The Case For A UAE Cyber Defense Doctrine – Analysis
By Aleksandar Mitreski
Estimates suggest that over 140 countries have increased awareness about the power of cyber warfare. Recent history has shown examples of a limited use of cyber capabilities, as seen during the Russian armed conflict with Georgia in 2008. It is increasingly evident that cyber attacks have also been used as diplomacy by other means; for instance, Stuxnet targeting the Iranian nuclear program. These are just the beginning of the new threats posed by the technological advancements of the information age, and the risks will become even greater in the future.
Needless to say, this development has tremendous implications for modern warfare and demands a change in calculus, particularly through the addition of a cogent chapter on cyber doctrine to today’s defense doctrines. Many countries are already creating such doctrines and it is likely to become the next mandatory document for a modern-day military force. By adopting this forward-thinking view, the UAE should opt for an effective and credible cyber doctrine; one which will mirror national interests, within the boundaries of overall military doctrine, aware of the realities in the country, and aligned with international law. The role of the doctrine is to confirm, and project, a firm stance on protecting the nation’s safety even if the battle is transferred into the cyber realm.
Though the development of cyber doctrine is still in its embryonic phase, insufficiently explored by academics, policymakers, and military planners, there are a few possible options to determine the type of cyber doctrine that best fits the UAE’s national interests: offensive doctrine – where the country uses its cyber weapons not only for deterrence but for preemptive attacks; one based on the principle of reciprocity – when the military retaliates with an adequate cyber response; or, defensive – where the focus of the military is on defending the nation’s systems from cyber attacks and only retaliates if the nation’s sovereignty is endangered.
Offensive cyber doctrine would suggest that the UAE is ready and willing to engage in a cyber conflict, even in the form of preemptive attacks, if there is an imminent danger. It would mean taking the first blow to disable the operational systems of the assault-ready country. In practice, that means striking the C4I systems and preventing an attack before it begins or, alternatively, disabling parts of the enemy’s critical infrastructure facilities. This is the least favorable doctrine for four main reasons. Firstly, it does not match the national interests of the country and its declared and proven peaceful nature to its neighbors, the wider region and the rest of the international community. Secondly, this offensive character of the doctrine cannot be supported by current military might as it lacks the most advanced cyber-weapons. The indigenous industry has not yet developed to a point where it can engage in production of such weapons, and buying them from abroad is difficult due to global market restrictions. Thirdly, obtaining such weapons will have detrimental consequences to the relationships with the allies, especially the United States. Lastly, it is also very important that the doctrine should be aligned with international law. International law is not yet clear on all challenges posed by the cyber realm. The international community is clearly interested in utilizing international law in cyber conflicts. For example, earlier this year NATO experts finalized their discussions in Estonia where they explored how jus ad bellum and international humanitarian law apply to the cyber field. Although the Tallinn Manual is a nonbinding document, it underlines NATO’s interest in upholding the rules of the international community. The UAE should do the same.
Many of the same arguments apply to the cyber doctrine based on the principle of reciprocity. Namely, the current lack of advanced cyber weapons makes the threat of retaliatory attack less credible. However, even if in the future this capability is developed, the doctrine based on reciprocity does not fully mirror the national interests of the UAE. To understand this point we have to consider the nature of cyber conflict – its destabilizing power to societies, the collateral damage that can be caused, and the possible blowback.
Engagement in an elevated cyber conflict with another country can have disruptive consequences to the networks vital for domestic and foreign firms doing business in the UAE. The risk of creating a panic in the civilian and societal elements might not be taken into account in countries that are less integrated with the global markets and are facing some form of international isolation (e.g. Iran). However, due to the UAE’s interconnectedness, the stability and the confidence of the society are vital for the country’s growth.
The collateral damage can also be devastating. Launching certain types of cyber attacks, for example specifically tailored computer viruses, is not always executed with surgical precision, and can thus cause unwanted damage to areas that are not targeted. In the worst case, the chain of events would lead to releasing a global virus with even greater consequences. The blowback is another part which needs to be considered. The sophisticated virus which is originally used as a weapon in a retaliatory attack might be used by the same or another enemy in the future, or the code can be made public as has happened before. Not only does this factor put the UAE in danger for the possible blowback, but it also portrays it as a country spreading cyber weapons.
An additional complication when engaging in cyber reciprocity is determining who your enemy is. Cyber attacks can come from states, non-state actors, state-sponsored non-state actors, or indigenous groups. Though nation-states are the usual suspect when it comes to sophisticated cyber weapons, other adversaries can be the source of the threat. After all, programming skills relevant to this field are taught at universities worldwide. In order to carry out an influential cyber attack, non-state actors must have developed a set of skills. For instance, over 10 years ago it was believed that cyber tools for a complex attack could be developed by non-state actors in 6 to 10 years, but today this timeframe is much shorter. Also, there are hackers-for-hire, such as the recently exposed group called Hidden Lynx. Their anonymity and global reach provided by the nature of the internet make it difficult to find the smoking gun, let alone prove their. That defines the cyber doctrine based on the principle of reciprocity as a high-risk option, not aiding the UAE’s national interests, and difficult to make effective.
Defensive cyber doctrine emerges as the best option for the UAE, and there is a plethora of arguments in support of this claim. It paves the way for non-restrictive cyber capability build-up, provides a platform for peaceful non-threatening development, projects confidence for cyber security for all domestic and foreign stakeholders in the country, strengthens the partnerships with the allies, and improves the UAE’s stance in the international community.
The best deterrent against future cyber attacks would be intercepting the “we can cause a damage” message from the enemy and providing enough evidence that “no, you cannot”. This refers to all hostile actions which demonstrate part of the enemy’s abilities, their power to cause damage and disruption (e.g. Aramco, RasGas), or incognito network infiltrations exploring system vulnerabilities. Cyber attacks do not always begin with denying accessibility, disrupting networks and causing damage, nor is the goal of every breach to corrupt and destroy data. An intrusion might be organized for the purpose of finding system vulnerabilities or for installing elements to be utilized when the cyber attack begins. Such probing might not spur a reaction because of a lack of awareness of such hostile activities. Moreover, the intruder might also cover the tracks on the way out of the system. To sum up, by conducting Computer Network Exploitation (CNE) the intruder pinpoints additional weak spots for future use, or prepares a Trojan horse scenario. Suspected targets for these threats are critical infrastructure elements and SCADA (Supervisory Control and Data Acquisition) systems. A strong national defense would be able to recognize and deter both types of attacks – the strategic cyber attacks and CNEs. This capability is best achieved through establishing an active defense. This effort envisions network monitoring and actively engaging in prevention of successful attacks or CNE, with the ability to identify any backdoors used by the enemy and provide a fix for them. An additional benefit of the active defense is using a “honeypot” for observing the behavior of the intruder and understanding the intentions. Ideally, the defense cyber warrior would provide false intelligence to the hacker, thus using oncoming cyber attacks for deception of the enemies.
The biggest challenge for the UAE military is to provide confidentiality, integrity, and accessibility of its C4ISR systems. C4ISR systems are the first target in tactical cyber attacks. One challenge for C4ISR systems is cyber raids which aim to gather intelligence, in particular, information on the positioning of troops and information shared in the network. A DDoS (Distributed Denial of Service) attack can prevent access to parts of the network which are critical for providing situational awareness of all forces, hence creating a fog of war. Also, by gaining access the foreign cyber warrior might use cyber manipulation to create false imagery. A clear example of such actions is the 2007 Operation Orchard, the bombing of Syria’s alleged nuclear facility when Israeli fighter jets (F15 & F16) went unnoticed by Syrian radars. A similar scenario is unacceptable for the UAE. Considering its geography and its surroundings one would easily conclude that air and sea surveillance and defense is top priority for the country.
Nonetheless, the build-up of such strong defense is not an easy task. It is expensive and requires a lot of resources, including manpower. In the short term, by establishing a defense cyber doctrine and declaring that the country’s cyber capabilities are for defense purposes only, the UAE can utilize the partnerships with its allies for acquiring the most advanced defense systems. For example, this approach avoids restrictions by the U.S., for whom offensive use of their products is a sensitive topic due to the potential blowback and repercussions of having U.S. companies engaged in offensive cyber initiatives of other countries. As far as the sale of such systems to other countries and their use for defensive purposes are concerned, the U.S. is willing to offer assistance to its allies. Recent announcements suggest that the U.S. would want to help its allies in the Gulf (including the UAE) in matching the growing threat from Iran, which is seen as an act of creating synergy between the countries for future cyber conflicts. It is not a secret that Iran is a country which rapidly advances its cyber warfare capacity for which it has allocated enough money and created a military unit. Enforcing and utilizing such partnerships will secure UAE cyber defense while at the same time strengthening the UAE’s position as a partner to its allies.
In the long term, however, the UAE will have to develop its own domestic industry for providing cyber defense systems, as it is already oriented towards production of C4ISR systems. Experiences from other countries have shown that foreign-made systems for government and military use can be inherently compromised. To illustrate, such advanced systems might have a hidden kill switch which can shut down the system (or parts of it) and can be activated remotely should there be a reason for it. Additionally, dependency on foreign companies to manage these highly sensitive systems adds to the risks. Hence, building a domestic capability for development of the hardware, software and the training of the local personnel will ultimately provide the necessary support for the UAE’s cyber security.
All actions derived from a defense cyber doctrine, as proposed here, will be fully compliant with the existing international laws. No questions will be asked about the ethics of the actions either, due to their defensive nature, which would place the country in a strong position to be the advocate for international restriction of such weapons. At the same time, the UAE will not be the reason for an expensive cyber arms race in the region. Ultimately, not having offensive cyber weapons removes the suspicion of being the source of any cyber attacks against a country with which there is a latent tension. As a reminder, Iran instantly blamed Israel and the U.S. for Stuxnet because only these two countries together with China – who lacks the motive to attack Iran’s program – were believed to have the ability to create such a sophisticated virus. Yet, there is no bulletproof cyber defense. And the question is how many successful attacks and for how long will the UAE suffer from a sustained attack before it responds. Obviously, the doctrine cannot exclude any kind of response, but due to its defensive character, it should limit the response to critical situations where the sovereignty of the nation is at stake. The peaceful development of the UAE’s cyber defense should take an offensive turn only if under sustained, massive, state-organized or state-sponsored cyber attack which is crippling national systems. One possibility is when a cyber attack is waged simultaneously with a physical attack which is the obvious red line. However, if considered an act of war, then the military armed forces are employed. After all, a victory would not be obtained by cyber counter-attacks, but by causing a physical damage to the source of the attack with own military force.
So far the UAE is making significant progress in advancing cyber security domestically. The country is creating institutions which would make these issues a priority (the new National Electronic Security Authority, or NESA), is implementing an advanced set of cyber laws, established its own CERT as early as 2008, and is launching an awareness campaign for the general public about online dangers. But, as this analysis shows, the UAE can establish a stronger, more confident and stable national defense, by creating a defense cyber doctrine. Having adopted a way of dealing with the modern day cyber threats, the country will engage in internal development and consolidation of multiple departments across the government and the military. A cyber doctrine will inspire a strategy which will allocate the necessary budgetary resources for developing a comprehensive cyber defense, uphold the highest security standards, train the much needed skilled personnel (civilians and military alike), and foresee the challenges to its systems and provide appropriate responses.
Aleksandar Mitreski, INEGMA Non-Resident Analyst