In the future portrayed by the hit 1995 Japanese animated film Ghost in the Shell, hackers alter the memories of a man, via an installed connection to the internet, causing him to embark on a violent rampage until he is brought under control by an elite team of anti-cyber specialists. While digitally controlling humans remains science fiction, cyberspace is becoming ever more entwined with what older generations would call ‘the real world’ (Praprotnik et al., 2013). As systems and organisations become more digitally evolved, so do they become more vulnerable to cyber threats (Ferreira, 2015). While mind control is not a reality yet, the ability of digital to affect the real is already a reality. Over ten years ago, the malware Stuxnet was released. It wreaked havoc within Iran’s Natanz nuclear enrichment facility, causing significant physical damage and project delays (Constantine, 2011).
Sun Tzu remarks in his treatise The Art of War, 'The Art of war is of vital importance to the state. It is a matter of life and death, a road either to safety, or to ruin. Hence it is a subject of inquiry which can on no account be neglected' (Tzu, n.d., para. 2). Cyberspace has often been described as the ‘fifth’ combat war zone, along with air, land, sea and space (Sevis & Seker, 2016) but despite these bold assertions there is little consensus amongst governments and militaries as to what cyber warfare is, both tangibly and legally. Nevertheless, governments have continually expressed the importance of ‘cyber’, dedicating vast funds to the establishment of cyber commands and capabilities (Koch & Golling, 2018).
The future of cyber warfare will be determined by two things: the mindset (policies, strategies) and the technologies (tools). You can give two combatants a katana, but in fifty years, they will develop very different fighting styles. It is crucial then to understand the policies/mindsets of governments as they are the prism future actions will be taken through (Healey, 2017). Once this is known, we can look at the types of upcoming cyber-swords.
The United States of America
The United States is the sole remaining world superpower and thus the benchmark for world competitiveness (Fritz, 2008). It has long been an advocate for an effects-based approach to cyber warfare, i.e. the means via which that effect is produced (cyber or kinetic) is irrelevant, it is the effect that is desired that is important (Farrell & Glaser, 2017). Official U.S. cyber policy is contained within the umbrella of deterrence, this approach being first detailed in the 2011 Whitehouse policy ‘International Strategy for Cyberspace’ and reiterated again in 2015 Department of Defense policies (Kania, 2017). The U.S. defines deterrence as 'the prevention of action by the existence of a credible threat of unacceptable counter-action' (Joint Force Development, 2017, GL8.). Thus, U.S. cyber primarily exists so that adversaries will be too afraid to act for fear of retaliation.
U.S. policy has evolved in the shadow of specific terrorist and espionage events, leading to the domination of the field by the Department of Defense and the militarisation of U.S. cyber policy over the last two decades (Healey & Grindal, 2013). Hence policies to counter specific threats and support specific military operations has become the norm (Whyte & Mazanec, 2019). The U.S. status as ‘leader of the free world’ also means that it generally aligns its doctrine with the principles of proportionate response and international laws applying to the use of cyberspace (Farrell & Glaser, 2017).
Two examples exemplify U.S. effects doctrine: Sutor and Stuxnet. In 2006, the Sutor offensive computer program (Leyden, 2007), designed by the USAF (Gasparre, 2008) was used by Israeli fighter planes to infect, confuse and render useless the Syrian air defence networks around Deir ez-Zor nuclear facility as part of Operation Orchard (Maathuis et al., 2016). In 2011, Stuxnet (Constantine, 2011), a highly targeted malware program, was used to autonomously infect the programmable logic controllers within the Iranian Natanz nuclear enrichment, delaying the project by approximately four years (Virvilis et al., 2013). Both Sutor and Stuxnet are designed from a military perspective to achieve an effect without collateral damage, the hallmarks of U.S. cyber policy.
Despite this expertise, there are fears amongst modern commenters that the U.S. will fall behind strategic rivals in the cyber sphere (Donnelly & Ratnam, 2019). From a technological perspective, the U.S. continues to be at the very forefront of development and implementation thanks to vast budgets and a world leading private sector, although the gap is closing (Wu et al., 2019). Stuxnet, though ten years old now, was unprecedented in its sophistication and elegance (Karnouskos, 2011) and a non-U.S cyber weapon of similar pedigree has yet to be unveiled. With continued investment, such as the establishment of dedicated cyber research units like the Army Cyber Institute at the United States Military Academy (Wong & Sambaluk, 2016), it is reasonable to assume the U.S. will maintain a healthy technical edge moving into the future.
From a strategic perspective, U.S. dominance remains less certain. Decades of focus on tactical effects has left America with a tunnel vision (Healey, 2017) that is already being exploited by the Information Warfare doctrines of other powers, such as the Russian cyber interference in the 2016 presidential election (Abrams, 2019). Furthermore, some have noted a general disinterest or disdain for analysing and learning from the doctrines of adversaries (Kania, 2016). Recent U.S. policy however is moving to a more proactive footing, as evidenced in the Trump Administration’s 2018 White House ‘National Cyber Strategy’ of which a key theme is to ‘Advance American Influence’ in the future (The White House, 2018). This could indicate that America intends to pivot from purely tactical effects into a more aggressive information operations approach (Fazzini, 2018). To what extent U.S. cyber policy will progress towards information warfare remains to be seen.
Russian and U.S. perspectives on the use of cyberspace for warfare and conflict differ significantly (Giles, 2012). Contrary to the U.S.’s haphazard and multi-departmental approach (Whyte & Mazanec, 2019), Russia nestles tactical effects within the umbrella of information operations, a focus championed by former General of Russia’s Army Forces, Valeray Gerasimov (Parsons & Raff, 2018). Russia’s contemporary literature does not even use the terms cyber (kiber) or cyberwarfare (kiberrvoyna), except where referencing western doctrine, instead using the term information warfare (informatsionnaya) when discussing cyber effects (Connell & Vogler, 2016).
As terrorism influenced America’s cyber policies, Russia’s legacy is inherited from the U.S.S.R and the economic and territorial disputes arising from its collapse. The current political climate is one of standing in opposition to the west, continuing the Leninist doctrine of an endless war for existence (Connell & Vogler, 2016). This, combined with a more unstable geopolitical situation compared to the U.S, has resulted two key tenants of Russian cyber warfare: a proactive focus on offence, and belief in cyber sovereignty instead of a free worldwide cyberspace (Weber, 2020).
The informatsionnaya approach consists of two pillars: informational-technological and informational-psychological (Thomas, 2010). The former is characterised by attacks ranging from influence operations via website defacements (Medvedev 2015) to deployment of malware against enemy networks. The later could be characterised by the use of botnets and fake accounts on social media (Shane, 2017) to create a general disillusionment with the authenticity of online news and information. While U.S. doctrine sees cyber threats as things like malicious code and hacking, Russian cyber analysts additionally see information content itself as a potential cyber threat (Giles, 2011). Thus the Russian view of what constitutes wartime and peacetime cyber operations differs from that of the west (Medvedev, 2015).
Russian willingness to conduct offensive informational-psychological operations was on display in the 2016 U.S. presidential election, where a cyber campaign allegedly sanctioned by President Vladimir Putin was conducted in order to disrupt and discredit the election process, damaging the integrity and reliability of American democracy (National Intelligence Council, 2017). This consisted of the alleged hacking of DNC email servers (Nakashima, 2018) and prolonged social media ‘fake’ news campaign to damage the electability of Hillary Clinton (National Intelligence Council, 2017). This sort of cyber action is nothing new to Russian cyber policy, as the FBI Assistant Director for Counterintelligence Edward Priestap stated before the U.S. senate, 'They (Russia) probe a lot of things (infrastructure) of critical importance to this country' (Senate Committee on Intelligence, 2017, p.41).
What does this mean for the future of cyberwarfare? Given its success, informatsionnaya, will likely remain pre-eminent, perhaps becoming an even greater focus on offensive operations (Connell & Vogler, 2016). Russia will also continue to leverage the difficulty in cyber-attack attribution through the use of third parties, such as corporations and criminal syndicates. A continued research and development into tactical effect capability, such as those demonstrated in Estonia, Georgia and the Ukraine, for use in conventional warfighting operations seems likely (Connell & Vogler, 2016). If the election of President Trump was an objective, informational-psychological goals seem to also be a success, with American faith in institutions and news at an all-time low (Persily and Cohen, 2016). Russia will likely leverage new technologies to continue cyber information dominance via social media manipulation and direct malware/hacking attempts.
People’s Republic of China
China is considered one of the more notorious cyber warfare participants, always on the lookout to make others feel its influence and power (Sahu et al., 2016). Like Russia, the Peoples Liberation Army (PLA) conceptualises cyber conflicts under the aegis of information operations (xinxi zuozhan) (Kania, 2016). China too has an ‘endless war’ mindset, likely a joint inheritance from Cold War communist beginnings, not distinguishing between peacetime and wartime cyber operations (Kania, 2016). China’s heavy focus on information is most evident in the ‘Great Firewall of China’, a permanent digital construct designed to prevent the free flow of information between Chinese citizens and the western world (Medvedev, 2015). In contrast to the west, China views digital sovereignty as no different to territorial sovereignty and this has shaped their defensive and offensive cyber ethos.
The above philosophies are summarised in the suspected PLA doctrine of Unrestricted Warfare. The term first appeared in a book authored by senior PLA Generals Qiao Liang and Wang Xiangsui and claims that warfare is no longer a strictly military operation and that the battlefield no longer has boundaries (Fritz, 2008). The broad and far reaching theft of technological and intellectual property from rivals for re-appropriation and reverse engineering for their own military use (Giles & Hartmann, 2019) exemplifies this contemporary offensive cyber doctrine. Operation Aurora, where Chinese cyber agents allegedly hacked many of the top 100 fortune companies, such as Google, Adobe and Juniper networks, is a more specific example. A complex malware was used to steal core intellectual property and re-purpose it for Chinese use (Sahu et al., 2016). This kind of intense, relentless espionage that would usually be reserved for wartime, is the standard under an Unrestricted Cyber Warfare.
What is unique about Chinese doctrine is leveraging cyber as part of a wholistic attempt to exert state power, using political, economic and cyber in tandem, over long periods of time to achieve CCP objectives. Western contemporaries, such as General Charles Dunlap Jr, have stated China is using the cyber domain to create a form of ‘legal warfare’ (Brose, 2015). Thus, rivals to Chinese interests must expect sustained, pre-emptive cyber campaigns to reframe normative, legal and military issues in ways that paint them as dangerous and China as favourable (Brose, 2015).
Looking to the future we can expect to see the PLA/CCP push for development of technologies and capabilities that further support the xinxi zuozhan and Unrestricted Warfare approach. The very nature of an oppressive, authoritarian communist regime means that strict information control, especially in cyber, is vital to its continued survival and thus defending Chinese ‘cyber sovereignty’ will be the fulcrum of future cyber policy. Unfortunately, we have not discussed China’s battlefield cyber effect capability and that is because, unlike Russia, there have not been any major conflicts for China to display and thus it remains shrouded in mystery. However, if comments from high ranking PLA officials, such as Major General Jiang Yamin of the PLA’s Academy of Military Science, are anything to go by, developing a tactical cyber capability that matches and surpasses the U.S. is a priority for China moving into the future (Kania, 2016).
State policies provide a lens into how state actors will shape the future but equally important are the technologies they may use to enact those policies. Thus, we will review a few of the key emerging technologies that will shape the future of cyberspace.
On 23 October 2019, Google announced they had performed a successful quantum computation, a calculation that would have taken a current generation computer 10,000 years was completed in a mere 200 seconds (Rash, 2019). While performed on an unreliable test machine, quantum computing has still been moved from theory to proof of concept and there is no doubt that soon ‘quantum supremacy’ will be achieved (Koch & Golling, 2018), i.e. where one party is the sole possessor of quantum computing technology. The applications of quantum computing for cyber warfare are limitless. With quantum processing power the security of modern cryptography would be in doubt, with algorithms such as RSA (Rivest–Shamir–Adleman), ECDSA (Elliptic Curve Digital Signature Algorithm) and DSA (Digital Signature Algorithm) no longer being secure and others such as AES-256 and SHA-256 being weakened (Sham, 2019). This decryption capability would yield enormous intelligence advantages. In fact, it is for this reason that many nations are stockpiling data that, while they cannot decrypt presently, they could with quantum computing (Kania & Costello, 2017).
In any future cyber war, a side with a favourable quantum mismatch would be able to brute force its way through almost any non-quantum defence, hacking into computer systems, taking control of weapon platforms or disrupting and damaging critical infrastructure. China and the U.S. have both invested heavily in the quantum race as a result. CCP Chairman Xi Jinping has emphasised the importance of quantum technologies to national security, designating quantum communications and computing as a prioritised 'mega-project,' in 2017 (Kania & Costello, 2017). The U.S. has also invested in quantum information science by offering vast multi-year grants to various private corporations through the Intelligence Advanced Research Projects Agency (Kania & Costello, 2017). Quantum safe security methods and algorithms are also under development, but all remain theoretical (Quantum Change, n.d.). Whoever achieves quantum supremacy first will have an advantage the likes of which has never been seen in cyberspace.
Artificial Intelligence (AI) is defined as 'the intelligence displayed by software that allows for autonomous computer solutions capable of adapting to context through self-management, self-diagnosis and self-tuning to adjust to unpredicted stimuli in order to achieve a programmed goal' (Trifonov et al., 2018). Such software offers a staggering array of opportunities for increased efficiency and effectiveness on both virtual and kinetic battlefields (Whyte & Mazanec, 2019). Daily data generation already far exceeds the capacity of humans to investigate, sift through and understand (Burton & Soare, 2019). Primitive AI, through the form of complex algorithms, handle much of this workload already, whether sifting through Facebook comments for inappropriate material or analysing military intelligence (Williams, 2018). As with quantum computing, the first to achieve new benchmarks in AI will have a brute force advantage allowing them to analyse more data, granting significant strategic and tactical advantages in the decision-making processes. Advanced AI could also automate the information-psychological component of information operations, allowing for an ‘attrition war of data’, overwhelming a defender’s ability to sort fact from fiction (Burton & Soare, 2019). Advanced AI could also develop malware and hacking methodologies that humans are incapable of, while blanket defending against all enemy threats, creating a serious power mismatch in virtual battles between the haves and have nots (Healey, 2017).
On the kinetic battlefield, AI controlled autonomous weapon platforms are being researched by all great military powers (Burton & Soare, 2019). The weakness of many contemporary unmanned platforms is the uplink to the human decision maker. Removing this would greatly enhance resilience to enemy cyber interference and extend their operational capabilities (Williams, 2018) all while performing better than under human control (Koch & Golling, 2018). The AI controlled autonomous ‘Loyal Wingman’ drone operated by the Royal Australian Air Force, which takes the place of fighter planes in dangerous situations, is an early example of this kind of capability (Insinna, 2020). However, human decision making will likely never be fully removed due to the ethics, morality and legality of using lethal force. The U.S. has stated that nuclear weapons will never be placed in the hands of autonomous AI (Burton & Soare, 2019). Even without complete control however, AI will likely be providing the decision altering intelligence to future human commanders and given that the infallibility and incorruptibility of such theoretical AI is has yet to be proven, this is a growing concern (Williams, 2018).
Cloud computing is certainly not a new phenomenon, but its advance and impact on the digital landscape has been relentless and pervasive (Whyte & Mazanec, 2019). According to the National Institute of Standards and Technology, cloud computing is best defined as 'a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction' (Mell & Grance, 2011, p.2) A broad field, we will focus on one cyber warfare application, the field of information fusion systems (IFS). IFS involves the study of theories and methods of processing and analysing multi-source uncertain information (Hao et al., 2015). Essentially it is how we make sense of a wide range of data from different sources and draw conclusions from it. The vast arrays of intelligence gathering platforms such as satellites, airborne drones, warships etc, all constitute the eyes and ears of an IFS.
The advantages of faster, more accurate and on demand intelligence gathering are obvious. Advances in cloud computing will allow independent IFS access to more calculation capacity and data than could ever be stored on the individual platforms, resulting in information reaching human commanders exponentially faster (Hao et al., 2015). In addition, this virtual decentralisation insulates them against any single, pinpoint cyber/kinetic attack, rendering them highly resilient. The data they observe would also be imminently saved to multiple locations, preventing its loss or destruction.
Looking into the crystal ball to determine the future is always a risky business, the very nature of disruptive and innovative technologies is the suddenness and unpredictability of their arrival. Nevertheless, the fact that the importance of cyber in state-on-state conflict will only grow is a certainty. While we have only looked here at the cyber policies of three major players, additional perspectives should be investigated. North Korea’s Supreme Leader Kim Jong-un majored in computer science and has dedicated significant time and resources to the promotion of the hermit states' cyber capability (Ji-Young, et al., 2019). Israel, while often aligned with U.S. doctrine has been increasingly adopting its own unique perspectives on achieving future cyber power (Tabansky, 2016). The asymmetric and generally resource light nature of offensive cyber operations, such as distributed denial-of-service (DDOS), makes it attractive for traditionally weaker powers and given the growth and connectivity of worldwide networks, virtual conflict will likely become a crowded marketplace.
With this growing level of connectivity, and an entire generation now having been raised from birth with social media, information warfare will only become more relevant. Western democracies, such as the U.S., which inherently rely on the free flow of accurate information to allow an informed voting populace, will need to develop and enact counter strategies. Further consideration should also be given to the difficulty in attributing cyber space operations to a guilty party and the ways in which certain nations have been able to, and will continue to, leverage this through third parties. Given the aggressive way in which advanced cyber powers such as Iran, Israel, the United States, China, Russia and North Korea are using covert cyber capabilities, the above seems increasingly likely (Healey, 2017). Study into the apparent reluctance to adopt open positions on what is lawful in cyberspace in order to maintain the ability to perform cyber operations would also be interesting and beneficial (Giles & Hartmann, 2019).
While quantum computing, artificial intelligence and cloud computing are revolutionary technologies for cyber conflict, they are not the only upcoming innovations. Everything we own, from cars to toasters, is becoming connected to the world wide web, a phenomenon labelled the ‘internet of things’ (Whyte & Mazanec, 2019). While this has provided unparalleled convenience, the cyber-war applications are legion, such as using smart phones to gather information or forcing control of autonomous machines. Another interesting line of thought is that many of these revolutionarily technologies could be made by private corporations, beholden to no-one, granting them cyber superiority over even the greatest military powers of the world.
The further we investigate into the future, the less accurate our predictions will become. Who could have predicted Covid-19 and the way the pandemic is reshaping world economic and digital footprints today? The only thing we can say for certain, is that cyberspace is here to stay and whoever can control it, through the myriad forms of digital conflict, will shape the future to their vision.