Written evidence submitted by Lucas Kello, Oxford University (TFP0033)

 

The inquiry into technology and the future of foreign policy must begin with an important assumption: we live in a revolutionary time. The international order is doubly challenged: from within, by China, Russia, Iran, and other rising centres of power; from below, by new technology that has altered the nature of force and conflict. Either trend alone would complicate foreign policy and security planning; their convergence compounds policymakers’ difficulties. Policymakers must address not only geopolitical disruptions but also their interrelation with technical complexities. A central arena of contention in the new era of conflict is cyberspace.[1] States large and small use it to penetrate each other’s political systems and vital infrastructures. Because machines and networks pervade modern society, security threats permanently reside at its core. Never before has a major power transition in the international system transpired under the present conditions of pervasive technological vulnerability.

              The response to current policy challenges depends on our conception of them. It is important to understand which aspects of the technological revolution fit the conventional model of statecraft and which ones defy it. This submission of written evidence sketches out such an analysis. It discusses where prevailing policy dogmas apply and where they break down in relation to one of the central topics of the inquiry cyber conflict. The main argument is twofold. Cyberspace has enabled new forms of strategic competition below the traditional threshold of war, with important consequences for foreign policy and security strategy. Geopolitical adversaries are outpacing the United Kingdom and its Western allies – so far – in the race of doctrinal adaptation to this new reality.

 

 

Technological Vulnerability and the Changing Security Landscape

 

The distinguishing feature of modern society is technological vulnerability. The basic functions of government, the economy, and society rely on the proper operation of computer systems and networks that are exposed to permanent adversary intrusion and frequent disruption. This situation resulted from the rapid growth of cyberspace over the last three decades, beginning with the Internet’s economic and social expansion in the 1990s, intensifying with the emergence of social media in the early 2000s, and continuing with the advent of sophisticated algorithms. Events over the last several years illustrate two notable changes in the security landscape arising from new technology.

One change involves the evolution of espionage. Traditionally, espionage primarily involved the theft of military or commercial secrets by foreign powers who wished to conceal their action (not just their identity). What is the aim of espionage today? Here the surprises begin. Espionage increasingly involves the Russian tactics of kompromat: the release of sensitive information about a public official or organization that is timed to influence an adversary’s foreign policy or possibly alter the shape of its government. The United Kingdom experienced such an event during the general election of 2019. Foreign Secretary Dominic Raab accused Russia of trying to influence the election by releasing secret documents relating to post-Brexit trade relations with the United States. Kompromat activity has also targeted allied nations. During the 2016 U.S. presidential election, Wikileaks released email records of top Democratic Party officials seized by Russian GRU military hackers. The disclosure mired the party in controversy, possibly diminishing Democratic voter turnout on election day, thereby contributing to Donald Trump’s election victory.

Espionage in short has emerged from the shadows. Adversaries no longer seek to remain silent about the secrets they steal; instead, they attempt to use them to cause political disruption. To be sure, covert information theft is still a major concern. In September 2020, Raab warned about and condemned China’s theft of intellectual property targeting super computers and telecommunications companies.[2] But increasingly, foreign spies want some secrets to go public and that is the point: to sow discord within the polity in order to weaken other countries’ foreign policy assertiveness. The information contest also transpires within social media platforms such as Twitter and Facebook, which foreign agents opportunistically use to aggravate public divisions over contentious issues such as Brexit and its consequences.

A second change in the security landscape concerns cyberweapons: they have altered the nature of force and conflict. Information is no longer just a source of power and influence; it has become force itself. Weaponised code (that is, information stored as electrons) can destroy nuclear enrichment centrifuges, disrupt fuel supplies, interrupt hospital functions, and so on. Crucially, it can do so without ever exiting the “minds” of machines. Attackers can strike remotely, nearly instantaneously, and often under the cover of anonymity.

All future wars among technologically capable nations will likely feature information operations and destructive cyberattacks as an important component of the fight. But it would be misguided to view cyber threats primarily through the prism of interstate violence. Cyberspace enables new strategic behaviour more than enhancing old conduct. Some scenarios in cyberspace are difficult to conjure in physical space. The remote and non-violent interruption of financial systems or fuel supplies with computer code would not be possible with the use of missiles and tanks. Among the most worrisome conceivable scenarios in the near future is a series of computer born actions that impair the United Kingdom’s vital infrastructure while stoking public confusion via social media about the attack’s origin and aims or about appropriate responses to it.

 

 

Implications for UK Foreign Policy and Security Strategy

 

The cyber revolution in strategic affairs challenges basic assumptions of foreign policy and security strategy. Some old axioms to be sure still apply. Despite the proliferation of non-state threat actors (who for example interrupted almost half of fuel supplies in the U.S. East Coast with ransomware in May 2021), states – especially large ones such as the United Kingdom – retain their primacy in the new realm of conflict. Territorial integrity remains a principal concern of nations even as intangible security threats grow in salience. Nevertheless, changes in the threat landscape require adjustments in thinking. The very concept of security must change. Traditional security strategy privileges the physical world over the virtual world. Its chief aim is to protect the national soil against military incursion. But it is not the nation’s physical frontiers that face imminent threat today. Rather, the integrity of the nation’s basic political institutions and electoral processes is at stake. The pursuit of physical security cannot come at the expense of failing to develop doctrines to defeat intangible threats that propagate through a frontierless information space.

 

The Growing Relevance and Challenge of Information Security

 

The UK foreign policy and national security agenda must give greater prominence to information security, or efforts to protect the integrity of domestic information flows via the Internet, especially against attempts by foreign powers to manoeuvre within the polity. Information security is no longer the concern mainly of authoritarian nations such as China or Russia, whose regimes strive to preserve their legitimacy against the grievances of "confused" citizens (as Chinese authorities put it). It is also a legitimate and growing concern of liberal democracies. Its scope must expand beyond the normal concern of stemming illicit activity such as financial fraud. Containing malicious political and social content deserves greater attention.

The United Kingdom’s pursuit of information security confronts a double asymmetry that favours autocratic adversaries. On the defensive side, information control does not come naturally to a society that regards freedom of expression as a fundamental right. Russia’s recent information campaigns showed that the very openness which defines UK political culture makes it especially vulnerable to foreign intrusions. Democratic leaders struggle with a fundamental tension that spares the autocrats: how to protect the integrity of domestic political discourse without violating basic freedoms of expression. The challenge of online information regulation is complicated by the fact that social media platforms are designed, owned, and operated by private companies such as Facebook and Twitter; their platforms operate with little government oversite or control. The need to involve the private sector at the centre of regulatory efforts is another hurdle that autocracies do not face. Yet private sector interests will not always align with the government’s (as demonstrated in the contention between Apple and the FBI following the terrorist attack in San Bernardino, California in 2015).

On the offensive side, the United Kingdom and its allies have less opportunities to operate within adversaries information spaces to pursues foreign policy objectives. Closed political systems implement information control measures that are constitutionally unavailable in a democracy. China and Russia operate a vast apparatus of Internet surveillance and censorship (the two go hand in hand) that the authorities routinely use to stanch the flow of ideas which the regimes consider subversive. The United Kingdom, moreover, does not have a hundred years of doctrinal understanding of information warfare as Russia does. The question remains unanswered because it has not been seriously posed: should we and our allies develop our own concept and methods of information warfare that we can deploy abroad?

In brief, the United Kingdom’s open society, like that of other democracies, is susceptible to foreign information intrusion more than the closed information space of autocratic regimes. Their domestic Internet is not frontierless like ours. Because routers and servers occupy physical space, online communications are susceptible to the jurisdictional control of autocrats. By contrast, the porousness of our information borders upends the classical security paradigm. Traditionally, the main objective of security policy was to prevent adversaries’ intrusion into the core domestic terrain; today, their permanent and possibly undetected presence must be a starting axiom of security policy. The central challenge of cybersecurity, therefore, is figuring out how to limit foreign adversaries’ ability to cause harm from within the polity while respecting basic freedoms.

 

War, Unpeace, and the Punishment Problem

 

Repeatedly, adversaries use cyberspace to assail the United Kingdom’s political, social, and economic interests. Repeatedly, the country’s leaders warn about the gravity of such actions. For example, the head of MI6 warned in 2016 that the manipulation of social media by foreign powers during the Brexit referendum presented “a fundamental threat to our [nation’s] sovereignty,” adding: “They should be a concern to all those who share democratic values.[3] Following the Wannacry ransomware attack by North Korean military hackers that disrupted NHS hospital services in March 2017, a Foreign Office minister stated: “The United Kingdom is determined to identify, pursue and respond to malicious cyber activity regardless of where it originates, imposing costs on those who wish to attack us in cyberspace.[4]

And yet repeatedly, the government struggles to punish to deter the offenders. Like the West more broadly, the United Kingdom suffers a problem of under-proportionate response: it fails to punish technological aggression sufficiently hard to convince adversaries that the retaliatory costs outweigh the gains. Punitive measures such as targeted financial sanctions and public attribution of the attackers’ identity have not sufficed to prevent further ordeals.

Attempts to curtail cyber conflict have focused on the preferred methods of Western diplomacy: the fostering of laws and norms of international conduct. Officials stress the importance of existing international law and institutions to prevent hostile actions. They emphasise the value of forums such as the United Nations Group of Governmental Experts (UNGGE) or the Open Ended Working Group, which explore how existing legal conventions such as the UN Charter principles apply to the regulation of interstate cyber conduct. They stress the reasonableness of norms of conduct, as if the transgressors in Moscow or Pyongyang had failed for all these years to grasp their self-evident validity.

This policy approach has failed spectacularly. The current legal and normative framework is not adequate for the purpose that Western policymakers ascribe to it, because it does not provide sufficient grounds to credibly respond to actions falling short of war. Contrary to common opinion, contemporary security problems are not primarily normative or legal but doctrinal: figuring out how to punish activity – in order to deter it in the future – that international legal traditions and Western security strategy do not ordinarily recognise as punishable.

The roots of policy paralysis lie in a failure to grasp the changing tides of modern conflict. The relevance of war to historical transformation has diminished. War is no longer the principal force of change in international affairs. Relative to the rich history of warfighting during the last century, the most distinctive feature of modern conflict is the silencing of guns among large nations. Their leaders grasp that even a minor armed confrontation among them is almost inconceivable because its consequences would be economically and politically ruinous. In the present era, large powers threaten war primarily to avoid it.

Less war does not mean more peaceful means of rivalry, however. These too have waned in relevance. Major cyber incidents share a defining characteristic: despite their potentially grave individual or cumulative effects, their non-violent nature places them below the legal criteria of an armed attack or a use of force. Nevertheless, it is important to realise that the cyber incidents mentioned above and others like them violated the definition of peace, the state of restrained rivalry (if not comity) that statesmen normally aspire to achieve in the midst of international anarchy.

The absence of major war cannot obscure the fact that we live in a period of intense technological rivalry – one that the United Kingdom, alongside its Western allies, is losing against the main geopolitical rivals. Policymakers must grasp a central truth about contemporary security: much of modern interstate rivalry fits neither the destructive criteria of war nor the acceptable boundaries of peaceful competition. Rather, it is unpeace, or mid-spectrum rivalry that is more damaging than traditional peacetime activity (such as economic sanctions), but not physically violent like war. The technological methods of unpeace have become more relevant forces of change in international politics than war itself. Nations can use cyberspace to achieve some of the main political and strategic objectives of war without firing a single gun. The lack of deterring penalties betrays not tolerance of aggression but a failure to devise a response strategy commensurate with the legal and doctrinal peculiarities of unpeace, which the existing legal order and prevailing security strategy struggle to address.[5]

 


The Necessity for New Policy Approaches

 

Our challenge of adapting policy and strategy is greater than in previous eras because the main source of revolution in strategic affairs is technological. Western nations are losing the intensifying technological contest that defines the twenty-first century. Policymakers and analysts have not yet figured out – but figure out we must – how to achieve information security in a way that is consistent with our political values and which accommodates the important, sometimes decisive, role of the private sector.

Deterrence of unpeaceful actions meanwhile is failing. Opponents have developed a superior understanding of the new possibilities of modern conflict. They grasp better than us where our own thresholds of reaction lie. So long as the harmful effects of their actions do not meet the recognizable criteria of war, the punishment is likely to be minor. The failure to exact credible punishment produces pressures for further clashes. Observers who warn about the risks of spiralling conflict from sterner penalties fail to grasp that inaction or weak action can be more escalatory than decisive action.

In these circumstances of intensifying virtual conflict the absence of war no longer means the prevalence of peace. Geopolitical contests increasingly play out beneath the familiar threshold of war. Yet the rigid thinking about war and peace prevails in Western capitals. Although officials increasingly realise the realities of unpeace, the development of new policy and strategy to guide behaviour in the new genus of conflict remains primitive – precisely because we are so behind in doctrinal ingenuity. Because security doctrine still operates mainly within the bounds of the war-peace binary, yet much of security competition today is neither one nor the other, existing policies of conflict prevention produce seriously flawed results.

The attempt to develop more effective conflict prevention strategy is hindered by the very international legal system that makes it necessary. Because policymakers prioritise legal and diplomatic conventions grounded in traditional notions of armed conflict and physical violations of the national soil, they struggle to deal with aggression – no matter how politically or economically damaging – that falls below the recognizable threshold of war. The international rulebook prioritises war; so too does policy dogma based on adherence to a narrow interpretation of it.

What is to be done about this situation? Absent adequate legal and normative instruments to dissuade acts of unpeace, a solution must be found in a consequentialist logic of penalties, one that appeals to opponents’ considerations of material interests rather than a sense of normative appropriateness that has not yet formed and may never do so. The main objective is calculated deterrence: to convince the other side that the retaliatory costs of technological aggression are greater than its gains. In the new era of conflict we cannot afford to indulge in the conceit that old policy dogmas apply where events have ruled them out. The organization of UK foreign policy and national security strategy requires new departures in thinking.

 

 

June 2021

7

 


[1]Cyberspace” denotes all computer systems and networks in existence, whether or not they are connected to the Internet.

[2] Dominic Raab, ‘Press Release: UK Warns of Chinese Global Cyber Attacks’, GOV.UK, 16 September 2020.

[3] Ewen MacAskill, ‘Hostile States Pose “Fundamental Threat” to Europe, Says MI6 Chief’, The Guardian, 8 December 2016.

[4] ‘Foreign Office Minister Condemns North Korean Actor for Wannacry Attacks’, GOV.UK, 19 December 2017.

[5] My recent book, The Virtual Weapon and International Order (Yale University Press, 2017), introduced the notion of unpeace. Parts of this written evidence contain extracts of my next book, Striking Back (Yale University Press), which elaborates on the doctrinal challenges of unpeace and how to resolve them.