Deterrence Below the Threshold of Collective Defence: Is It Possible?
Since Russia annexed Crimea in March 2014 and the Western allies were suddenly confronted with the requirement to balance and, if necessary, fight a peer-level adversary, deterrence as a concept has been very much back in vogue. Long hours have been spent at NATO headquarters in Brussels debating the relationship between deterrence and collective defence, and many dilemmas not discussed much since the end of the Cold War have resurfaced.
The returning spectre of great power conflict requires the Western allies to relearn the fundamental principles of deterrence. Why and how did deterrence work successfully in the past, especially when it was put to the test in existential crisis situations? If experts take two of the most severe Cold War crises – Berlin (1961) and Cuba (1962) – deterring adversaries from taking extreme risks was not just about military postures and pressure; to an even greater extent, it also concerned deft political and crisis management skills. At the time of the Cuban missile crisis, US President John F. Kennedy resisted military pressures for immediate action while keeping military forces in place to act if necessary. He opened channels of communication with the Soviet leadership to understand its objectives and its own red lines. In sum, deterrence is about complicating the strategic calculus of adversaries, making them progressively aware of the unacceptable consequences of their actions, and thereby making them lose confidence in the wisdom and likelihood of success of their own strategy. At the same time, deterrence must give these adversaries a sense that they can preserve their vital interests (i.e. preventing the collapse of East Germany or of Castro’s regime in Cuba, respectively) without the extremity of war.
It is worth recalling these lessons at a time when NATO is rethinking collective defence against classical scenarios of armed attack, but is also coming to grips with an upsurge in another type of state-led aggression, commonly referred to as the ‘grey zone’, or hybrid warfare. This type of aggression is not existential, but it is also not something that the Western allies are prepared to tolerate as an unavoidable feature of modern life. Hybrid campaigns can achieve the goals of war (hegemony, control, dislocation and punishment) without actually going to war, if they are applied consistently and are unopposed. Hybrid warfare is not new, but the growing range of technologies and tools available to aggressor states, together with the cracks and vulnerabilities of the Western democracies, make it more wide-ranging and attractive as an instrument of coercion. So, as the Western allies grapple with the meaning of traditional deterrence, another debate is proving to be equally difficult and time-consuming. Can the traditional concept of deterrence, as has been applied with some success to the nuclear domain (and largely understood in that context), be applied also to hybrid warfare?
At first glance, the very nature of hybrid warfare makes deterrence a difficult concept to apply. If we take cyberspace as an example, there are a range of states engaging in offensive cyberattacks, with over 40 having developed this kind of capability. Allies can even use cyber or electronic activity against each other. Cyber also gives state institutions other than the military or the defence ministry the ability to take action. Proxies can give states deniability or be used to provide highly skilled technical tools that the attacking state may not itself possess. So-called ‘hacktivist’ groups can quickly disrupt cyberspace to convey any message they like. Equally, cyber tools can be many things at once, in contrast to a traditional weapon that has just one limited function. They can be used for information exfiltration, for data falsification and manipulation, and for disruption or even physical destruction by causing critical infrastructure to malfunction.
At the same time, cyber tools render a much broader spectrum of targets available to attack, including those that in the past required very expensive and risky military operations in order to be destroyed or disrupted. In 2018, for instance, the US intelligence agencies warned of Russian, Chinese, North Korean and Iranian attempts to target US critical infrastructure. Cyberattacks exploit the hyperconnectivity and deepening interdependency on which modern societies rely; globalized supply chains and multi-sourcing make modern communications, financial, manufacturing and utility infrastructures increasingly difficult to monitor. The NotPetya malware attack of 2017 brought home as never before the randomness of damage resulting from large-scale cyberattacks, as companies across the globe suffered much higher levels of damage than the prime target, the Ukrainian government. The speed of technological innovation in the cyber and electronic domains with the transition to the Internet of Things, 5G communications, artificial intelligence (AI) and quantum computing presents critical challenges for the security policy community: it is difficult to achieve the awareness, gather the information, deploy the scarce human talent and decide whether and how to transform defence structures and processes in a timely manner.
Does this mean that deterrence cannot work in cyberspace? Certainly, the complex nature of this domain means that it has to be a progressive, evolutionary and step-by-step concept, rather than a one-off delivery of effect. Far more than traditional military activity, it will require a whole-of-society approach. The interconnections and interdependencies have to be understood, and many different things have to be coordinated in the most cost-effective sequence if deterrence is to be successful. This step change means that to the traditional elements of deterrence – such as a credible capability and the willingness of a single, centralized authority to use it – many new elements must now be added: the willingness and ability of the private sector to implement stringent security standards; the ability of governments to mobilize civilian society expertise; and the readiness to attribute and initiate firm responses even when there is no ‘smoking gun’, as in a military or nuclear attack.
Building blocks of deterrence
In the first place, an organization like NATO has to define its primary purpose in cyberspace. Its declaratory policy to make this level of engagement clear and the solidarity to back it up are the first building block of deterrence. Arguably, NATO has already moved a decisive step forward in this process by declaring at its summit in Newport, Wales in September 2014 that a cyberattack could be the equivalent of an armed attack, and could therefore trigger Article 5 on collective defence. Yet the threshold for reacting collectively and the type of response were left ambiguous. NATO needs to have an internal discussion to identify scenarios where it could be called upon to act. This internal discussion is required because ambiguity in response is matched by ambiguity in attack, with the risk that allies could be divided on when and how to respond. Cyber tools also need more careful preparation before they are ready to use – but if the decision is taken to respond with kinetic assets rather than electrons, political signalling will be essential to communicate to an adversary whether NATO is seeking to escalate or to de-escalate the situation through a single act of retaliation. If, on the other hand, cyber response options are selected, NATO commanders will need to have some understanding of what these cyber assets are, what they can usefully do, and the pros and cons of using them in comparison with more traditional weapons. Without such an understanding, it is unwise to talk up the likelihood of the use of offensive cyber in declaratory policy.
The second building block for successful deterrence up to and beyond the Article 5 threshold is a robust operational capability. NATO took the essential second step forward at its Warsaw summit in July 2016 when it recognized cyberspace as a domain of operations, and decreed that it needed to achieve the same efficiency and effectiveness for operations in this new domain as for land, sea and air. This step incentivized individual allies, beginning with the UK, to offer their national assets to NATO in a crisis or conflict, although it is not clear if they will be used by the individual ally or by NATO. Deterrence below Article 5 will require countries having niche assets, developed for national security first and foremost, to offer these to allies and partners and to do so early in a crisis. The provision of these national assets enabled NATO to set up at its Supreme Headquarters Allied Powers Europe (SHAPE) its first Cyber Operations Centre (CyOC), shortly after the Brussels summit in July 2018, in trial structure. It achieved its initial operating capability in December 2019, and is expected to be fully operational by 2023. CyOC’s function is to undertake the operational planning to use cyber effects, to integrate cyber into overall military operations and training and exercises, and to incorporate into its military planning and crisis-response measures those cyber effects that it expects (or hopes) willing and capable allies will provide.
One little-noticed but nonetheless significant outcome of the 2018 NATO summit is that the allies agreed a mechanism to generate these national cyber assets and transfer them to NATO’s military and political responsibility. The difficulty, as previously indicated, will be to achieve the same understanding of the impact and military utility of cyberweapons as compared with conventional weapons. For this purpose, NATO is in urgent need of a military doctrine for cyber operations that defines how they fit into the alliance’s order of battle.
The third building block, then, is the resilience of the national networks and infrastructures on which organizations like NATO and the EU depend to manage crises and prepare and conduct their responses. Achieving this resilience is the most difficult challenge, as much of the infrastructure has been privatized since the end of the Cold War and has been reconfigured for efficiency and profit rather than for redundancy of systems for resilience and security. NATO today depends on the private sector for 90 per cent of its military transport and 70 per cent of its satellite communications. Getting this infrastructure back up to wartime standards will be a demanding, long-term and costly challenge. Western allies will need to be clear where their vulnerabilities are, and map them systematically through training and exercises, rather than discover them only in a crisis. Europe does not have the money to retrofit its key infrastructure to military standards of resilience. The solution is to design future networks and facilities with military standards incorporated at source.
Although industry rarely likes more regulation, ultimately this will be a win-win situation as consumer confidence and protection will be enhanced at the same time as national security. As deterrence applies only to man-made premeditated activity, it can benefit from resilience investments by depriving an adversary of the ability to disrupt or to slow down and frustrate the response of the victim. This is often referred to as deterrence by denial. Yet deterrence by denial still exposes the aggressor publicly, and carries the risk of a robust response (e.g. through sanctions, ostracism, etc.) even if the act of aggression has brought the aggressor state no benefits.
A fourth building block is the anticipation of threats through improved situational awareness and intelligence sharing, together with a more general understanding of the role of human agency. Intelligence and awareness usually focus on intentions and potential hostile behaviour. In the future, awareness must focus on technology as the critical enabler of disruption. Hybrid campaigns are all the more successful if they link up with technology and social change that are already in themselves polarizing and disruptive – even before an adversary has discovered novel ways to exploit them. A greater degree of government activism will be needed in regulating technological innovation. It was not until the discovery of Russian interference in the 2016 US presidential election that the Western allies woke up to the dangers of fake news, bots, trolls and anonymity, and the use of social media platforms to spread conspiracy theories and alternative versions of the truth. As the world enters the era of AI and machine learning, robots, intelligent weapons and satellites, technically enhanced humans, and all-pervasive surveillance, there will be an urgent need for wide-ranging discussions, at global level, on the security and humanitarian implications of extremely rapid and poorly regulated technological change as the key driver of insecurity. A more intensive dialogue is required between government and international organizations and the private sector, not only to identify promising new technologies and innovations that can offer a technological advantage over an adversary, but also – and more importantly – to map the impact of technological change on diplomacy and conflict much earlier, and to bring the world of science and policymaking much closer. Arguably, the NATO alliance needs to create a high-level board of science and technology advisers to engage the ambassadors on disruptive technologies and their impact on international security.
Deterrence rests on an understanding of what is permissible or non-permissible behaviour, and thus on accepted norms and standards. The problem with the so-called grey zone is that many actions are legal, even if potentially threatening to our security, as is the case with the development of 5G networks in Europe by the Chinese telecommunications conglomerate Huawei. If there are no (or inconsistent) rules or codes of conduct, or no universally accepted constraints on cyberattacks, or on the use of social media advertising in political campaigns, pushing back will be hard – including in the diplomatic sphere. Western nations need to work far harder to establish norms and standards in the grey zone to distinguish legal from illegal activity, business from interference, or normal globalization and interdependence from loss of sovereignty and national autonomy of action and choice.
Recent efforts at the UN, or within its specialized International Telecommunication Union, to regulate internet governance have not borne fruit, due to disagreements over the extent and role of state sovereignty in the virtual domain. More regional agreements among like-minded states may be a better approach, as with the two Organization for Security and Co-operation in Europe (OSCE) conventions on cyber confidence-building measures, agreed in 2013 and 2016 respectively; or the 2018 Paris Call for Trust and Security in Cyberspace, which is open to both state and civil society participation. As industry has created the technology that now needs to be regulated, it also has to play a role in setting the norms and partnering with governments.
The fifth and final building block of deterrence in the grey zone depends on a consistent pattern of crisis management and incident response. Deterrence is contingent on the deft handling of individual situations. It is important to indicate when a red line or a new threshold has been crossed, as occurred when the EU and NATO both expelled hundreds of Russian diplomats after the nerve agent attack on a former Russian military intelligence officer and his daughter in the UK in March 2018. In the grey zone, making the aggressor pay a price – but not too high a price – is the way to deter further, similar activity. This can be done by more public attribution and the considered release of intelligence material to support attribution and build a public case. What NATO can usefully do is to define a common methodology for attribution based on shared intelligence and other elements to facilitate collective attribution and response. As the tradecraft and methods of actors in the grey zone become more familiar, identifying them with confidence becomes easier. A second requirement is to establish a playbook of responses that offer a flexible menu of options to policymakers. This is a trial and error process, given that it is difficult to know in advance which measures have an impact on which aggressors. Time and experience will tell what works best as a form of deterrence, and in changing the calculus of aggressors to respect limits on their behaviour in their own ultimate self-interest. The key is to be measured and consistent, so as not to give the impression that red lines are negotiable, or that costs can be avoided.
In conclusion, deterrence is not a science that can produce standardized results for standardized types of behaviour. Even if followed to the letter, under textbook conditions, there is no guarantee it will work vis-à-vis the unpredictability of aggressors, their perceptions, and their reactions under mounting external and internal pressures. Certainly, the more contingencies and threats it needs to cover, the less reliable it will be as a security buffer. But that does not mean that it is redundant and cannot be improved with patience, consistency and a willingness to learn by doing.