Most of what we see in day-to-day cybersecurity is not cyberwar, or the perennial threat of the ‘digital Pearl Harbor.’ Crime, espionage, political vandalism, and military “long-range cyber-reconnaissance”–rather than kinetic targeting that kills, damages, or disables–are more mundane, day-to-day concerns. National Defense University’s Samuel Liles does make a persuasive case that much of cyberwar exists mainly on the “low-intensity warfare” aspect of the general spectrum of conflict. I propose something of a middle category of operations that may clarify some of the murkier areas of state-sponsored cyberattack: covert action.
Looking at state and state-sponsored cyberattack as covert action clears away some of the messier definitional issues and also suggests that a multilateral solution of cyber arms control may have limited utility.
Intelligence agencies’ main role is to gather, filter, and analyze information to support policy–whether that policy is old-fashioned geopolitical objectives or enhancing a state’s commercial competitiveness. However, intelligence agencies and military organizations also carry out covert action–operations that use state resources to execute a given policy in support of national interests. Covert action consists of many different things–military direct action, targeted espionage, coups, training and logistical support of terrorist and insurgent groups, and even direct support of a large military operation (the Central Intelligence Agency’s Bay of Pigs fiasco). It is not solely carried out by intelligence agencies, but intelligence agencies–with their specialized structures and contacts–usually take the lead.
Covert actions are sensitive and discreet but not invisible. It was patently obvious where the weapons and logistical training for the 1980s Afghan insurgents were coming from. A trained observer could spot the hand of the CIA and the KGB in many third-world coups. Large and complex activities–particularly those that bear on crucial foreign policy outcomes–are hard to disguise. While covert actions do not have to involve material damage or violence, they often do. Plausible deniability is more about making covert actions less blatant than hiding them altogether.
The utility of state covert actions is to accomplish political objectives in a low-cost, low-liability manner. The United States wanted to stop the Soviet advance into Central Asia, but doing so militarily would risk nuclear war–hence the utility of a large-scale campaign in which the burden of fighting fell to the Afghans and the Pakistani intelligence and special operations forces rather than American soldiers. Operationally, covert actions balance their own objectives with the strategic concern of not showing so obvious a hand as to provoke a harsh response. Most covert actions fly under the threshold of what might be considered militarily provocative.
Much of what we see as state cyberwar is actually covert action. For example, Stuxnet–by disabling Iranian nuclear facilities–supported a policy objective shared by both regional and international states. Cyber as a medium is also ideally suited to covert action. The large-scale acquisition of civilian and military technologies in order to build a national-technical base is a type of covert action that–even if properly attributed–would not give latter-day Adlai Stevensons much to go on. States engage in espionage and covert action all the time. The scale of the action and its policy consequences is the issue, not the action itself. There are mountains and mountains of reports of state use of cyber for covert operations and espionage, but those states continue to launch attacks without much impediment.
How does this change of viewpoint help us? First, we have a framework for understanding actions that go beyond espionage but do not involve active warfare. If a state chooses to use a cyber tool to disrupt another state’s capabilities, degrade its information, or threaten something dear to its policymakers, such actions need not be the start of a stand-alone strategic information warfare campaign or an element of a large offensive to come. Rather, these cyberattacks could be an attempt to achieve a more limited policy objective. It is easy to see how everything from large-scale industrial cyberweapons to the use of loosely affiliated patriotic hackers can fit into this framework.
Second, there are enduring aspects of the mechanics of covert operations that are applicable to both cybersecurity and policy. First, as Rick Forno pointed out, a “Maginot Line” approach simply will not do. The entire point of a covert operation is that it is an indirect maneuver rather than a telegraphed military attack. None of the governments overthrown in Cold War coups faced armies on their borders that they could stop with fortresses and roadblocks. They instead failed because they did not detect or correctly analyze the nature of the plots against them before it was too late. Second, the history of covert action suggests that, despite the periodic wave of public distaste for it (“gentlemen do not read each other’s mail”), it is unlikely that multilateral agreements will lead to restrictions on what, by definition, is low-level activity that is relatively cheap and low-risk. Until the way a state evaluates the risk of the covert action changes–or the politics behind the action shifts–targets are forced to resume the responsibility for their own defense, deterrence, attribution, and possibly retaliation.