1 From cyber resilience to civil defence
Contested concepts, elusive goals
Greg Austin and Munish Sharma
Leading states, businesses and civil society actors have recently become more deeply concerned about national cyber emergencies. In April 2015, US president Barack Obama declared a ‘national emergency’ as a result of foreign malicious actions in cyberspace. He said that they presented ‘an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States’ (White House 2015). In late December 2016, the national cyber emergency was renewed (White House 2016). That same month, the United States issued a new plan to address a nationally significant cyber incident (DHS 2016: 8). The document, National Cyber Incident Response Plan, defines this as an attack ‘likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people’. The plan reflects both the familiar focus on the cyber-technical dimensions for protection of critical infrastructure and a new focus on political information warfare conducted through cyberspace, though the document does not distinguish between cyber threats with political impacts as opposed to those with business impacts. Without using the term civil defence, the plan was, up to that time, the most comprehensive public document setting out what cyber civil defence in the United States might mean. In terms of length, detail, and scope, the document probably has no peer in any other country. It explicitly states that ‘All elements of the community must be activated, engaged, and integrated to respond to a [nationally] significant cyber incident’ (6). It sets out a comprehensive agenda for building nationwide capabilities in which local initiative (a hallmark of civil defence) is essential.
The same month, December 2016, Russia (Kremlin 2016) and China (CAC 2016) issued strategies for national information security which were wide ranging at the same time as reflecting a concern for escalating cyber confrontations that would require important new response capabilities. For these two countries, their version of national cyber emergency was premised more on continuing ideological warfare by the United States on their country’s political and moral fabric. For both countries, the concept of social defence of the population was a central element (rhetorically at least). Both countries linked country-wide information security to national security.
For all three of these countries, the scope of the issues now in play went well beyond traditional approaches to cyber security and critical infrastructure protection, with an intensified concentration on non-cyber economic and social effects of such attacks. An important component of the new threat landscape was information warfare of the sort demonstrated by covert Russian use of social media to influence political outcomes in the United States, which had intensified through 2016 (United States ODNI 2017). The ‘emergency’ framing by the United States also included threats posed by large-scale Chinese cyber espionage that the US government says has been underway for more than a decade and claims is affecting its national economic viability.
Several middle powers responded to the escalating threats with civil defence planning. In 2016, Germany issued new regulations on civil defence (Zivile Verteidigung) to prepare for a possible armed attack or other disasters (Germany 2016). Apart from military attack and weapons of mass destruction, its main focal points for attention by all government ministries involved in civil defence were ‘cyber attacks’ and ‘failure or disruption of critical infrastructure’. In 2017, after a delay of two years, Indonesia set up its first national cyber security agency, the State Cyber and Cypher Agency (BSSN for its Indonesian initials), which had as one of its primary tasks ensuring national resilience. At that time, the Ministry of Defence commenced work on a ‘civil defence concept’ (‘non-military defence’), to ensure that such practices, including in cyberspace, became an obligation of all government agencies to defend against current threats (Indonesia Monitor 2019). This conformed to the country’s concept of ‘total defence’, which sees the citizenry as potential combatants, including in cyberspace.
In 2017, Sweden’s National Defence Commission ordered a review of the country’s total defence strategy, including a significant civil defence element: ‘analyse the ambition levels for various preparedness measures pertaining to the protection of essential public services and infrastructure, population protection, maintenance, psychological defence, and advocacy operations, as well as cooperation and coordination within the total defence’ (Sweden 2017a). In December 2017, the government produced ‘Resilience, The Total Defence Concept and the Development of Civil Defence 2021–2025’ (Sweden 2017b). In 2018, Sweden undertook distribution to its entire population of the first civil defence handbook for decades, titled Om krisen eller kriget kommer [If crisis or war comes], published in Swedish and English (Sweden 2018). It contained important elements of response to cyber and information attacks, especially deception.
By 2018, the potential military dimensions of national cyber emergencies came into much sharper focus, with the United Kingdom revealing it was prepared to black out Moscow using cyber attack if there was a crisis that warranted it (Wheeler et al. 2018). The UK introduced a new categorisation system for cyber attacks, which introduced the category of ‘national cyber incident’, defined as ‘cyber attacks which are likely to harm UK national security, the economy, public confidence, or public health and safety’ (NCSC 2018). The Pentagon issued a range of updates to strategies and doctrines moving military uses of cyberspace into an even more prominent position than previously, including a section in the National Security Strategy on ‘Information Statecraft’ (Austin 2018). In 2019, France issued a new cyber military strategy based in part on the likelihood of massively damaging cyber attacks on the country’s civil sector, and raising the spectre of even more serious events once future technologies like artificial intelligence are brought into play (Parly 2019: 3).
In all cases, the new policies for national cyber emergency were framed both for peacetime and for war, while recognising that the more serious attacks – regardless of the formal state of peace – brought questions of warfare inevitably into play. Terms like ‘hybrid warfare’ and ‘grey zone’, which had emerged out of the Russian intervention in Crimea in 2014, took on a new cogency. They were used increasingly to describe the overlap in information operations between wartime and peacetime and between the military and civilian domains. The shifts in policy and practice between 2014 and 2016 created new political realities and heightened tensions in international affairs, as well as stimulating new institutional responses at the domestic policy level.
In that period, there had been notable policy declarations on the military front that impacted non-military cyberspace interests. In 2015, China declared cyberspace (along with outer space) as the ‘commanding heights of all international security competition’ (China State Council 2015). The United States announced in its new Law of War Manual in 2015 that it may be lawful in wartime to attack the civil nuclear power stations or dams of an enemy (DoD 2015: 247), leaving unsaid that the safest way to do so would be by cyber means. The Manual contained a separate chapter on cyber operations. It observed that military cyberspace operations may include ‘logic bombs’1 in the infrastructure of adversary states in peacetime as an act preparatory to war: ‘pre-emplacement of capabilities or weapons (e.g., implanting cyber access tools or malicious code)’ (995). But the most influential event of all was Russia’s launch in January 2016 of escalated information warfare operations against the United States and the European Union to weaken these countries without provoking war. Russia had been waging a similar style of war on Ukraine since at least 2014, including through use of attacks on critical infrastructure, not to mention a direct armed insurgency.
Much earlier, however, the first indicators of the shape of things to come were not just the attack on Estonia in 2007 by Russian hackers but the victim government’s response in setting up a Cyber Defence Unit in its national civil defence organisation called the Estonian Defence League (Kaska et al. 2013). The League had a mission of enhancing the population’s preparedness to defend the independence of Estonia and its constitutional order, while the cyber unit’s mission is ‘to protect Estonia’s high-tech way of life’ (Kaska et al. 2013: 11). These civil defence missions, political and social in character, had rarely been considered in cyber national resilience planning of most countries prior to 2016. The chapter discusses the differences between civil defence concepts and national resilience planning later.
This chapter provides some conceptual and historical background to the concept of cyber civil defence, at both national and international levels, as it has emerged under the pressure of escalating cyber conflict. That discussion is introduced, albeit in terms that will be familiar to most readers, by a restatement of the need for such measures. The chapter then provides highlights of scholarship on cyber emergencies to help position some of the book’s novel arguments. This is complemented by a brief consideration of some international aspects of civil defence in general and the cyber case in particular. Informed by the scholarship, the chapter then poses a sceptical view: is civil defence a viable or worthwhile proposition?
The need
Cyber assets2 are now ubiquitous to every industry and service, with only a few exceptions – for poor rural, remote, or many indigenous communities. These assets fulfil the information and communication needs of national and international infrastructure, whether it is related to hardware (computing or communication devices) or software (information systems, data collection, data processing). Cyber assets also deliver social, political, economic, and news content, ranging from disaster alerts to disinformation campaigns.
While recognising a view that much critical infrastructure, as ‘scale-free networks’, may be resilient to random failures (Barabási and Bonabeau 2003), targeted attacks could be catastrophic when the attacks are directed at hubs of the network. Scale-free networks are not connected in a random or even fashion, but are composed of many ‘very-connected’ nodes known as hubs that are responsible for shaping the way the network operates (Tolba 2007: 2). Akin to complex systems, scale-free networks are quite resilient against accidental failures, but more vulnerable to attacks, and, in particular, a coordinated attack against the hubs which could disrupt the network topology (Barabási and Bonabeau 2003: 59). A scale-free network completely fails only when the hubs are wiped out, and therefore the defence of the scale-free network lies in the protection of the few hubs and not the thousands of nodes forming the network.
Critical infrastructures, as networked systems, have complex relationships with a myriad of upstream and downstream systems, both inside an enterprise and often well beyond it. It is extremely challenging to map the complexity and randomness of these networks of dependency without reliance on software simulations. In the face of coordinated attacks against the hubs, scale-free networks can degrade quickly, as witnessed in the case of electricity grid outages, which are core to the functioning of every other sector.
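The asymmetry described in the two paragraphs above (scale-free networks shrug off random failures but fragment when their hubs are lost) is easy to demonstrate numerically. The following Python example is added here; it is not from the chapter or the works it cites. It assumes a Barabási–Albert preferential-attachment graph as a stand-in for an interdependent infrastructure network, and measures how much of the network stays in the largest connected component after the same number of nodes is lost, once at random and once from the highest-degree hubs. Function names, the graph size and the random seeds are the example's own choices.

```python
import random

def barabasi_albert(n, m, seed=0):
    """Build an n-node preferential-attachment graph: each new node links to m
    existing nodes chosen with probability proportional to their degree.
    Returns an adjacency dict {node: set(neighbours)}."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    core = list(range(m + 1))                      # small fully connected seed core
    for i in core:
        for j in core:
            if i < j:
                adj[i].add(j)
                adj[j].add(i)
    # Each node appears in 'endpoints' once per edge it has, so a uniform pick
    # from the list is a degree-proportional (preferential) pick.
    endpoints = [v for v in core for _ in adj[v]]
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(endpoints))
        for v in chosen:
            adj[new].add(v)
            adj[v].add(new)
            endpoints.extend([new, v])
    return adj

def largest_component_fraction(adj, removed):
    """Fraction of surviving nodes that still sit in one connected component."""
    alive = [v for v in adj if v not in removed]
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:                               # iterative DFS over survivors
            v = stack.pop()
            size += 1
            for w in adj[v]:
                if w not in removed and w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best / len(alive)

def random_failure(adj, k, seed=1):
    """k nodes lost at random (accidents, unrelated outages)."""
    return set(random.Random(seed).sample(sorted(adj), k))

def hub_loss(adj, k):
    """The k highest-degree nodes lost (the hubs the text says must be protected)."""
    return set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k])

def compare_resilience(n=500, m=2, k=50):
    """Largest-component fraction after losing k of n nodes, random vs hubs.
    Constructed scenario: 500-node graph, 10% of nodes lost either way."""
    adj = barabasi_albert(n, m)
    return {
        "random": largest_component_fraction(adj, random_failure(adj, k)),
        "hubs": largest_component_fraction(adj, hub_loss(adj, k)),
    }

if __name__ == "__main__":
    result = compare_resilience()
    print(f"random loss: {result['random']:.2f} of survivors still connected")
    print(f"hub loss:    {result['hubs']:.2f} of survivors still connected")
```

For a civil-defence planner the useful output is the gap between the two figures: the same budget of lost nodes leaves the network nearly intact in the random case and fragmented in the hub case, which is the argument for concentrating protective effort, redundancy and monitoring on the few hubs rather than spreading it evenly across thousands of nodes.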
All national economies and modern global society are highly dependent upon information and communication systems to execute essential daily functions. National infrastructures, be they electricity grids, banking services, telecommunications, roadways, railways, or healthcare, are interconnected and interdependent. Their interlinkages and interdependencies – sometimes across physical or political borders – are often unforeseen. A small disruption in one infrastructure can have a crippling effect on others, and even cascading consequences beyond the infrastructure into the social and economic life of a community. Electricity grid outages in Europe (2006), India (2012) and Ukraine (2015) brought several essential services and transportation systems to a standstill, although the root causes were different, varying from load imbalance to coordinated attack. During the global WannaCry ransomware attack in May 2017, the unavailability of affected equipment – workstations, operation theatres, and diagnostics – interfered with the critical operations of National Health Service hospitals across the United Kingdom.
Military forces also depend on cyber assets with increasing frequency and intensity, ranging from command and control, intelligence, and surveillance, to weapons control or even logistics and supply chain management. Any ‘compromise, degradation in quality of performance, loss or unavailability of a cyber asset’ could lead to disruptions in the flow of militarily significant information or even the functionality of weapons systems. Several states actively plan to exploit these vulnerabilities in technologies, processes, and people during a political crisis or wartime. Their goal might be to challenge the target state to contain the cascading non-cyber effects of the attack, recover from the incident, and restore the services. Another goal might be simply to disrupt the combat operations of an enemy. Apart from ‘cyber paralysis’, as Amit Sharma (2010) has argued, another goal might be strategic decapitation (the severing of national command and control authorities from direct contact with national security actors), either in the purely military domain or in civilian agencies as well.
The fallouts of large-scale cyber incidents (their cascading consequences) are not easy to predict, forecast, or simulate, particularly in the face of coordinated multi-actor or multi-vector cyber attacks, persistently carried out over a long time period.
Cyber incidents can take a very large number of forms. They could arise out of a machine error, an accident, misuse, infiltration attack, or sabotage, at the hands of either an insider or an unauthorised external actor. They are almost always unannounced, usually unstructured, but very often demanding intense crisis management (Ernst & Young 2017: 3). Defensive preparations for such emergencies at the national level need to be multi-dimensional, involving technology, people, processes, and efforts at organisational, sectoral, state, or provincial, national, ...