One of the most striking features of the 21st century is the widespread adoption of information technology in every aspect of the modern life of individuals, society, or nation-states. When compared to land, sea, air, and space, cyberspace has unique features. Its “geography” is easily modified: oceans and mountains are hard to change, but entire cyberspace regions can be turned on or off with a button click. Moreover, anonymity, the low cost of acquiring or developing offensive capabilities, and the plausible deniability of actions have turned this dimension into a theater of operations for nation-states. This book does not focus on the worst-case scenario where cyber offensive actions will revolutionize war. Instead, it intends to provide empirical analysis regarding the current state of cyber conflict. This book presents evidence of 29 countries engaging in state-sponsored actions and 85 nations acquiring cyber offensive technologies from private vendors. The numbers challenge the average perception of concentration of cyber capabilities in a few “traditional” actors. Cyberspace provides nation-states with alternatives for bargaining and interaction below the threshold of the use of force. As a result, actors can achieve strategic outcomes and influence the balance of power without resorting to an armed attack, while minimizing the risk of a military or nuclear response from their targets.
Number of pages: 144
Year of publication: 2022
To my family.
Cover
Title Page
Credits
1. INTRODUCTION
2. CONCEPTUAL FRAMEWORK
3. LITERATURE REVIEW
4. RESEARCH QUESTIONS
5. METHODOLOGY
5.1. RESEARCH LIMITATIONS
5.2. TECHNICAL REPORTS AND INDEPENDENT STUDIES
5.3. DATA BREACHES
5.4. REPORT FROM EXPORTS CONTROLS
5.5. PROCESSING THE DATA COLLECTED
5.6. THE CLASSIFICATION AND ENTITY RECOGNITION
5.7. PARSING STRUCTURED DATA
5.8. THREAT ACTORS AND DOCUMENT CLUSTERING
5.9. MERGING THE DATASETS
6. OVERARCHING RESULTS
7. NATION-STATE CYBER OFFENSIVE ACTIONS
7.1. THREAT ACTORS
7.2. INDIGENOUS TECHNOLOGY OR OUTSOURCING
7.3. TARGET’S GEOGRAPHICAL DISPERSION
7.4. PREFERRED TARGETED SECTORS
7.5. ACTIONS COMPLEXITY
7.6. ATTACKS OBJECTIVES
8. CYBER OFFENSIVE CAPABILITIES ACQUISITION
8.1. MULTIPLE ACQUISITIONS
8.2. CUSTOMERS
9. DISCUSSION
9.1. DIFFUSION (NOT EQUALITY) OF CYBER OFFENSIVE CAPABILITIES
9.2. GEOGRAPHY MATTERS
9.3. PROFILING NATION-STATE BEHAVIOR
9.4. BUILDING CYBER OFFENSIVE CAPABILITIES
9.5. CORRELATING CYBER OFFENSIVE CAPABILITIES AND AUTHORITARIANISM
9.6. IS THE BEST DEFENSE A GOOD OFFENSE?
9.7. MULTIPOLARITY IN CYBERSPACE
10. CONCLUSIONS
11. REFERENCES
APPENDIX A - CYBER CAPABILITIES PROVIDERS
APPENDIX B - CYBER CAPABILITIES PURCHASES
APPENDIX C - COUNTRIES PROFILES
This research delves into the current state of cyber conflict and its consequences for nation-state competition. The study does not intend to present conceptual innovations; instead, it focuses on empirical evidence to present its conclusions regarding the use of cyber offensive capabilities. With this approach, this research will avoid inflating threats by considering hypothetical cases where devastating consequences could be achieved through offensive cyber operations.
One of the most striking features of the 21st century is the widespread adoption of information technology in every aspect of the modern life of individuals, society, and nation-states. This process is referred to as the “Fourth Industrial Revolution,” and the internet is its iconic expression (J. Nye 2010).
The internet went from innovation to one of the essential pillars of the modern economy. According to the United Nations, since 2014, all countries possess a digital footprint, though it varies in sophistication and scale (2020). A previous study also demonstrated that security is a major concern regarding cyberspace, as more than eighty countries have published national strategies for cyber security (Izycki and Colli 2019).
Moreover, the growing interconnectivity will increase exponentially in the years to come with the adoption of new 5G networks, the internet of things (IoT), large volumes of information (Big Data), the use of machine learning (artificial intelligence) and the use of quantum computing. As a result, economic activity and ordinary life will be even more exposed to the threat of offensive cyber operations (Kello 2017).
When compared to land, sea, air, and space, cyberspace has unique features. Its “geography” is easily modified: oceans and mountains are hard to change, but entire cyberspace regions can be turned on or off at the click of a button (Kramer 2009).
Additional features such as the relative anonymity, the irrelevance of geographical distances for some processes and purposes, the low cost of acquiring or developing offensive capabilities, and the plausible deniability of actions have turned this dimension into a theater of operations for nation-states (J. Nye 2010). Further, the collective perception is that the number of incidents and the number of actors will increase in the future (Geers and Lewis 2015).
Cyberspace can be conceptualized in different manners, but a straightforward approach defines it as a hybrid composed of physical and logical layers. Its infrastructure - servers, submarine cables, internet exchange points, internet connection providers - is oriented by economic laws, limited resources, and increasing marginal costs. The logical layer - content providers, web applications, data, information - allows for economies of scale given its intangible nature (J. Nye 2010).
These features have generated high-frequency, low-intensity offensive actions (Rid and Buchanan 2015), amplified by the absence of a clear framing of how international law applies.
The actors in cyberspace vary from individuals to nation-states. Individuals (Edward Snowden and Chelsea Manning), hacktivist groups, and public disclosure services (such as WikiLeaks and Cryptome) have not displayed the same sophistication as nation-states. However, their actions caused worldwide political impacts (Coleman 2014).
The core of cyberspace infrastructure is owned and managed by multinational companies and organizations such as Amazon, Apple, Facebook, Google and Twitter. The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for the Domain Name System (DNS), and the Internet Engineering Task Force (IETF) is responsible for establishing internet protocols globally.
Private actors also have a market share of offensive actions. Indeed, a noticeable number of them are the providers of cyber capabilities to state actors (Kello 2017). By 2018, at least 60 countries acquired some cyber offensive artifacts (Izycki and Brandão 2019).
This panorama prompts the following questions: what is the current state of affairs regarding nation-state cyber conflict? Will firing bits and bytes become more, or as frequent as, throwing bombs and firing bullets?
The debate regarding cyberspace and cyber conflict needs to be based on evidence and not extrapolations of the worst-case scenarios (Valeriano and Maness 2018). Threat inflation is a scourge of cybersecurity, driven in part by private vendors, for whom it is good for business, and in part by governments, which take advantage of the discourse to enhance their prerogatives and powers in cyberspace.
Following the steps of Valeriano and Maness (2018), this research intends to analyze empirical data about cyber offensive actions performed by - or that can be attributed to - nation-states, instead of focusing on high-profile hypothetical cyber-attacks. The purpose of this research is to provide a clear picture of the stakeholders and their behavior so that future policy decisions are based on accurate observations of cyberspace.
This research has two main goals for the fields of international security and international relations.
The first is a methodological contribution. This research built an algorithm to collect and process the empirical data used to examine its hypothesis. The extensive use of Python3 and Natural Language Processing (NLP) can be adjusted to different subjects within social sciences by preparing a customized ontology.
The second contribution of this research is to gather evidence of 29 different countries engaging in offensive cyber actions and 85 nations acquiring offensive cyber technologies from private vendors. The numbers challenge the average perception of concentration of cyber capabilities in a few “traditional” actors. This implies that cyberspace, as an operational theatre, favors the diffusion of power among nation-states.
To summarize, this master’s research will provide an innovative contribution with an unprecedented dataset gathered from open source and official data. Besides the raw data, this research will provide a unique perspective by addressing the nation-state stakeholders, their behavior, and their goals when conducting cyber offensive actions.
To address such a complex issue as conflict in cyberspace, it is necessary to define the issue before engaging in analysis. The first item for the scope definition regards what conflict means in the context of this research.
There is a great divide regarding the nature of cyber conflicts. A host of authors consider that cyberspace introduced a revolution to state affairs, and there is an equally engaged group that claims that it is mere technological evolution.
The revolutionary faction began with the seminal work of Arquilla and Ronfeldt (1993) - Cyberwar is coming! - and continuously asserts that cyberspace conflict will eventually escalate to the level of war (Kello 2017). Similar thinking was presented in the “cyber–Pearl Harbor” scenario by Leon Panetta, Central Intelligence Agency Director (2012). Influential works by Clarke and Knake (2010) also evaluate countries according to their cyber capabilities to wage war.
To this group, there is little doubt that the coming changes will be dramatic enough to induce structural transformations in the framework and pattern of states’ mutual relations. If this is the case, current concepts and dynamics will become unfit to assess and predict future conflicts.
On the other side of the spectrum, evolutionists consider that cyberspace’s intrinsic characteristics will prevent a purely cyber conflict. According to Thomas Rid, engagement in this realm will be a variation of countries influencing each other through espionage and sabotage (Rid 2011), a silent and persistent battle.
Rid (2011), Lindsay (2013), and Gartzke (2013) assert that cyber offensive actions lack the kinetic effects (destruction and loss of human lives) to be an autonomous instrument to pursue political goals. Rid goes as far as to say that cyberwar will never take place, given that conflict without death and violence to achieve a political goal (Clausewitz) is not war.
In this sense, Nye points out that it is unlikely that cyber conflicts provoke escalation, because states face constraints in cyber offensive actions (2018). This, in turn, would convert the so-called “offensive’s advantage” into a myth (Valeriano, Jensen and Maness 2018).
This theoretical schism appears unsolvable given the currently available evidence. Perhaps only time will settle this dispute, with the emergence of conclusive concrete cases. However, both sides agree that there is an increase in cyber engagements, and further studies about the subject are necessary.
It should be highlighted, however, that applications of offensive cyber capabilities in support of conventional weapons are very promising. Their use for command and control, remote sensors, terrain monitoring, enhanced communications systems, and increased striking precision is already in place and improving.
The 2008 Georgian War, in which intense offensive cyber actions preceded the Russian invasion, is a real example of cyber actions supporting conventional engagement. Several attacks against government services and denial of service attacks were seen during the confrontation (Georgia 2009).
Another interesting example where cyber actions have displayed a supporting role to conventional actions is the Russian-Ukrainian conflict (ongoing since 2014). The cases of BlackEnergy (Kaspersky 2016) and Industroyer (Cherepanov 2017) campaigns are additional evidence that cyber actions are used to degrade the opponent’s morale and infrastructure as part of an ongoing broader conventional conflict.
In fact, the use of new technology in conventional operations is inexorable and constant throughout history and is accelerating with the possibilities presented by cyberspace. This, however, should not be understood as cyberwar itself, as Rid clearly stated. Despite the relevance of cyber actions as support to the conventional military operations, this subject is not going to be addressed further in this study.
To avoid trying to solve this complex theoretical issue, this research will consider a broad idea of cyber conflict that can be achieved through offensive cyber actions. According to Valeriano and Maness (2016), it means “the use of computational technologies for malevolent and destructive purposes to impact, change, or modify diplomatic or military interactions.”
This definition includes both Computer Network Attacks (actions from cyberspace that produce effects beyond the digital realm) and Computer Network Exploitation (actions and results remain contained in cyberspace), treating them as equally relevant. This vocabulary is often used by the United States government (Kramer 2009).
It is also relevant to incorporate the idea brought by Kello (2017), referring to cyberspace as a dimension in a state of unpeace. The concept portrays cyberspace as an intermediate where states can engage aggressively without crossing the armed attack threshold, thus not provoking war. However, at the same time, their actions are extremely detrimental to their targets.
It is assumed that to perform cyber actions, states need power, which they derive from capabilities and intent to perform actions (Voo, et al. 2020). The concept of power is used often; however, there are various definitions of power.
There are at least three dimensions of power. The first, introduced by Robert Dahl, is the ability to force a third party to do as you desire, something that they would not otherwise do. The second dimension of power, proposed by Peter Bachrach and Morton Baratz, addresses the notion of agenda-setting or framing, without necessarily any coercion instruments. Steven Lukes created the third face of power, indicating that ideas and beliefs can shape a desirable outcome for the one exercising it (J. Nye 2010).
The three facets of power were later reorganized by Joseph Nye between the dichotomy of hard power (coercion and material retribution induce third parties’ behavior) and soft power (persuasion, ideological attraction, and agenda-setting in a cooperative fashion induce behavior).
There are examples of soft and hard power applied through cyberspace: cyber actions with kinetic consequences and cyber actions with cybernetic effects (J. Nye 2010).
Nye (2010) provides a few examples to synthesize the concepts of Soft and Hard power and their effects within and beyond cyberspace:

Table 1 – Physical and Virtual Dimensions of Cyber Power

|  |  | Cyber Effects | Kinetic Effects |
| --- | --- | --- | --- |
| Kinetic Action | Hard Power | Government controls over internet/telecom companies | Bomb internet exchanges, cut submarine cables, or bomb threat actors HQ |
| Kinetic Action | Soft Power | Providing infrastructure to human rights activists | Criminally prosecuting alleged state-sponsored hackers |
| Cyber Action | Hard Power | Wiper attacks (data destruction), denial of service attacks | SWIFT system heists, attacks against Critical Infrastructures |
| Cyber Action | Soft Power | Set norms and standards (5G), data privacy laws (GDPR) | Disinformation campaigns, public diplomacy in social networks |

Source: Nye, Cyber Power, pg. 5, 2010
