January 13) Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes. The Washington Post. Available at https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html, accessed 12 June 2020.
NATO Cooperative Cyber Defence Centre of Excellence (N.D.) Tallinn Manual 2.0. Available at https://ccdcoe.org/research/tallinn-manual/, accessed 12 June 2020.
Schmitt, M. N. (ed.) (2017) Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge: Cambridge University Press.
Hribar, G., Podbregar, I. & Ivanuša, T. (2014) OSINT: A “Grey Zone”? International Journal of Intelligence and CounterIntelligence. Available at https://doi.org/10.1080/08850607.2014.900295, accessed 22 June 2020.
Shea, J. (2018) ‘Foreword’, in Hybrid and Transnational Threats: Discussion Paper. Brussels: Friends of Europe. Available at https://www.friendsofeurope.org/wp/wp-content/uploads/2019/04/FoE_SEC_PUB_Hybrid_DP_WEB.pdf, accessed 12 June 2020.