Do we need more transparency of cyber operations doctrines?

There is no question that cybersecurity is among the key world challenges. As reports of cyber attacks increase, policy decisions follow. The creation of military cyber operations, including planning and conducting offensive or defensive activities in cyberspace to achieve strategic and military objectives, slowly become the standard. While the details of military cyber readiness are notoriously secret, public announcements follow on a regular basis -- with many countries around the world announcing the creation of military cyber units. More events are to follow, especially now when it is more and more evident that cyber capabilities are treated as integral part of State powers.

Cyber capabilities and uncertainty

The inflation of states building cyber capabilities coupled with the inherent secrecy of cyber operations (including in context of broader military activities) creates challenges and uncertainty for global stability. For strategists it is difficult not to worry about the risks of conventional conflicts starting from cyber attacks. At the same time it is too easy to forget that the vast majority of cyberspace is in fact civilian in nature. Cyber conflict carries unavoidable risks of interfering with ordinary users and their lives or businesses. The risk of offensive cyber attacks spilling over to civilian networks due to extreme connectedness of networks has been demonstrated many times, perhaps most vividly by the activity of the non-discriminating NotPetya threat in 2017. In the U.S. there is still an ongoing legal dispute between one firm and insurer who denies covering the damages citing “war-like activity” exception. Today it is clear that NotPetya was merely a small warning sign, as the potential capabilities go much further. 2019 also saw the first claimed kinetic response to alleged preparations of cyberattacks, even though no particular details are known. Recently once again,  we had a reminder of the inherent risk of supply chain cyber risks. Happened in the context of a likely cyber espionage operation exploiting access to systems via infected software of a legitimate vendor (SolarWinds).

Cyber capability transparency

Due to the inherent risks of military cyber operations, civilian societies should expect states to publicly disclose more details about the intended uses of cyber capabilities. However, such announcements are still rare. While some countries have begun to speak about their cyber agenda, others, such as the  United States or the United Kingdom (UK) tend to keep their doctrines classified (like the UK Joint Doctrine Publication 0-50, classified secret, though the UK is considering to be more transparent).

Today, France is among the countries which revealed the most about its cyber doctrine. The announcement (my analysis here) of France’s cyber offensive operations doctrine prescribes that the French cyber forces act autonomously, or in conjunction with conventional military in context of existing conflicts.

The doctrine stresses conformance with international law, increasingly signaled also by other countries such as the Netherlands. Even though no specific rules are mentioned (and the ritual link to the Article 51 of the United Nations Charter reserves a response in arbitrary domain). But the crucial and much needed message from the French doctrine is about the application of international humanitarian law, which encompass the Geneva Conventions. International humanitarian laws with its principles of distinction, proportionality, and precaution applied to cyber space can offer the minimum but so much needed elements of restraint in cyber conflict to protect civilians and civilian infrastructure. Abiding by the rules of international humanitarian law also demands developing processes of conducting impact assessments and reviews of risks, including the collateral damage to civilians. In its disclosure in 2019 France went even further, clarifying which types of cyberattacks during armed conflict cyberattacks may be perceived as attacks in the law or policy meaning, the list includes destructive operations but also ransomware.

What we need are open frameworks forming the minimum rules of cyber warfare. This is a question of risk and stability. While the pace of developments around cyber security are rapid, no serious cyber attack is merely a single click activity. While cyber attacks against power grids or other critical infrastructure remain highly debated, there is no doubt about the inherent civilian nature of the infrastructure. But even merely discussing the targeting of such sensitive elements as if there were no limits to operations should be worrying in itself. Because the world might not avoid the existence and proliferation of advanced and dangerous technical payloads. Including those not typically merely used for computer network exploitation, not even those potentially able to cause temporary downtime. Rather, tools reaching even the levels of physical damage to infrastructure that warrants the use of the term “cyber weapon”. Dangerous tools of the kind already exist. However, today the access to seriously destructive capabilities is beyond the reach of vague terrorists or petty cyber criminals. Instead, the capacity is rather within the reach of states or their proxies, which are deemed to have similar levels of responsibility under international law.

The rules of cyber warfare and what next

The acknowledgment that cyber warfare is subject to the rules of international law, and the rules of armed conflict in particular is a step in the direction of stability. However, while it is effortless for states to say that they respect international law, many states still might not be prepared to openly communicate how the rules are respected and apply to cyber conflict.

Still, there is a need to go beyond vague statements, and towards explaining how the rules, such as the law of neutrality or the distinction between civilian and military infrastructure or personnel, among others, are made in practice. Such certainty cannot be reached at the numerous panels, conferences, or keynotes. Only state action can move the debate forward.

The public can pressure governments to disclose their cyber operation doctrines, including the decision-making process and applicability of frameworks such as international humanitarian law. This would be a move meant to enhance the transparency of cyber operations.

Ultimately, this should lead to states working together on ensuring that cyber conflict will not lead to undesirable escalations. Fortunately, recently cybersecurity negotiations resumed at the United Nations, within two dedicated groups, the GGE, and the Open-Ended Working Group, both devoted to cybersecurity. We should await for their final reports, and expect a clear road forward. The topic has also been analysed seriously by the neutral and impartial body, the International Committee of the Red Cross, which issued a report on the human consequences of cyber operations (of which I am the co-author), being a first comprehensive reference on cyberattacks in context of armed conflicts and tackling the risks and consequences ensuing from high-impact cyberattacks. A document explaining the applicability of the international humanitarian law to cyber conflict followed. It says it very clearly that decisions to launch cyberattacks are deliberate, and need technical preparations. Cyberattacks, if or when a party resorts to them, can be technically designed to be self-limited to particular targets. They are not inherently non-discriminating. Such decisions are a matter of the tool design, which fortunately do not subscribe to the popular notion of cyberattacks being a matter of 5 minute clicks.

While disclosing cyber offensive doctrines can be seen as a deterrence measure directed at potential adversaries, ensuring  stability, and decreasing the risk of conflicts waged over the open internet is of paramount importance. The Internet must by definition be kept as a primarily civilian good.

Did you like the assessment and analysis? Any questions, comments, complaints, or offers for me? Feel free to reach out: me@lukaszolejnik.com