The Militarisation of Cyber Security as a Source of Global Tension (page 4)

The role of the military in cyber security

Future conflicts between nations will most certainly have a cyberspace component, but this will just be an accompanying element of the battle. Regardless of how high we judge the risk of a large-scale cyber attack, military-type countermeasures will not be able to play a substantial role in cyber security because of the nature of the attacker and the nature of the attacked. Investing too much time talking about them or spending in- creasing amounts of money on them will not make cyberspace more secure– quite the contrary. These findings are not particularly new: Most experts had come to the same conclusion in the late 1990s, when the debate was not yet as securitised. At the time, the issue was discussed under the heading of critical infrastructure protection rather than cyber security, but the basic premises were the same. The role for the military as conceptualised then hardly differs from the role the military should take on today.

Undoubtedly, attacks on information technology, manipulation of information, or espionage can have serious effects on the present and/or future of defensive or offensive effectiveness of one’s own armed forces. First and foremost, militaries should therefore focus on the protection and resilience of their information infrastructure and networks, particularly the critical parts of it, at all times. All the successful at- tacks on military and military-affiliated networks over the last few years are less a sign of impending cyber-doom than a sign of low information security prowess in the military. In case the unfortunate label ‘cyber defence’ should stick, it will be crucial to make sure that everybody – including top-level decision- makers – understand that cyber defence is not much more than a fancy word for standard information assurance and risk management practices. Furthermore, information assurance is not provided by obscure ‘cyber commands’, but by computer security specialists, whether they wear uniforms or not.

The cyber dimension is also relevant in military operations insofar as an adversary’s critical infrastructure is deemed to be a major centre of gravity, i.e., a source of strength and power that needs to be weakened in order to prevail. However, intelligence-gathering by means of cyber espionage must be treated with utmost care: In an atmosphere fraught with tension, such activities, even if or especially because they are non-attributable, will be read as signs of aggression and will add further twists to the spiral of insecurity, with detrimental effects for everybody. The implication of this is that military staff involved in operative and military strategic planning and the intelligence community will have to be aware of cyber issues too. How- ever, in the future, decisive strikes against critical (information) infra- structure will most likely still consist of kinetic attacks or traditional forms of sabotage rather than the intrusion of computer systems.

As for the things the military should not do when it comes to the realm of cyberspace, two major points come to mind. First, particularly as long as the ability to withstand cyber intrusions of military networks or civilian networks remains low, it is unwise to declare the development or possession of offensive measures. It does not have a credible deterring effect, the actual use would bring unclear benefits and high risks, and again, it adds to the cyber security dilemma.

Second, the military cannot take on a substantial role in ensuring the cyber security of a whole country. Due to privatisation and deregulation of many parts of the public sector in most of the developed world, between 85 and 95 per cent of the critical infrastructure are owned and operated by the private sector. Given that overly intrusive market interventions are not deemed a valid option, states have but one option: to try to get the private sector to help in the task of protecting these assets. What emerged from this in the late 1990s already was a focus on critical infrastructure protection, with one particularly strong pillar: public-private partnerships. A large number of them were (and still are) geared towards facilitating information exchange between companies themselves, but also between companies and government entities, which are usually not part of the military or intelligence establishment. This is complemented by measures taken to ensure that the damage potential of a successful attack is constantly decreasing, for example by augmenting the resilience of information networks and critical infrastructures.

In conclusion, governments and military actors should acknowledge that their role in cyber security can only be a limited one, even if they consider cyber threats to be a major national security threat. Cyber security is and will remain a shared responsibility be- tween public and private actors. Governments should maintain their role in protecting critical infrastructure where necessary while determining how best to encourage market forces to improve the security and resilience of company-owned networks. Threat- representation must remain well informed and well balanced in order to prevent overreactions. Despite the increasing attention cyber security is getting in security politics, computer network vulnerabilities are mainly a business and espionage problem. Further militarising cyberspace based on the fear of other states’ cyber capabilities or trying to solve the attribution problem will have detrimental effects on the way humankind uses the Internet; and the overall cost of these measures will most likely outweigh the benefits. What is most needed in the current debate is a move away from fear-based doomsday thinking and a move towards more level-headed threat assessments that take into account the strategic context.

For more by Myriam Dunn Cavelty on this topic, see her paper, external pageThe Militarisation of Cyber Space: Why Less May Be Bettercall_made.