It was the cyberwar we were promised; it was the cyberwar nobody expected…
The conflict in Ukraine has validated a number of assumptions cyberspace strategy and intelligence thinkers have been promulgating for over 20 years. The use of cyber attacks in conjunction with the traditional components of armed conflict, for example. Likewise, the involvement of “patriotic hackers” in an armed conflict, with or without the approval of the national government, is a phenomenon that has been around since at least the Hainan Island incident, and the fall of what used to be Yugoslavia.
This same conflict has also revealed a few surprises. For example, everyone assumed the bulk of cyber attacks carried out in this conflict would originate from Russia. The fact that such attacks have not substantially manifested (yet) – and the relative silence on the wire from the US and NATO countries – may be an indicator that such activity can in fact be deterred: if you’re inclined to adhere to an implied nonproliferation agreement… which random Ukrainians and their friends on the Internet are not. I also don’t recall anyone envisioning a community under threat going all Fire of Moscow on their own infrastructure.
Between the time when a website defacement was considered an event worth briefing to the highest defense and intelligence officials in the land, to the conflict we’re witnessing today, a cottage industry has sprung up around efforts to envision how warfare (and actions short of war) will play out now that we have this fifth domain to deal with. But shortcomings in how we’ve been doing this work, and with whom, threatens our ability to effectively deal with the issues.
In any conflict first reports are often wrong, but if a fraction of what is being talked about regarding things-cyber in Ukraine is true, we have only the slightest grasp of what is possible when people faced with an existential threat arm themselves with CPUs and a decent Wi-Fi connection. It is too soon to craft the after-action report of current events, but there are a couple of early observations that will probably be around long after the shooting stops.
Norms that only apply to some are not norms. Standards of good behavior in cyberspace have to be applied universally. You have to have the intestinal fortitude to apply the standard even when actions are carried out by “the good guys.” People are outraged that cryptocurrency exchanges are not banning Russian transactions, but that’s called adhering to one’s principles. The Vice Prime Minister of Ukraine calls for the formation of an “IT Army” and the “norms in cyberspace” community is strangely silent.
What happens when this happens everywhere? There are 59 armed conflicts going on in the world, and there is no reason why any of them couldn’t develop a cyber component that could impact lives thousands of miles away. When we’re hacked by Russians or Chinese there is always an indictment at the ready; what exactly is our response to a Colonial Pipeline-type event perpetrated by the EZLN?
What happens when anyone is a combatant? Private enterprises and citizens are not staying in their lanes. What are our adversaries to think – or do – when private enterprises take sides? What is government to do when its citizens find themselves on the business end of another nation-state’s capabilities because they joined the digital militia du jour?
It is clear that when it comes to armed/cyber conflict, the issues are not as mature or well-understood as we may have thought. Current events illustrate that the operative aspect of these issues is more politics than it is technology or methodology. Cyber issues do not stand apart from everything else that makes up a state’s toolkit. They must be understood on their own terms and viewed in an integrated fashion. We use analogies to explain things-cyber because it is easier than talking in zeros and ones, but our solutions will come up short if we mistake abstraction for reality.
In a time when diversity and inclusion are so valued, we must recognize the importance of including more intellectually and culturally (hackers, not soldiers) diverse voices in our discussions about and preparations for cyber conflict. The lack of imagination, or even understanding of the art of the possible, is a disservice gatekeepers perpetuate to keep those with rare skills and unique experience – along with their penchant for pointing out imperial nudity – at bay. This is a situation we maintain at our peril if we hope to emerge victorious from the conflicts we will face, vice preparing for the ones we want to be in.