The challenge of cyber warfare to policy makers
At the Fabian Society New Year conference the shadow foreign secretary, Emily Thornberry, was asked hypothetically whether NATO should support Estonia if Russian troops crossed the border. Thornberry responded in a surprising way by saying that Russia had already attacked Estonia, and NATO had done nothing.
Thornberry was referring to the 2007 cyber attack on Estonian infrastructure that crippled the country. In the three week coordinated assault, the Estonian parliament, ministries, political parties, universities, banks, companies and the media were forced offline. A silent, yet highly damaging attack for which Russia faced no repercussions.
Cyber warfare, cyber espionage and hacking are new characteristics of warfare. From the Estonia attacks to the North Korean Sony hack and the hacking of the 2016 US presidential election, policy makers have struggled to respond to this new threat. The use of such techniques does not fit into the conventional way warfare is conceived. How could NATO respond to the Estonia attack? No direct death was caused, no troops crossed the border and there were no columns of smoke, yet serious damage was caused. The framework of NATO’s Article 5 was conceived for Soviet tanks crossing into West Germany, not cyber warfare.
The use of cyber warfare is particularly advantageous to rogue states and terrorist groups; it gives them a way to flex their muscles without committing a conventional act of war. It is particularly effective against western democracies, which rely on the support of their people to govern. Democratic policy makers must convince the public both of the need to retaliate and that the consequences of retaliation are worth bearing, for example, reduced trade due to the implementation of sanctions.
For policy makers, cyber warfare poses three major challenges – visuality, uncertainty and proportionality.
Cyber warfare has the potential to cause untold damage and harm, but lacks the visuality of a conventional act of war. The digitisation of economies means core infrastructure is exposed to attack. Hacks on business and corporate cyber espionage have the potential to destroy livelihoods. An attack on Wall Street could have untold repercussions for the global economy. Shutting down the national grid for just a few hours could indirectly kill far more people than a conventional terrorist attack, but with none of the visual imagery.
Building political and public support for retaliatory sanctions or armed intervention is incredibly difficult even when aggression is clear. The images of the attack at Pearl Harbour, Argentinian troops raising their flag on the Falkland Islands and the twin towers burning on 9/11 were powerful motivators for retaliation. Policy makers need these powerful visuals to make the case for action, particularly military action. Cyber warfare is fire without smoke; it denies policy makers the visuals necessary to build a convincing case for retaliation.
The second key challenge is uncertainty. For intelligence agencies, tracing the source of a cyber attack is challenging. Furthermore, they must discern whether or not the attack is state sanctioned or a lone wolf. The nature of cyber warfare means that it can be carried out by as little as one person with a laptop. This information is vital for discerning the appropriate response.
Without powerful images, policy makers must rely on intelligence to make the case for retaliation. The public must be convinced that the culprit has been correctly identified for them to support retaliation. As can be seen in the US election hacking, there is considerable public doubt over Russian hacking, not helped by Trump’s denial and public distrust of intelligence services. A purely intelligence based argument for retaliation lacks the necessary emotion to convince the public of the need to take action. Public skepticism of the intelligence services, in addition to counter information from ‘fake news’ and propaganda, makes convincing the public of the need for retaliation difficult.
Finally, policy makers must react proportionally. They must decide on the most effective and most appropriate response. There are a range of options available to policy makers from sanctions to a counter cyber attack or even military intervention. Whilst retaliatory action should aim to deter further cyber attacks, there is a significant risk of escalation. Further to this, policy makers’ options are restrained by the extent to which they have public support. This means that retaliation may not be proportional to the scale of the attack, but proportional to the domestic political environment.
Therefore, policy makers are placed in a very difficult situation, with a need to respond to cyber attacks, but with a set of political obstacles posed by the nature of cyber warfare. Whilst cyber warfare has different characteristics to conventional warfare, it should still be considered an act of war and thus responded to as such.
International organisations such as NATO, the UN and regional blocs have institutionalised the response to conventional warfare, creating rules and norms that states on the most part abide to. The post-war Labour government was instrumental to developing these organisations. Now Labour has the opportunity to champion new institutions that can restrain the use of cyber warfare through developing new international norms and rules. Instead of governments responding to cyber attacks ad hoc, there must be guiding principles, rules and set policy responses. A new vocabulary must also be developed to discuss cyber warfare which overcomes the lack of visuality and encourages an emotional response. Once there is an institutionalised response to cyber attacks, the political obstacles to retaliation can be more easily overcome.
Thornberry stated at the Fabian New Year conference that we must be truthful with our NATO allies. The truth is, the UK has no coherent response to the new threat of cyber warfare, but that should not be Labour’s position. We must champion new institutions and develop defence policy that is not ad hoc, but clearly states our guiding principles for defending Britain’s cyberspace.