On 4th October 2019, Microsoft announced that it had uncovered multiple attempts by hackers believed to be linked to the Iranian government to infiltrate a 2020 US presidential campaign.
While far from ground-breaking, this revelation is yet another sign of a major strategic disruption: over recent years, cyberspace has become the most fertile battleground for states and non-state actors seeking to further their geopolitical and economic ambitions.
The digital world has phenomenally expanded the means and thresholds of aggression, and rendered obsolete the traditional dichotomy between war and peace.
Over the years, western democracies have found themselves on the back foot against a boom in cyber threats. At the heart of their vulnerability is their struggle to grasp and act on the full scope of cyberspace.
Cyberwarfare is a reality
Cyberspace encompasses all the global hardware and software means of storing, processing and transporting bits and bytes, but also, and most critically, all the information-content of that data.
Cyberwarfare is the offensive use of these multiple components with the purpose of exerting influence or control over an adversary.
Practically speaking, it can take the form of hacks that seek to compromise the confidentiality or integrity of digital systems for the purpose of espionage or sabotage, but also of assaults on the integrity of the information sphere, such as the mass dissemination of fake, biased or incomplete information through digital media.
To cite only a few examples, the disruption and partial destruction of Iranian centrifuges by the Stuxnet malware in 2010, the North Korean-led hack of Sony Pictures in 2014, the mailbox hacks of Hillary Clinton’s presidential campaign and the targeted social media propaganda operation orchestrated over the course of 2016 by a constellation of Russian-affiliated actors (most prominently, Russian military intelligence and the Saint Petersburg-based Internet Research Agency), and, last but not least, the WannaCry and NotPetya attacks of 2017 have all made for headline-grabbing news.
Far from being isolated events, such operations are increasingly part of integrated strategies that seek to undermine an opponent by acting under the threshold of open warfare.
At this early stage of cyber competition, there are clear winners and losers. China and Russia were quick to recognise and experiment with the asymmetric opportunities of cyberspace.
China first specialised in the cyber theft of western intellectual property assets. Today, its leaders see digital technology as a major way towards global economic leadership.
Russia, for its part, has made cyber operations a key component of what it considers its legitimate response to western attacks on its sovereignty and sphere of influence. Following a string of events that range from endorsements of the “colour revolutions” by American officials and US-based NGOs to the enactment of economic sanctions against Russia, Moscow saw in cyber-attacks an opportunity to hit western countries at their weakest point while remaining below the threshold of open warfare.
Smaller actors, namely Iran and North Korea, have also recognised the extent to which cyber operations can transform an unfavourable balance of power.
Iran’s response to the Stuxnet attack is most telling: within the space of two years after discovering the US-Israeli malware, Iran was able to mount a series of incursions on US financial institutions that completely inhibited President Obama from further cyber offensive actions.
After two decades of overconfidence in their cyber intelligence collection, US officials were alarmed to discover foreign actors’ proficiency in hacking into their critical infrastructure, and completely caught by surprise by the information attacks that took place during the 2016 presidential campaign.
That said, the United States has come a long way since 2017, bolstering its defensive and offensive doctrine and capacities in cyberspace, to the point of pre-emptively knocking IRA servers offline in the run-up to the 2018 midterm elections, and ensuring an increasingly active ‘forward’ presence on foreign networks to defend its own critical infrastructure.
Similarly, Reuters revealed on October 16th that a US cyberattack targeted the Iranian digital propaganda apparatus at the end of September.
Our Old Continent, however, remains a step behind on both fronts. Europe has struggled to weigh in coherently against “digital powers”, whether they be states or private enterprises, and several EU Member States have already faced serious challenges to their electoral processes and wider security in cyberspace.
Governance in cyberspace is the challenge
Governance remains the number one challenge: no one would contest the fact that the internet is now a vital global infrastructure, yet there is no international body in charge of protecting it.
What the International Civil Aviation Organisation (ICAO) is for commercial aviation or the International Atomic Energy Agency (IAEA) for nuclear energy simply does not exist in the cyber sphere.
To date, the only significant initiative in this direction is the Paris Call for Trust and Security in Cyberspace launched by President Emmanuel Macron in November 2018. This code of good conduct in cyberspace has the merit of having gathered signatories from 67 States, 139 international and civil society organisations, and 358 private companies, and its principles have already started to positively influence UN debates on global cybersecurity.
However, it lacks the signatures of the USA, Russia and China.
As we argue in our book, the creation of an “International Cybersecurity Agency” is essential, and it will only see the light once major powers agree to mutual confidence-building measures in cyberspace.
At a European level, the Council agreed on two major decisions in 2019 to improve governance and security.
First, on 9th April, the Council adopted the Cybersecurity Act, thereby establishing EU-wide certification schemes and transforming the current ENISA into an EU Cybersecurity Agency.
Secondly, on 17th May, it decided to give the EU the capacity to sanction persons or entities directly or indirectly responsible for cyber-attacks against its institutions or Member States.
Information sharing and partnering
These moves are significant but remain insufficient to cope with two emerging challenges.
First, states are seeing an increasing number of “pre-positioning” cyber-attacks against their critical infrastructures, particularly in the energy sector.
While implants may be innocuous, they put targets at risk of sabotage at the will of an aggressor, with potentially devastating effects. This very capacity serves to pressure the targeted country.
Secondly, artificial intelligence will soon make attribution far more difficult, reducing a target’s ability to retaliate, and increasing the risk of escalation in the case of “false flag” attacks.
To face these challenges, the cyber commands and intelligence agencies of the most capable and determined Member States must reinforce information sharing, and develop common plans of response to attacks below the threshold of open warfare.
In spite of Brexit, partnership with the UK remains essential. In addition, we recommend the establishment of a cyber innovation unit within the new Directorate-General for Defence, able to work with the private sector in agile ways that reflect the speed of technological change and to grant contracts exclusively based on the technological merits of their proposals.
Jean-Louis Gergorin is the owner of JLG Strategy, an aerospace and defence consultancy. He teaches a course entitled “The New Strategic Upheaval” at Sciences Po Paris. An alumnus of Ecole Polytechnique, Ecole Nationale d’Administration and the Stanford Executive Program, he is the co-founder of the French-American Cybersecurity Conference. He was previously inter alia Executive Vice-President (Strategy) of EADS (now Airbus) and Head of Policy Planning of the French Foreign Ministry.
Léo Isaac-Dognin is an engagement manager at Capgemini Invent in Paris, where he advises public and private organisations on digital strategy and artificial intelligence. He holds a BA from the University of Cambridge and a joint MPA/MIA from Columbia University and Sciences Po, focused on technology and policy. He also lectures at Sciences Po Paris. He previously worked for the UK’s Financial Conduct Authority as a financial crime analyst and policy advisor.