This is a series of three articles in which we set out our view on why Pakistan urgently needs to establish a cyber command and what strategic challenges such a command will need to tackle to be effective. In the first article, we sought to explain how cyberspace has now become a strategic competitive space. The second article will explain the several challenges posed by cyber offensive operations executed by nation-state adversaries or rogue regimes against Pakistan. The final piece will provide a comprehensive road map of how such a command may be established by identifying some of the national-level components that should be treated as prerequisites to the establishment of Pakistan’s national cyber command. Unfortunately, these components are currently non-existent in Pakistan.
The Challenges of Cyber Offensive Operations
In the previous article, “Cyberspace: The Environment of Continuous Strategic Competition,” we explained how cyber offensive operations executed below the threshold of armed conflict call for new strategic thinking in cyberspace. States predominantly leveraged the cyber domain to compete in an Intelligence Contest. Most cyber operations executed by great powers were about collecting or protecting information. Blindsiding even the perpetrating ‘hawks’ of the time, one particular event in cyberspace transformed the intelligence contest into a Strategic Competition of unmanageable convolution and ferocity. The inevitable adoption of technology will propel every state into this continuous competition – whether they like it or not.
The Pandora’s Box of Cyberspace
It is highly possible that the first instance of cyber being used as an offensive weapon in peacetime was ‘Operation Olympic Games’ against the Iranian uranium enrichment facility at Natanz. It was one of the most advanced cyberattacks ever experienced by a state and was allegedly carried out by a joint U.S. and Israeli intelligence team. The cyberattack delayed Iran’s nuclear program by damaging the structural integrity of the centrifuges while staying undetected for three years.
Operation Olympic Games exposed the world to a new kind of warfare and set a precedent for what is now considered acceptable behavior in cyberspace. This was the point of singularity for cyber offensive operations that plunged the globe into an invisible menace that presents an existential crisis for both the most technologically advanced states and the developing world. The problem had a cascading effect when states realized that cyberspace is a means not to coerce but to exploit other states and redistribute power in the international system while avoiding any escalation risks in the physical domain.
The U.S. DoD and U.S. Cyber Command adopted new strategies to tackle these challenges in 2018. These policy and strategy shifts have been labeled ‘Persistent Engagement’ and ‘Defending Forward.’ This action is a formal acknowledgment of the challenges presented by cyberspace and the inapplicability of deterrence as a solution. The root problem these new ideas set out to solve is the continuous competitive nature of cyberspace caused by the unique set of circumstances surrounding cyber offensive operations. We will list and explain some of these challenges below while pointing out that this list is not exhaustive.
Attribution is the process of identifying the threat actor responsible for any cyber operation with a great degree of confidence. Attribution has historically been considered a challenge for any victim state. Still, it is an improving condition for developed nations that have invested heavily in cyber defense and the development of highly skilled cyber professionals. Developed nations can positively conduct technical attribution given enough time and resources. Nevertheless, it is considered a challenge for developed and developing nations due to several other factors. It should be noted that attributing a cyber operation implies that the victim state has successfully detected malicious activity in its networks, which is a challenge in itself. Some of the factors are as follows.
First, the degree of confidence in attributing a cyber operation or attack to any state has to be very high. Errors in attribution may lead to loss of reputation in the international system for the victim state and would diminish the legitimacy of any future attributions. This confidence has to be very high because, based on this attribution, the victim state will pursue retribution or reparation. If a victim state wrongly accuses and then acts against another state based on false attribution, the consequences could spiral out of control. States are now employing proxy groups to execute cyber operations on their behalf, and when a particular attack is attributed to these groups, the sponsoring state can claim detachment.
Consider an example in the physical domain: how easy it was to positively attribute the destruction of trees in Pakistan to the Indian Air Force (IAF) in February 2019. The physical evidence of the actions was clear, and the threat actor’s movements were easy to observe, record, and share with the international community. The same is not the case for a threat actor’s movements, intents, objectives, and actions in cyberspace.
Second, states are now demanding complete attribution. Sharing complete attribution entails that the attributing state provides full details of the resources, systems, and processes it utilized in its investigation. This data is considered highly classified and sharing such information with the international system is not always possible. Providing the technical details of attribution is a pitfall as it would allow the adversary state to refine its methods for future cyber operations and would also allow it to attempt to discredit the attribution.
Continuing on the example of the physical domain: In local and international media, Pakistan publicly shared all relevant information of the IAF’s debacle of February 2019 and established strong legitimacy for Pakistan’s response before actually responding. This is rarely possible to achieve for actions taken in cyberspace. Furthermore, the IAF now has a better understanding of the tactics and response capabilities of the PAF as they have been revealed, and this understanding will indeed influence the planning of any future IAF operations.
Third, attribution alone cannot lead to deterrence. It has to be followed up with severe penalties levied against the aggressor. If such penalties are not placed following attribution, the deterrence posture of the victim state is further diminished. We point back to the retaliatory actions of the PAF in February 2019 in the physical domain: they reinforced Pakistan’s deterrence posture and communicated intent to impose heavy penalties on the aggressor in the present and, more importantly, the future. However, confidence in attribution must be proven by the victim state to the international system to impose such costs. The weak nature of international law in cyberspace makes this another challenge, explained in detail later in this article.
Red Lines and Signaling
Red lines are self-defined thresholds of tolerance by individual states which define the limits of exactly how much aggression they will tolerate before escalating the issue. These are commonly used to define the deterrence posture of states and are strictly well-defined lines, coupled with an announcement of the capabilities that will be used, and actions that will be taken if any aggressor breaches the tolerance threshold. Together, the defined lines and announcements (signaling) constitute a deterrence statement that is of critical importance to the deterrence posture of any state. The Line of Control (LOC) between Azad Jammu and Kashmir (AJK) and Indian Occupied Kashmir (IOK) is a well-defined red line for Pakistan and India. Both states clearly understand that any activity by one state that breaches this line will be met with a solid retaliatory response.
In cyberspace, red lines seem to inherit the vagueness of the space itself. This leads to red lines being ill-defined and increases the probability of misinterpretation by the enemy. For example, if critical infrastructure is a red line and a cyber-attack on such facilities will not be tolerated, what constitutes critical infrastructure? What constitutes a cyber-attack? Will the reconnaissance stage of the cyber kill chain constitute an attack? Will data theft be considered an attack? Or will only data degradation be judged as an attack? Or will only a disruption in the services provided by the facility be considered an attack, and anything with lower effects is fair game? The list of such questions is never-ending.
To expand on the above example of the LOC between Pakistan and India in the physical domain: the line defines physical territorial limits, and both states understand what it represents. Such a clear understanding is not possible in cyberspace. Furthermore, even clearly defined red lines are porous as India constantly breaches the LOC with mortar fire, and such activity does not escalate. However, it is met with equal retaliation by Pakistan, probably because it is mutually understood that this is acceptable up to a level. In cyberspace, conducting cyber offensive operations above the threshold of armed conflict seems to be the only red line. At the same time, this line itself is vague in nature.
The problem with establishing red lines in cyberspace is described as twofold. First, states fail to set red lines fearing that doing so would cede freedom to maneuver when responding to cyber operations. In simpler terms, predefined red lines would take away the capability of a flexible response. Second, if the red lines are established, most states fail to enforce them.
Furthermore, strictly defining red lines in cyberspace may lead to a different problem altogether. It will allow an adversarial state to continuously operate a shade below the red lines, an unacceptable scenario. Unlike conventional warfare, where adversarial actions below strictly defined red lines are visible and can be countered, this is much more complicated in cyberspace. Consider how India has established strongholds and posts right at the edge of the LOC as an example, but also imagine that their activity was invisible to Pakistan.
Additionally, in cyberspace, announcing a capability diminishes its effectiveness and, in some cases, might even render it completely useless. This is true as cyber capabilities target specific vulnerabilities and complex zero days in Information Technology networks and systems. Once information is available on the specific target, several tests can be conducted to identify vulnerabilities and patch them to harden the potential target. This makes signaling almost impossible.
Weak International Law
Several institutions have been established to pursue litigation and reach a legitimate decision regarding conventional warfare or territorial issues in the international system. These institutions and bodies are legitimate and acceptable for all nation-states in the system and are guided by international law. The same cannot be said for cyberspace. An initial problem can be found in acknowledging that customary international law and the U.N. Charter were born out of the legal challenges presented by threats to stability via coercion and conventional use of force and conditioned from the nuclear and conventional environments. By contrast, strategic competition in cyberspace threatens stability via exploitation due to states employing cyber offensive operations unilaterally, with effects below the threshold of use of force.
The Tallinn Manual 2.0 is considered applicable law in cyberspace by NATO member states, but the collective defense may never be invoked in response to cyber operations below the threshold of armed conflict. Furthermore, the law is considered non-binding, and several states that claim to abide by it frequently infringe the law without ever being reprimanded. Offensive cyber operations are a sensitive subject for organizations trying to build international norms that discourage cyberattacks. No specific body exists to manage cyber conflicts, and one may never exist. Even if such a body is indeed established in the future, it will be riddled with questions of legitimacy. The United Nations Group of Government Experts (UN-GGE) has attempted to meet this challenge for more than a decade but to no effect whatsoever.
At the core, there is no consensus on how international law can be applied in cyberspace. Not even a basic understanding exists. The problem is further amplified by most states not wanting to establish consensus in the area. Such a consensus would strip them of the strategic opportunities offered by the current nature of cyberspace governance. How do you build norms in cyberspace where your state making strategic gains is considered fair game, but it is illegal for other states to exhibit similar behavior? Hence, it is clear why states have failed to develop an effective opinio juris sive necessitatis on the matter. Understanding how strategic advantage in cyberspace can be gained legally and illegally is required.
International law is weak as it is in the physical domain. For example, the U.N. resolution that grants Kashmiris the right to self-determination has not been implemented. The verdict delivered by the U.N. resolution is legitimate, explicit, was passed decades ago, and the means to implement the resolutions are clear. Furthermore, India’s invasion of Kashmir is a clear breach of the threshold of use of force and is a matter of breach of Pakistan’s sovereignty. And yet, the international system has failed to provide justice. The weakness of international law worsens exponentially in cyberspace.
Escalation Risks and the Impetus to Compete
Three types of escalations need to be addressed when calculating such risks in any format of conflict. These are deliberate, inadvertent, and accidental escalations. Herman Kahn and Morgan et al. laid out the foundation for escalation dynamics, and the work of many other scholars is an extension of this foundation. Herbert Lin and Martin Libicki adapted this foundation when investigating escalation risks for conflicts in cyberspace. One factor that has been overlooked is that Kahn’s work is focused on sporadic and singular or occasional instances of conflict. This is so because kinetic war or conflict between states is not a continuous but rather occasional state of affairs. As explained in the previous article, cyberspace presents the challenge of a continuous strategic competitive environment rather than occasional instances of confrontation.
It should be noted that the escalation risk calculation framework that applies to the continuous nature of conflict in cyberspace is also Kahn’s work. For kinetic conflicts, Kahn described an escalation ladder with rungs depicting different escalation levels and explained how states could use the ladder to achieve escalation dominance to emerge victorious in a conflict. The space between any two rungs of the ladder represents nothing.
Kahn uses the term agreed battle to explain another scenario where the space between two ladder rungs constitutes the total escalation risk calculation framework. The agreed battle is a form of conflict where there is an implicit understanding of the rules of engagement as well as acceptable and unacceptable behavior. Explicit red lines and deterrent statements do not exist in agreed battles. The continuous strategic competition or agreed competition in cyberspace can be viewed as a digital form of the agreed battle in the physical domain.
Agreed competition in cyberspace, similar to agreed battle in physical space, finds its escalation risk calculation framework bordered by, and inclusive of, two rungs. The lower rung is a state of minimum activity of cyber offensive operations, and the upper rung is the threshold of armed conflict in terms of the effects of cyber offensive operations. What is occurring in cyberspace is tacit bargaining of acceptable or unacceptable behavior between states for agreed competition.
The behavioral status quo is that as long as the effects of cyber offensive operations do not breach the threshold of armed conflict, such operations are considered acceptable behavior. Furthermore, there is a minimum risk of deliberate escalation because such actions have been implicitly agreed upon as acceptable behavior. This is proven by empirical evidence if one studies the escalation risks of cyber offensive operations conducted over two decades.
In a physical conflict, escalation can be leveraged for strategic advantage by widening, intensifying, and compounding mechanisms. All three mechanisms have been clearly employed in the continuous strategic competition in cyberspace. Yet, there have been no escalations and this implies the behavioral status quo mentioned above. The implicit understanding of acceptable and unacceptable behavior must be constructed through indirect signaling.
Hence, the phenomenon that drives the challenges posed by escalation risks, which concurrently presents an opportunity for countering cyber offensive operations, is that there are none. The challenge for the victim state is that adversaries do not fear escalation, as empirical evidence suggests that cyber offensive operations conducted below the threshold of armed conflict have never escalated into the physical domain. It should be clear by now that cyber is not a coercive space, and it is not an escalatory space, but an exploitation space.
Why would one be deterred if one does not face any escalation risks? Why would India think twice about invading Pakistan’s border in Kashmir if it were not clear that breaching Pakistan’s territorial sovereignty will be met with unprecedented sacrifice and courage and may even escalate into an all-out war? Furthermore, why would India risk going to war with Pakistan in the first place if it figured out a strategy to invade and occupy AJK without causing one by staying below the threshold of armed conflict, such as the revocation of Article 370 in Kashmir?
The low escalation risks provide a sole opportunity for the victim state to counter cyber offensive operations. Similar to the actions of adversaries in cyberspace, actions taken in cyberspace by the victim state below the threshold of armed conflict will not escalate. Only one strategy is viable for Pakistan: Compete!
The challenges of attribution, red lines and signaling, and low escalation risks presented by cyberspace, coupled with the opportunities made accessible by the dilemma of the threshold of armed conflict in cyberspace, have rendered the doctrine of deterrence utterly irrelevant in this new domain. The problem is further exacerbated by the weak nature of international law, and it is clear that states are left to fend for themselves when it comes to conflicts and events in cyberspace.
Nevertheless, it is a level playing field for everyone. All states face the same challenges in this environment, and similarly, the same opportunities exist for all to take advantage of. It is a matter of acknowledging the facts and investing in the right initiatives. Due to a lack of understanding of the dynamics of cyber offensive operations, Pakistan faces a two-fold disadvantage.
One, the country cannot comprehend and contain the damage it is being dealt in, from, and through cyberspace. Because cyber offensive operations against Pakistan are being conducted below the threshold of armed conflict with invisible effects, the true extent of the degradation of national power is shrouded under a guise of stability and security. An undetected but fatal cancer spreading in the body can be viewed as a relevant analogy for this situation.
Information advantage is being developed by our adversaries, which will definitely be used against Pakistan as a force multiplier in any future conflicts. This information advantage is dealing heavy blows to Pakistan in economic, diplomatic, technological, social, and political spheres, even in peacetime. These are the exact strategic gains referred to in the first article, being made by our adversaries without invoking the deployment of Pakistan’s conventional or nuclear forces. If such actions are ever taken against Pakistan in the physical domain, and her sovereignty is breached at such a scale, it would invoke a strong response. PAF’s actions on the 27th of February are an example of retaliation in response to a breach of Pakistan’s sovereignty.
Two, because Pakistan has yet to acknowledge the existence of this competition, it cannot take full advantage of the strategic opportunities offered by cyberspace and can only make minor contributions to national power. Cyberspace is the new competitive environment where national power is being competed for by states, and Pakistan has yet to enter the competition. In order to compete, a nationwide effort will have to be made towards the development and achievement of strategic goals and objectives. All stakeholders will have to arrive on a single page, mirroring the interconnectedness of cyberspace itself.
In the first two articles, we have established the problem and the need for an effective solution. In the next article, we will explain how the authors have envisioned the establishment of a specialist entity as a national-level response by Pakistan. If this response materializes, it will compel many of Pakistan’s adversaries to shift resources to defend in an attempt to reduce the tactical friction, strategic costs, and the effects of a redistribution of power that they will face. Pakistan’s leadership will have to transition from the mindset of the Cold War to a mindset of the Code War.
About the authors:
- Hammad Salik is a consultant to the Prime Minister’s Task Force on Knowledge Economy (Pakistan) and member advisory of the Strategic Warfare Group (SWG). The author aims to provide accurate and transparent cyber information to the general public. Expertise includes Cyber Warfare Operations, Kinetic Cyber Warfare, AI, and Cyber Conflict Management.
- Rao Ibrahim Zahid is a consultant to the Prime Minister’s Task Force on Knowledge Economy (Pakistan) and member advisory of the Strategic Warfare Group (SWG). The author tends to engage in research to provide awareness for a developing Pakistan. Expertise includes International Relations, Cyber Warfare, Cyber Conflict Management, Cyber Threat Intelligence, AI, and Air Defense analysis.