The number of countries and non-state groups that are developing various types of cyber capabilities continues to rise. These skills and tools are also being integrated into the wider arsenal that these actors use to achieve their political objectives. Many also say there is now an ongoing “arms race” not only between cyber criminals and security companies but also between powerful nation-state competitors. At the same time, international law is developing slowly at best. Public attribution is limited by technical challenges, creating conditions for opacity and impunity. In this confusing context, is it possible to project power in and through cyberspace? If so, how, when, why and perhaps even where?
These questions were the underlying theme of the 8th annual International Conference on Cyber Conflict (CyCon), held last week by the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia. Network defenders, hackers, analysts, officials, and politicians found much to talk about but reached limited agreement. It’s clear that the concept of cyber power could be highly relevant to analyze the countless calculations made daily by those with access to the relevant capabilities. But is it? Power generally refers to the ability to compel or influence other actors to behave in ways that benefit one’s own objectives. Putting aside semantic and definitional issues, do nations and non-state groups even employ this idea in their own thinking, either implicitly or explicitly? The panels, keynotes, and coffee break conversations demonstrated that there is a wide variety of approaches to this question.
In terms of international organizations, NATO was the subject of pervasive discussion. With the Warsaw Summit approaching, the main debate in NATO cyber defence policy is about whether to adopt cyberspace as an operational domain. Many states have already done so, and most high-level speakers also expect this to occur in Warsaw. However, there were also voices of caution. Presumably, declaring cyberspace as the fifth domain of warfare will ultimately (albeit very slowly) open the door for future cooperation beyond merely the defence of networks. If NATO allies can agree on the utility and value of working together both defensively and in cyber operations, then this would constitute a strategic shift to imbue the Alliance with the ability to potentially project power in line with its central objectives of collective defence and cooperative security. Given the current state of relations with a resurgent and aggressive state on NATO’s eastern periphery, some would consider this as a very positive development indeed. In the long term, it may well be seen as one of the first steps toward deterrence in the cyber domain.
The conscious transition toward cyber power is slightly more perceptible at the national level. Sovereign states will continue to be the most relevant actors in global affairs for the foreseeable future, with cyber commanders and political leaders alike agreeing at CyCon about the need for developing national capabilities in cyberspace. This applies to defence, where investments into network security can influence potential adversaries to not attack one’s systems. It also applies to offense, where threat actors with links to some states have already demonstrated the capability and intent to conduct espionage, influence operations, and attacks on critical infrastructure in pursuit of their broader foreign and security policy objectives. Investment into the personnel and tools necessary to carry out network defence and cyber operations is growing in most countries, especially those with the greatest stake in global economic and security policy. This trend shows no signs of slowing down, and it is likely that states will continue to use either military and intelligence units or subcontracted criminals and extremists to pursue their national interests in and through this new domain. However, it is a separate question entirely whether current activities are effective, irrelevant, or even counterproductive. From this perspective, there can be great value in case studies focusing on a particular conflict or even an individual operation.
While this year’s CyCon was keynote-heavy and adopted a strategic focus, several panels also highlighted the tactical methods of achieving cyber power or preventing one’s adversaries from employing it effectively. Particular attention was played to the nature of advanced, targeted cyber attacks, the protection of weapon systems, cyber threats to aviation, and the Internet of Things as an attack vector. Insofar as it did emerge, the consensus was a familiar one: the threats are becoming more numerous and complex, the lines between adversaries are often blurred, the role of the human remains crucial, and shared standards are needed as more devices become connected.
All in all, the conference provided another snapshot of the current state of affairs in international cyber security as well as the requisite historical and theoretical analyses. CyCon continues to demonstrate its value, both for the quality of the presentations and proceedings as well as the variety and sophistication of its participants. In fact, the brand is now spreading to the United States, with the first “CyCon West” taking place in Washington, D.C. in October. The Call for Papers for that new event as well as next year’s CyCon are open. I, for one, am certain neither will disappoint.