Hybrid and cyber warfare appears frequently in the news and forms a topic of debate among scholars. We asked Dr. Steven Bucci, former Military Assistant to the Secretary of Defense and Professor Tim Watson, Director of the Cyber Security Centre at WMG, Warwick University, UK. The question is what is cyber and hybrid warfare and how they can they affect us?
According to both experts, it is crucial to understand hybrid warfare first, as it is a larger concept than cyber warfare. Professor Tim Watson defined hybrid as ‘a form of warfare partially in the digital realm, the aim being degrading capability of an opponent for military purposes.’ Thus, although sometimes hybrid warfare is taken as something which came with the rapid development of large-scale cyber weapons, it is a wider concept. Dr. Bucci described hybrid as ‘a combination of low-end, kinetic warfare activities that are sometimes paramilitary and are sometimes special operations type military and then combining it with informational warfare which today are mostly done digitally, that is what most people consider hybrid warfare’.
Both Watson and Bucci agreed that currently the general public misunderstand the term cyber warfare. For example, many people assume that hacking is ‘cyber warfare’ although both experts asked agreed that hacking in itself mostly constitutes spying. As Bucci put it, ‘people in America are talking about the Chinese attack on databases, getting all that information. But that isn’t an attack. It is espionage, old-fashioned spying.’ Watson analyzed another aspect of this question when discussing the differences between cyber weapons and mere exploits. ‘The thing about those exploits that those weren’t necessarily cyber weapons, there is a different set of laws that apply to intelligence gathering’ he explained, and later added that certain exploits can either be used as means of intelligence gathering but also as cyber weapons which makes it all the harder to actually differentiate between the laws applying to them.
Although the public opinion tends to understand war as an all-out, large-scale operation, specialists know that it is only one end of a larger range of activities. Steve Bucci argued that hybrid warfare as such ‘been out there since at least the First World War, Second World War and probably long before, going back to the Romans, using propaganda, using agents, using small units that infiltrated the enemy.’ The difference is primarily the means through which the opposing agents achieved their ends. As Tim Watson put it, ‘it’s all an upshot of military research to take advantage of any upcoming technique or technology.’ In that regard, therefore, there is nothing new under the sun, hybrid warfare solely continues the tradition of opposing actors using all means at their disposal to ‘win’ a certain scenario.
The image of the lonely hacker in a dark bedroom, hacking the database of NASA is strongly ingrained in the public imagination. However, this ties into the misconception about cyber espionage and warfare being the same. Watson explained that as cyber warfare falls under the Geneva Conventions, ‘you have to make sure that your newly developed cyber weapon is not going to cause collateral damage and you need to test it, so that’s expensive. You also need to maintain your arsenal and that means that you’ll need a constant resupply as these things start to break.’ It is therefore no different from an arsenal of traditional weapons – and the actual impact of the lonely hackers is limited.
The question inevitably arises: how can cyber warfare affect the people of a nation under attack? Bucci warned that in his view, cyber warfare ‘has the biggest potential to affect average, non-military, non-governmental people, more than hybrid warfare or more than kinetic warfare.’ This is especially the case, as the collateral damage of cyberattacks is usually quite large. Tim Watson emphasized that based on the fact that cyber warfare falls under the international laws of warfare, thus their collateral damage has to be minimal. However, he added that legally it should avoid collateral damage to civilians but he actually expects it to be just as damaging to civilians as kinetic warfare, especially as cyber warfare is less tied to geography and cyber effects can be created in the heartland of opponents as easily as on battlefield. In the case of for example an anti-aircraft battery, however, he argued that ‘it wouldn’t be affecting the public in a way that blowing up an electricity grid sub-station would, especially in the case if it only aims at disabling it through cyber means.’ In any case, the question emerges: how to mitigate the unintended consequences of cyber warfare and how to regulate the Wild West of cyber?
Although the Tallinn Manual could serve as a basis for the deeper collaboration of states on cyber issues it seems like it is not going to move further. This is partly the result of the difficulty of counter-proliferation in the case of cyber weapons, as they are both extremely fragile and kept a secret as well as the blurred line between what counts as warfare and what counts as espionage. Therefore, the realm itself requires radically new approaches in order to reach an effective regulation.
When a hack happens, however, governments are quick to jump into action. It is, however, incredibly difficult to attribute the hack to certain groups or nation states, without the resources of a nation state itself. Tim Watson clarified that it is nearly impossible to properly attribute merely using technological tracking – it only gets one so far. Without the human resources, it is not possible. However, even with that, proper attribution takes a long time. Steve Bucci told us an anecdote about the 2009 hacks on the US and South Korea. ‘There was a big hack against South Korea and the US in 2009 called the Korean Virus, and everybody assumed that it was North Korea based on whom they attacked and when they attacked – around 4th of July – and when I talked to some analysists later on, like six months later and asked them ‘Did you ever figure out who really did that?’ And they said, ‘Well, we can definitely say, it wasn’t the North Koreans. That’s how far we got.’
Cyber and hybrid warfare constitute not only the future but they are already the present. Understanding is key if we want to mitigate the collateral damage of such actions.
Would you like to read more of our exclusive content? Subscribe to our weekly cybersecurity briefing!