For years, cyber warfare has been a topic of concern for the world’s leading nations, all of which have outlined scenarios in which they are the victims of either a state or non-state actor using cyber weapons to carry out an attack to cripple their national power grids. As a result, a fundamental shift from defensive to offensive cyber operations is now underway in order to deter these attacks. The United States and its European ally France are at the forefront of this trend.
France and offensive cyber operations
At the beginning of 2019, French Defense Secretary Florence Parly publicly acknowledged in a speech delivered at the Forum International de Cybersecurité in Lille, France that her nation was changing its posture from “active defense” to “offensive cyber capabilities.” This was not just a throwaway line in a speech, either: it was the public articulation of a very real change in the way that France views the global cyber threat matrix. As Parly herself pointed out, “Cyber war has begun.” And France is not about to sit around idly as other nations mobilize offensive cyberspace operations (OCO).
In moving from defensive to offensive cyber operations, Parly was simply advancing the more aggressive French policy towards military cyber capabilities that had been outlined by former Defense Secretary (and now Minister of Europe and Foreign Affairs) Jean-Yves Le Drian, who set up a cyber command for France back in 2016.
As Parly sees it, “The cyberweapon is not only for our enemies.” And, to follow through on that claim, Parly outlined a variety of ways that France would be beefing up its offensive cyber operations. For example, as of February 2019, France will now be operating a “Yes We Hack” partnership between France’s cyber command and tech startups around the nation. The goal of the partnership is simple: to recruit hackers to help France develop its military cyber capabilities. In addition, France will now be working on developing other private sector relationships, especially with the small- and medium-sized enterprise (SME) sector. The goal is full private sector involvement and the engagement of what Parly refers to as “the industrial supply chain” in the cyber warfare arena.
This approach to cyber security is in stark contrast to that pursued by other European allies of France. For example, within the UK, the policy stance is still officially a defensive one. Moreover, the UK government typically only works with very large defense contractors with the requisite security clearances, rather than the entire private sector. So you can see at a glance how France is stepping up its game when it comes to cyber. France will now use cyber arms as well as other traditional weapons to respond and attack, in accordance with international law.
The United States and offensive cyber operations
In shifting from defense to offense in its cyber operations, France appears to be following the lead of the United States, which recently announced a major policy change of its own back in September 2018. At that time, the Trump Administration authorized offensive cyber operations. National Security Advisor John Bolton officially eased the rules that prevented the Department of Defense from coordinating offensive cyber attacks against the enemy.
At the time, though, the White House did not outline any details on the nature of the weapons to be used, or even how significant the new offensive cyber operations would be for the federal government. But the message was clear: the United States would no longer have its hands tied in the cyber realm, as they were under the Obama Administration, which was often criticized for slow and timid responses to evidence of cyber hacking.
What’s worrisome, however, is that the U.S. specifically pointed to two of the world’s most powerful state actors – Russia and China – as its primary adversaries in cyberspace, and not a rogue nation like Iran or North Korea. In other words, the threat of a terrorist organization carrying out a cyber attack on the U.S. homeland now appears to be much less than that of a major nation-state carrying out a coordinated attack against the U.S. infrastructure. What would happen, for example, if China decided to launch a cyber attack on the U.S. in the aftermath of a nasty trade war?
With the easing of the rules of engagement in cyberspace, the U.S. military would largely be free to engage in any action that falls below the important threshold known as the “use of force.” In other words, as long as the U.S. military or cyber defense team decided that a threat was imminent against the U.S, grid (or any network deemed to be critical), it could launch a cyber attack that did not result in death, destruction, or extreme financial damage.
Potential for escalation
Now that other nations realize that the U.S. and Europe are changing their stance from defense to offense, will they follow suit? Presumably, both Russia and China will follow soon with public statements of their own. And with regard to other state and non-state actors, the risk is that they will develop asymmetric non-cyber weapons of their own that will provide a deterrent. One current fear in the U.S., for example, is that rogue nations will threaten EMP attacks against the national power grid in order to instill fear within civil society.
The real risk of escalation is something that military planning experts refer to as “cross-domain escalation.” What this means in practical terms is that a cyber war suddenly morphs into a kinetic conflict and even cyber attacks under a minimum threshold level might escalate quickly. Since cyber weapons are generally non-lethal, they might require the use of additional “kinetic force” to make a real statement to the adversary.
In other words, the threat of a strategic bomber flying overhead makes much more of a deterrent than the threat of offensive cyber operations. If your nation knocks out my nation’s power grid with a cyber weapon, am I limited to responding in kind (with my own offensive cyber operations), or can I act unilaterally with a strategic bombing strike in retaliation? Given the difficulty of attribution when it comes to cyber attacks, it’s far too conceivable that a so-called “false flag” event might provoke one nation to attack another nation by mistake.
Going forward, the world will very much be in uncharted territory. Without the right civilian oversight of military operations, we could soon be headed for a world in which cyber attacks are the new normal, and the rush to develop offensive cyber operations as a deterrent leads to a cyber arms race just like the old nuclear arms race that once threatened to engulf the world in a mushroom cloud.