1. Countering Hybrid Threats in Cyberspace
Abstract: For almost two decades, cyberwar has posed various challenges to military organizations. Doctrine has hardly defined the scope of cyber activities and how military forces can act or react in that specific new battlefield. Highly technical by nature, the cyber defense mission was, at first, to counter major cyber threats, thus the focus was, and is, to protect critical infrastructures and networks. Building up a cyber force was, therefore, a move to militarize cybersecurity by transferring methodologies and skills.
But the reality of cyber conflict undermines the idea of the unique technical roots of cyber warfare. Most strategists and military experts considered cyberwarfare as a force multiplier in the global reshaping of military affairs. Preparing for a “cyber Pearl Harbor”, we have missed the overall picture where State and non-State actors use cyber tools to conduct their global information war.
This paper proposes a broad overview of the concept of hybrid threat and how it applies in cyberspace. Built to counter a major cyberattack against our National Critical Infrastructure (NCI), most of the cyber forces are not well adapted to face the guerrilla-style warfare imposed by our adversaries. Based on recent lessons learned, this paper sheds light on the challenges and opportunities of countering hybrid threats in cyberspace.
Keywords: Cyber Operations, Hybrid warfare, information operations.
There is, so far, no clear definition of the ‘hybrid threat’ concept in Western military institutions although there is no longer any debate about the reality of its existence in cyberspace. Whether one refers to the 2006 Israeli – Hezbollah war, to the Ukrainian crisis or to the operations performed by the so-called Islamic State (IS), the global strategy of the warring actors fully takes into account operations in cyberspace.
Military organizations and doctrines faced with this form of warfare on and via the networks, which act as a mirror of air-land fighting, are subject to conflicting requirements. Therefore, structures of force have to quickly adjust to the persistence of State conventional or proliferating threats while regularly facing irregular adversaries, and also take the fifth operational domain of warfare[i] into account.
The concept of hybridity appeared as a follow-up of the asymmetric warfare doctrine, which has, since 2003, been greatly revisited in response to the Afghan and Iraqi conflicts. The process of evolution of the Western armed forces, embodied in the concept of Revolution in Military Affairs (RMA) and Transformation, rely, to a large extent, on the idea of high-tech warfare to ensure swift victory over an adversary whose means and decision-making process would be swept away by the deployed tactical and technical superiority. Even though some authors like Martin Van Creveld have imagined, since the early 1990s, that the transformation of war will mainly lead to an increasing number of sub-State players[ii], criticism of RMA and the doctrinal works dealing with counter-insurgency has reduced debate to a mere conflict of models. In this binary perspective, symmetric war opposes States resorting to regular modi operandi (without, for all that, defining them) and asymmetric warfare would only be a deteriorated version of symmetric war performed by low-tech non-State actors.
Today, the concept of hybrid threat is far more difficult to grasp. The hybrid can be multifaceted and based on an entire set of possibilities. For example, the use of new information technologies cannot, on its own, be a discriminating criterion for categorizing a potential adversary. One of the basic features of the hybrid threat lies precisely in this capacity, in the conduct of such operations, to use so-called rustic modi operandi and sophisticated digital tools at the same time.
If it were only about the issue of potential adversaries using new tools made available thanks to the dramatic development of communications, addressing the hybrid threat in cyberspace would only require minor adaptation of operational thinking. The challenge, however, goes far beyond the simple aspect of an appropriation of new technologies by our adversaries, and raises the question of the link between military action and global strategy, making armed conflict central to political rivalries.
Beyond the tactical and technical aspects, developing and integrating digital operations is a real strategic challenge upsetting the classical concepts. For example, the notion of an adversary, or battlefield and even the scheme of maneuver require, in cyberspace, new approaches to counter complex threats. For all that, it should be remembered that no tactical response will be sufficient in itself as far as the attainment of the expected end-state is concerned.
3. Hybrid threats: a doctrinal challenge
A. A new concept for ancient evils?
It seems that the idea of the hybrid threat was revived during the 2000s by the U.S. Marine Corps and is an extension of the concept of military operations ‘other than war’. This idea relies on the existence of a form of ‘genuine war’ as expected by the West; a mechanized, organized and high-tech war, opposed to any other forms of combat. This hypothetical war, however, balances two wills and is materialized by symmetry between forms and practices. It appeals to the imagination of the Western armed forces since it strengthens the feeling of technical superiority on the battlefield and, consequently, justifies the constant downsizing of the military that has taken place since the end of the Cold War. As a result, Western armed forces rather look like highly qualified and fully equipped expeditionary forces able to score swift victories without permanence on the ground[iii]. This “shock and awe”[iv] doctrine is based on the idea of rapid and brutal dominance on the battlefield that would paralyze the adversary’s will to fight.
Military history, unfortunately, teaches that the adversary has a regrettable tendency not to behave as expected. When he becomes aware of the material imbalance, the adversary adopts bypass strategies, thus conforming to one of the most classical teachings of the Art of War. Hybridity thus has its origin in the very nature of war. Nobody ever wages battles without hoping to win. The aim of the adversary is, therefore, to create a break in the dialectic of war, not to be dragged into a form of combat, from which he knows he will not emerge as a victor, at least in the short term. To win, the adversary should refuse the type of combat pressed or imposed upon him. Hybrid warfare is therefore not a reasoned option but an imposed one. Based on this approach, according to Williamson Murray and Peter R. Mansoor, there is a historical link going back to Ancient times and the first form of hybrid war[v]. This link is to be found equally in tactical and strategic constructs.
B. Hybrid war or hybrid threat?
The definition of the hybrid war concept is also problematic, as it means defining a phenomenon whose internal dynamic seems to be constantly and radically changing. Some authors reduce the definition to a combination, at the tactical and operational level, of the conventional and non-conventional warfare types[vi], referring again to a broad definition of conventional war. Within this framework, does ‘conventional’ simply refer to the law of armed conflicts or does it include everything related to accepted practices?
Conversely, some other approaches put forward a broader vision and introduce the concept of ‘hybrid threat’. Franck Hoffman defines the hybrid threat as ‘an adversary simultaneously and adaptively using a combination of conventional arms, irregular tactics, terrorism, and criminal activities in the operational battle space in order to achieve its political goals.[vii]’ More broadly, the aim of this adversary is to capitalize on the adversary’s vulnerabilities both from a political and military point of view and, consequently, to wage a war beyond limits.
To conclude this short review of the concept, we deem it relevant to add the idea that the hybrid threat does not formally lend itself to open and declared war. If one analyzes the Ukrainian crisis according to this logic, it seems quite justified to say that the Russian Federation opted for a hybrid approach to achieve its goal in the Crimea.
4. Cyberspace, a new frontier for hybrid threats
The emergence of cyberspace as a space for battle and conflict poses numerous challenges. From a conceptual point of view, it is necessary to design national strategies to determine the ambitions and assignments of the State in this environment.
Very quickly, the boom in attacks on information systems resulted in a growing awareness among the highest authorities and decision makers, leading to decisions in the field of organization and cooperation. These changes began with the protection of the systems, then extended to the legal response and lastly to the military sector. Today, cybersecurity and cyber defense rank first among security concerns for most countries whose stability and economy depend on well-functioning networks.
Although it still remains sometimes quite difficult to clearly explain what is a cyber matter or not, terminology has significantly evolved in this area and has become quite consensual in NATO and various countries even if the definitions are different.[viii] Cyberspace is, therefore, a domain that encompasses both the networks and their management (from a technical point of view) and the information carried or stored in it.
The globalization of the communication and exchange tools resulted in growing mobilization capacity within the framework of limited-scale conflicts. No armed force can claim to be able to intervene and operate in a media and social bubble of silence any longer. Even if under control, the networks tend to be reorganized and allow, despite everything, the production of images, data or information. The attempts to block the Internet networks during the Arab Spring illustrate that activists immediately changed their normal practices and re-used old generation modems (assisted by foreign online support networks). This expansion of the warring theater necessarily means that information operations play an increasing role in the military strategy and are taken into account at the operational level whatever the type of engagement.
What appears to be clear is that cyberspace is now the core of information warfare strategy. This link between what seems to be a new domain (cyberspace tools and techniques) and what we used to call the information domain is getting stronger as most of our society relies on digital artifacts to communicate, live, work and interact. One of the very first conclusions is that no one can set up an information strategy without integrating a digital strategy. Thus, military forces must consider cyberspace as a fighting domain and develop new skills and tactics to guarantee freedom of action.
A. Why do hybrid threats thrive in cyberspace?
First taken over by criminal logic, cyberspace, as a tool and a vector of power, could not remain free from any operational strategy. Leveraging all the battle spaces, the hybrid actors find new functions for available objects to achieve their goals. Cyberspace is no exception to that and the possibilities arising from that are still greatly underestimated. Like Thomas Rid, one may consider that cyberspace does not basically revolutionize the art of war; cyberwar ultimately only serves the three traditional objectives: espionage, sabotage and subversion[ix]. Yet, the appropriation of this battle space by hybrid players raises the issue of the nature of the response to be made. At the core of the decision-making systems and the exchange processes, cyberspace is essential to Western governments and societies. It imposes conflicting requirements: acting without censoring, and monitoring while respecting privacy. Information in the broad sense is, therefore, a key element to control cyberspace. As for hybrid actors, they can develop operational strategies by capitalizing on these contradictions.
For example, as a political struggle, guerrilla warfare, which is an expression of the hybrid threat, includes propaganda in its scope of action. All the activities aim at increasing the commitment of the group members, at weakening the adversary’s ideological foundations, and in fine at causing the collapse of the adversary for political, moral or psychological reasons rather than on account of the blows suffered. The lessons learned from decolonization wars and the US withdrawal from Vietnam have been perfectly assimilated. In a connected world, where a picture is worth a thousand words, where emotion is dominant over reason, strategic victory is only obtained by piling up tactical successes. Even the opposite can be true, and a cause can be won even if the fight is ‘technically’ lost.
In this context, social media, the archetypal space for expression, provides hybrid players with a non-regulated mass dissemination channel allowing them to conduct real information operations and gather intelligence. Using state-of-the-art marketing techniques, digital operations, which are a vehicle for propaganda as well as a factor of internal cohesion, allow building an image of the force and creating a label, and a brand.
B. The different faces of hybrid threats in cyberspace.
To develop their strategies, hybrid actors systematically work in two directions: an outward-looking direction for recruitment of new members or supporters and an inward-looking direction using the strong power of the confirmation biases. Outward-looking action should not be reduced to propaganda or recruitment. The quality and availability of some products (especially videos) allow hybrid actors to reach an audience, which one knows will not be recruited but will, hopefully, at the very least remain passive or at best offer a form of implicit support.
The possibilities offered by social media operations and, more generally speaking, by what can be called the ‘2.0 media’ are far from being fully appreciated and mastered yet. The opening up of Big Data as well as the Internet of Things (IoT) are harbingers of new ‘original’ tactical developments. Considering that the use of digital tools by hybrid players is merely another dissemination channel would be a mistake and would only prove the inability to open up to a new form of influence. In this field, IS has shown considerable creativity and, beyond the horrific videos glorifying the movement, it has developed numerous ‘by-products’ with a fair degree of ideological content. There are, for example, secure messaging applications but also games or educational applications targeting young recruits.
For all that, the use of digital tools to conduct information and propaganda campaigns is only one of the prerogatives of non-State hybrid actors. Some countries have, in this field, had a long tradition of information control and manipulation to reach their political and strategic goals.
“Russia has a long history of using misinformation and misdirection in conflict to create benefits for domestic and foreign policy (Glantz 1988) as well as of using agitation and propaganda to mobilize its population (Kenetz 1985). Therefore, it is hardly surprising that the country’s current leadership seeks to exploit the new complex networked information environment to its advantage.”[x]
Hybrid actors naturally invest in cyberspace to collect information and conduct information operations. Information collection in cyberspace is far more complex than what was known as OSINT (Open Source Intelligence).
In this field, the digital revolution has entailed deep changes. When an agent that had been patiently infiltrated on the ground was needed to get the plans of a railway station, a port or a nuclear facility, the tools now available allow getting such information from one’s living room. Regarding operations preparation, the benefit is invaluable. Resorting to the techniques of social engineering, a widespread practice in hacker communities, offers the possibilities to accurately detect the vulnerabilities of a target and adopt tailored and efficient modi operandi. As a consequence, both the intelligence cycle model as well as its time management can be modified. Lastly, operations to neutralize, partly or totally, a target system can be launched following information collection or the identification of the vulnerabilities. Hybrid actors resort to what is improperly called ‘cyberwar’, that is to say, the possibility to destroy a target through the use of software as a weapon.
Whatever the final goal, intelligence collection, destruction or propaganda, the combination of these three types of action is what characterizes best the hybrid threat in cyberspace. Everyone will draw from cyberspace the resources they cannot get in the physical spaces and therefore create the imbalance, which is the founding principle of their freedom of action. For example, in the Ukrainian crisis, the Russian Federation chose to cultivate ‘ambiguity’ in its digital and information operation. Conversely, IS conducts a much more open campaign, both at external and internal levels, thus conforming to the instructions given by Ernesto “Che” Guevara in his book Guerrilla Warfare, in which he insists on the quality and importance of the messages to be released in the areas controlled by rebel movements[xi].
In any event, the use of digital tools makes it possible for a hybrid actor to achieve a high degree of leverage on the adversary by shifting the fight to a domain in which the Western armed forces have little control. Exerting direct influence, at lower costs, on the perceptions of a large audience or at the heart of the information systems, the hybrid player seeks to attain a strategic effect while the West is often satisfied with a tactical victory.
5. Countering the threats, challenges and opportunities
The biggest challenge relates to the legal aspects of military action conducted in cyberspace. Indeed, the distinctive characteristic of hybrid action is precisely its ability to capitalize on the various stages defined by the laws of war and the ambiguities related to the status of combatants in the field of information warfare. For example, armed engagements are governed by a very precise logic, a defined framework and a strict doctrinal model of peacetime, crisis, and wartime. Digital war does not necessarily correspond to this fragmentation. It requires preparatory actions, which are carried out in peacetime and sometimes by ‘non-combatants’. This specificity quickly raised the question of the threshold to decide when an action could be regarded as an act of war and, therefore, result in a change of strategic posture[xii]. As a consequence, how are actions conducted that are below a theoretical nuisance threshold (no civilian casualties, not necessarily any disruption of the information systems) and whose sole objective is to weaken the political cohesion of an adversary by creating a state of panic or doubt concerning official information?
The hybrid actor knows how to perfectly use this gray area. For example, on September 11, 2014, several Twitter accounts announced the explosion of the chemical plant in St. Mary Parish, LA (USA) and the possibility of toxic release; some residents even received SMS messages asking them to go to shelters. Very rapidly, due to the date chosen (9/11) and the geopolitical situation, a rumor circulated about an attack perpetrated by IS. Yet, the origin of this information attack was a Russian group (Internet Research Agency – IRA) promoting the dissemination of rhetoric favoring Kremlin authorities. It seems this group was also behind rumors about the onset of an Ebola virus epidemic outbreak in Atlanta. In both examples, even if one cannot underestimate the volume of the means deployed (number of trolls, dissemination strategy relying on refined targeting, quality of products), there is no choice but to accept that no ‘offense’ has been committed. The hackers (or the attackers) simply used free and available dissemination tools and their success can mainly be accounted for by Western populations developing a growing mistrust of official information. Countering this type of attack requires detection as soon as possible, information dissemination, and providing a quick response through official and non-official channels (the community of users of the network used to conduct the attack, for example).
The difficulty in integrating this type of operation into the planning process is the second challenge military organizations are faced with in developing information counter-measures. As mentioned above, numerous types of actions are taken before any armed engagement, which raises the question of action at stage 0, that is to say long before a final strategic objective, or an end-state, has been determined. Consequently, hybrid actors have free rein, as they do not burden themselves with restrictive doctrinal corpus and only have in mind a permanent strategic effect to be obtained whatever the group considered. Because of this gap, the armed forces are faced with a paradox; to intervene in this field, they will have to modify their relationships with the other non-military actors, thus running the risk to only be able to carry out a succession of tactical operations without any overall consistency.
As military operations tend to involve a long-term vision, today a digital aspect can be introduced in most engagements, even if this has not been contemplated before. The challenge is to make up for the time lost to counter the action of the adversary who has the advantage of anteriority. To fill this gap, a clear end-state should be defined, which is the only guarantee to produce specific effects to develop a tailored targeting process and make an unprecedented effort in the field of intelligence collection. Difficulties then pile up because once a digital or information operation has been planned and conducted, the question of the assessment is raised. How to develop new kinds of Measures of Performance (MoP) and Measures of Effectiveness (MoE) to assess our actions and adjust them in the long-term? These measures require new expertise often related to the communication and marketing disciplines but also, and in an increasing proportion, to the emerging sector of data analysis (data scientist, data analyst).
Beyond the integration into the operational process, the operations to counter hybrid threats in cyberspace have raised deeper questions about the nature and framework of the engagement of an armed force in this type of fight. The challenges are both conceptual and organizational as they require bringing together disciplines directly related to the field of academic research, social sciences, technological sciences, and law.
B. Opportunities: ‘know yourself’
The hybrid threat in cyberspace has opened a new front regarding military actions on which, like in the other fields, operations are conducted, effects are obtained, and successes achieved. For example, the aim is not simply to counter the hybrid threat in cyberspace but rather to devise an operational strategy that, while offering protection from the attacks, will play a part in the overall success of the operation. To achieve this, the first step is to counter the traditional approach, which consists in taking the threat as a starting point and in concluding with a force generation (structure, organization, command) and the assignment of missions that will trigger modi operandi. Such an approach not only confines one to a defensive posture, but does not allow capitalizing on opportunities offered by cyberspace to counter the hybrid player. For example, operational reflection requires first changing the state of mind and becoming aware of our own forces instead of seeking to identify all weaknesses and vulnerabilities.
First, and to use an image often employed in connection with land combat, cyberspace is a relatively well-known ground, which can be converted and, to some extent, controlled. To conduct information operations (propaganda, recruitment, and intelligence collection) the adversary will rely on tools, which are aimed at the general public to reach the targets and have a psychological impact. So, one should expect the adversary to use popular tools and services, most of them provided by well-known companies established within Western countries (or allies). We can therefore also use these platforms and services, which is already the case regarding public information. The armed forces can also initiate a controlled hybridization process by integrating, at lower cost, public tools or tools directly developed for the private sector.
Furthermore, the international community faced with a hybrid threat calls for coalition-led operations (generally under UN mandate). While it can prove difficult to form a coalition at the operational or tactical level within the air-land framework, it may not be the case in cyberspace. With a coalition, the necessity to combine effects on the ground creates a strong need for interoperability, for a common doctrinal base, and a suitable command & control system. As regards digital engagement, even if cyberspace may seem to be borderless, fragmentation exists when one works on a very particular target or via community networks. For example, the adversary’s propaganda activity can specifically target a linguistic group within a particular community. Countering this activity will require the necessary linguistic skills and knowing the social codes governing the targeted community (and therefore to be defended). That is the reason why an international coalition can be an invaluable asset as it will be easier to detect the required skills.
The globalization of a certain number of phenomena or behaviors can also be an asset. For example, the increasing number of social media and the theatrical self-representation of some individuals paradoxically highlight new vulnerabilities in a hybrid actor. The theories of revolutionary war taught that secrecy and a strict control process of the information were essential for the security of an insurgent. Keeping up with the times, the hybrid actor directs himself, shares photos and comments, and is a second-generation connected guerilla. That is the reason why a counter-offensive in cyberspace should integrate this new sociology of the adversary and make an asset of it. By directly engaging targets via social media, by deteriorating their image or by driving them to make security mistakes, a determined and coordinated action can be the first step of an efficient counter-offensive.
C. ‘First in last out’
The counter-offensive should focus on the adversaries’ ego and strict principles for the control of the operational environment. In the never-ending fight to draw attention on social media, early warning is critical. Therefore our own forces have to deploy early in cyberspace and hopefully before one’s adversary. Presence is a key and invaluable asset. That point is even more critical regarding social media strategy. That is why platforms and services should be identified as soon as possible, their codes understood as well as the communities, before devising an e-reputation strategy related to the values and objectives to be defended. Besides the direct engagement of the adversary, simple principles derived from the feedback from psychological operations (PSYOPS) should be taken into account. For example, in the field of information, the law of large numbers applies; the adversary has, just like us, only a limited capacity to process the information, with most of the weak signals not perceived. To efficiently counter a hybrid player in cyberspace, one should be able to generate a large amount of content and to disseminate it through a great variety of channels. This strategy requires massive and decentralized action to have a chance of obtaining a saturation effect on the target.
If mass and speed are sometimes incompatible with classical operations, these two factors of power are easily combined in cyberspace. Rapid readjustment allowed by distributed networks should not be regarded as an obstacle to the development of a counter-offensive. The saturation effect will necessarily drive the adversary to react and the effort will focus on another medium. One should prepare for that, if not provoke such changes to derive tactical benefit (spotting the players involved in the information war, identification, intelligence collection in material sectors). For example, the supporters of IS, pestered on Twitter, have turned to Telegram, a secured messaging platform, in order to carry on their information operations. No effect can be said to be sustainable but the plasticity of the hybrid actors also amounts to a vulnerability.
To counter hybrid threats in cyberspace, adaptive principles should be established both at technical and organizational level. The structure of forces should integrate and assimilate new specificities relying on skills to be developed or confirmed such as linguistics, sociology, psychology, new technologies, big data, and marketing.
Like other types of threats, the hybrid threat is the vehicle for numerous prejudices. The belief that it is impossible to deal with it fully, because its main feature is that it always discards the classic canons of combat, is very widespread. As regards its digital aspect, the hybrid threat, which should not be overlooked, offers the possibility to initiate an engagement ‘on equal terms’ in which the advantage of asymmetry that can appear in physical spaces is offset by new vulnerabilities related to the use of digital tools.
That is the reason why, far from being an impossible task that would require, as is the case for Sisyphus, to replicate what has already been done the day before, the armed forces should be able to seize the opportunities on this fighting ground. The first step consists in becoming aware of our forces which, if they cannot be reckoned in terms of tanks or troops, should be finely assessed before being engaged. The digital spaces allow finding this saturation capacity that is difficult to achieve on the classical battlefields. Quick reconfiguration limits the scope of the effects of some operations but places the maneuver in a faster tempo that can, however, be easily mastered and anticipated. Digital operations require us to hybridize our own forces and lead to opportunities that could well be permanent.
About the author
LTC Bertrand BOYER is an officer in the French Marines assigned as Chief Ops at the French Info Ops Center. He is a graduate of the French Army Military Academy of Saint-Cyr and Joint Staff College in Paris. He has served, in France and overseas, in various operational units. He has a master’s degree in Telecommunication and Network Architecture from Telecom Paris Tech where he started his work on cyberdefense operations doctrine. He has written several articles and three books about strategy and tactics in cyberspace (Cyberstratégie, l’art de la guerre numérique, Nuvis, 2012; Cybertactique, conduire la guerre numérique, Nuvis, 2014; Dictionnaire de la cybersécurité et des réseaux, Nuvis, 2015).
[i] Cyberspace is nowadays regarded as the fifth operational domain of warfare.
[ii] Martin Van Creveld, The Transformation of War, Free Press, New York, 1991.
[iii] Joseph Henrotin, Techno-Guérilla et guerre hybride, le pire des deux mondes, Nuvis, Paris, 2014.
[iv] Harlan K. Ullman and James P. Wade, Shock and Awe: Achieving Rapid Dominance, National Defense University, 1996, XXIV.
[v] Williamson Murray and Peter R. Mansoor, Hybrid Warfare. Fighting Complex Opponents from Ancient to Present, Cambridge University Press, Cambridge, 2012.
[vi] According to Elie Tenenbaum, quoted by Hervé Pierre in Relire Beauffre pour penser l’hybridité, Revue Défense Nationale, Février 2016.
[vii] Franck Hoffman, Hybrid Vs. Compound War. The Janus Choice: Defining Today’s Multifaceted Conflict, Armed Forces Journal, October 2010.
[viii] See the different definitions at the CCD COE web resources: https://ccdcoe.org/cyber-definitions.html
[ix] Thomas Rid, Cyber War Will Not Take Place, Hurst & Cie, London, 2013.
[x] Margarita Jaitner and Dr. Peter A. Mattson, Russian Information Warfare in 2014, 2015 7th International Conference on Cyber Conflict: Architectures in Cyberspace, NATO CCD COE Publications, Tallinn.
[xi] Ernesto “Che” Guevara, Guerilla Warfare, Milles et une nuits, Paris, 2009.
[xii] For a comprehensive overview of the legal aspects of cyberconflicts, refer to the Tallinn Manual, NATO CCD COE, Tallinn.