Cyber Warfare: Offence, defence and deterrence

Line of Defence Magazine, Autumn 2017

Cyber War

Dr Joe Burton, senior lecturer in political science and public policy at Waikato University, presented on cyber warfare at the 2017 NZDIA Defence, Industry & National Security Forum. We ask him about how New Zealand is positioned in relation to cyber warfare, and find that among the challenges there are opportunities.

In his presentation abstract, Dr Burton remarks that although cyber warfare has become an increasingly salient feature of the international security environment, there is still a tendency to conflate the term with other aspects of cyber security and to misunderstand the nature of cyberattacks in the military sphere. He aims to provide some clarity.

Outlining the core features of cyber warfare, and how the concept and practice of cyber warfare has evolved over the last decade, his talk will cover aspects of cyber defence, the pros and cons of developing offensive cyber security capabilities in the military sector, and the very significant problems associated with creating effective cyber deterrence.

Dr Burton, who is also a member of Waikato University’s New Zealand Institute for Security and Crime Science, has worked at the highest levels of professional politics as a ministerial advisor in New Zealand and the UK, national campaign coordinator and political organiser.

With a PhD in international relations and having worked within the corridors of political power, Dr Burton is not the typical cyber security commentator. His background reflects the notion that cyber security is an international security issue with drivers and implications well beyond the domain of information technologists.

This places him in analytically potent position. An understanding of the evolving cyber threat landscape – and future cyberwar battlespace – logically requires a comprehensive knowledge of the strategic relations between nations and the nature and motivations of non-state actors looking to weaponise cyberspace.

LoD: You mentioned in your abstract that there exists a tendency to conflate the term with other aspects of cyber security and to misunderstand the nature of cyberattacks in the military sphere. Can you elaborate on what you mean by this?

JB: There are many examples in popular media and even by our foreign policy leaders and statesman that refer to cyberattacks as cyber warfare when in fact the attacks don’t meet that threshold. Cybercrime is not the same as cyber warfare and nor is cyber espionage – both are based on the theft of information but don’t involve the use of military force and may lack political motivations.

Enjoying this article? Consider a subscription to the print edition of Line of Defence.

Former NATO Secretary General Anders Fogh Rasmussen referred to cyberattacks against NATO networks as a form of permanent low-level warfare, but I think this type of activity is better categorised as espionage or maybe subversion. The overuse of the term cyber warfare creates fear that may be used to justify excessive controls of the internet and may contribute to the militarisation of cyberspace.

Enjoying this article? Consider a subscription to the print edition of Line of Defence.

LoD: Would it be correct to say that New Zealand lags well behind its strategic partners in terms of cyber warfare capability? If this is so, is the investment for Defence cyber protection earmarked in the most recent Defence White Paper and Capability Plan enough?

JB: Maybe five years ago you could say New Zealand was a weak link, but not anymore. Our military are investing significant resources in this area and this is taking place in the context of a whole of government effort in cyber security.

We have a national cyber security centre, a cyber policy unit in DPMC, a second version of a national cyber security strategy, a new national Computer Emergency Response Team (CERT), reformed intelligence agencies and an increased awareness across government of the nature of the cyber threat.

We do need to develop new military doctrines around the use of cyber capabilities, but that is something all countries are needing to do simultaneously. The government’s allocation of resources to the NZDF for cyber capabilities is significant – let’s see what comes of it.

LoD: Is the capability first and foremost about the ability to maintain interoperability with international partners that the NZDF deploys with – so that New Zealand does not become a cyber ‘weak link’ within a multinational deployment?

JB: Operational cyber security is of paramount importance to New Zealand military deployments. We need to make sure our communications networks and systems are security from cyber intrusion. Failing to do so could involve a loss of life, especially when we are deployed in danger zones like Iraq or Afghanistan.

Almost invariably we deploy in multilateral contexts, working with our security partners. If our systems are not secure then that creates vulnerabilities for them. So yes, there is an obligation on our part to invest in this area.

LoD: As a small state with limited physical offensive capabilities, would New Zealand actually benefit from an offensive cyber warfare capability, even if the attribution problem was solved?

JB: The attribution problem is unlikely to ever be completely solved, especially as more advanced encryption technologies come online. Hackers will find new ways to cloak their activities.

There is also a political and legal attribution issue – it may be possible to use digital forensics to identify the source of an attack, but foreign governments will still deny involvement and be reluctant to help prosecute hackers that may be associated with those governments.

The question of whether New Zealand should develop offensive cyber capabilities is a wider one, but very important. There are reasons why an offensive capability might give New Zealand an asymmetric advantage over larger, more powerful states.

There may also be circumstances where the use of offensive cyber capabilities can be used for force protection – stopping hackers that pose threats to our military personnel and assets seems like a reasonable thing to contemplate.

Perhaps the most compelling reason I’ve heard for the development of offensive cyber tools is that they might make violence less necessary. If you can destroy an adversary’s anti-aircraft capabilities through cyberattacks rather than having to use bombs and guns, that is a safer and less costly modus operandi. However, the development of offensive cyber tools presents real dangers too.

The militarisation of cyber space, costly arms races, security dilemmas, collateral damage, and escalation pressure are all very serious concerns. We need to think carefully about the wider implications of having offensive cyber capabilities (including being a greater target for hackers) and consider any unintended consequences.

LoD: Given New Zealand’s strong support of international institutions and a rules-based order, should New Zealand be taking a more proactive stance around the development of international cyber warfare norms and legislation?

JB: We have limited diplomatic resources but I’d like to see a greater and more focused international effort in this area. We had a golden opportunity at the United Nations recently to put cyber security on the UNSC agenda but decided to focus on other things.

My sense is that cyber should be higher in the hierarchy of priorities for our diplomats. I just took a team to the ‘cyber 9/12’ student challenge in Australia, where I heard their new Cyber Ambassador, Tobias Feakin, talk. We could create a similar position here in New Zealand.

We have a history in New Zealand of being very active in disarmament, and there may be a compelling international case to prohibit or regulate the development of cyber weapons. If we can de-nuclearise the South Pacific or prohibit the weaponisation of outer space, then why not the militarisation of cyberspace? I hope our government will think as hard about cyber peace as they do about cyber war.

 

RiskNZ