Written evidence submitted by Brigadier (Rtd) Anthony Paphiti, former ALS officer and Dr Sascha Dov Bachmann, Associate Professor in International Law

Introduction

"Hybrid threats" as a military term was coined in US military specific literature as a result of the review of the military conflict between Israel and Iran-supported Hezbollah during the second Lebanon war of 2006. Hybrid threats in the context of asymmetric conflicts consist of a blend of unconventional and conventional means of warfare, their tactics and methodology.

Hybrid threats outside the context of conventional military conflict can be influenced by a variety of factors, which are deliberately provoked by different actors, and can be exploited. Hybrid threats are the result of a new enemy (state and non-state actors) and a new action spectrum. Hybrid threats pose new challenges to policy and rule of law.

NATO Recognized as early as 2010 hybrid threats were a new security risk and designed a new NATO Bi-Strategic Command Capstone Concept, describing hybrid threats as threats emanating from an adversary who combines both conventional and  also unconventional - military methods to achieve its goals. Hybrid threats refer to ‘those posed by adversaries, with the ability to simultaneously employ conventional and non-conventional means adaptively in pursuit of their objectives’

Consequently NATO worked on a related global approach (Comprehensive Approach) in order to counter these risks. This approach envisaged involving State and non-State actors in a comprehensive defence strategy that combines political, diplomatic, economic, military technical and scientific initiatives. Despite intensive work on this approach as part of a "Countering Hybrid Threats " experiment in 2011 the NATO project work in 2012 had to stop due to lack of support from their members.

Given the Russian aggression in Ukraine since 2014, the question arises whether the cancelling of this project was not premature. Since 2014 NATO has recognised Russia’s action as constituting Hybrid Warfare and has begun to work on the Hybrid warfare project with the aim of determining whether this form of warfare requires a redefinition of Western military doctrine (as a new category in Full Spectrum Operations).  Whether the application of hybrid warfare by Russia will result in a return of the Cold War against the background of its Eastern European hegemonic ambitions, remains to be seen.[1]

Multi-dimensional warfare

Forms Hybrid Warfare Could Take

There are many forms a hybrid attack might take, such as those mentioned below:

• Cyber Attack on

    Military command and control

    Air traffic control systems

    Hospital power supplies

    Electricity Grid

    Water supplies

    Nuclear power (Stuxnet attack)

    Satellite communications

    Internet

    Banking System

    Dams/Water Supply and other Eco threats – deforestation (Agent Orange)

• Foreign investors gaining a controlling interest in essential services, such as energy supplies, water supplies, airports, sea ports;
• Electronic Warfare
• Espionage and Surveillance
• Propaganda/Misinformation/Psy Ops
• Use of Special Forces  - “Little Green Men” – denial of existence – Crimea/Donetsk (Ukraine)
• Migration
• State-to-state aggression behind the mantle of a "humanitarian intervention"
• Terrorism.

Some of these hybrid methods are examined in more detail, together with an assessment of the threat level.

How Russia has used hybrid:

In a Keynote speech at the opening of the NATO Transformation Seminar on 25 March 2015, NATO Secretary General Jens Stoltenberg remarked:

"Russia has used proxy soldiers, unmarked Special Forces, intimidation and propaganda, all to lay a thick fog of confusion; to obscure its true purpose in Ukraine; and to attempt deniability.  So NATO must be ready to deal with every aspect of this new reality from wherever it comes. And that means we must look closely at how we prepare for; deter; and if necessary defend against hybrid warfare.

[…]

Michael Kofman and Matthew Rojansky described Russia's 2010 Military Doctrine of modern warfare

"...... as entailing “the integrated  utilization of military force and forces and resources of a non-military character,” and, “the prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force and, subsequently, in the interest of shaping a favourable response from the world community to the utilization of military force."[2]

The employment of hybrid methods has been evident from Russia's activities in Crimea and the Donbas region of Ukraine, with its deployment of "little green men", namely, soldiers wearing unmarked uniforms that make direct state attribution difficult. According to Mark Galeotti, Professor of Global Affairs at New York University’s Center for Global Affairs, 

"The conflict in Ukraine has demonstrated that Moscow, in a bid to square its regional ambitions with its sharply limited resources, has assiduously and effectively developed a new style of ‘guerrilla geopolitics’ which leverages its capacity for misdirection, bluff, intelligence operations, and targeted violence to maximise its opportunities."[3]

While there may be limitations to the way in which these methods were used in Ukraine, the use of unattributable military personnel provides expert assistance to an enemy and, even if not directly engaged in hostile acts, provides advice and assistance to those who carry out such acts. Nevertheless, the seriousness of the threat posed by such forces should not be under-estimated. General Breedlove, currently Commander, US EUCOM and the Supreme Allied Commander Europe (SACEUR), is reported as saying, "if Russia does what it did in Crimea to a NATO state, it would be considered an act of war against the alliance."[4]

In Ukraine, Russia employed a hybrid strategy by combining irregular warfare and cyber warfare to achieve its strategic objectives. Reuben F Johnson, writing in IHS Jane's Defence Weekly, on 26 February 2015, considered that "Russia's hybrid war in Ukraine 'is working'." They had combined a substantial ground force of 14,400 Russian troops supported by tanks and armoured fighting vehicles, backing up the 29,300 illegally armed formations of separatists in eastern Ukraine. In addition, they used electronic warfare (EW) and

"what appear to be high-power microwave (HPM) systems to jam not only the communications and reconnaissance assets of the Ukrainian armed forces but to also disable the surveillance unmanned aerial vehicles (UAVs) operated by ceasefire monitoring teams from the Organisation for Security and Co-operation in Europe (OSCE). Russian EW teams have targeted the Schiebel Camcopter UAVs operated by the monitors and 'melted the onboard electronics so that drones just fly around uncontrolled in circles before they crash to the ground'.

Russian EW, communications and other units central to their military operations are typically placed adjacent to kindergartens, hospitals or apartment buildings so that Ukrainian units are unable to launch any strikes against them without causing unacceptable and horrific collateral casualties."[5]

These EW activities probably amount to a use of force constituting an armed attack. As such, an international armed conflict would exist. Consequently, positioning such equipment close to civilians and civilian objects is a breach of the laws of armed conflict, in particular articles 51(7) and 58 of API,[6] which prohibits the presence or movements of the civilian population or individual civilians in order to render certain points or areas immune from military operations (use of human shields).

The commentary to article 58 points out that this extends to the need for care in particular during the conflict to avoid placing troops, equipment or transports in densely populated areas.

Cyber Attack

Cyber Attacks which resemble examples of the fifth dimension of warfare, refers to a sustained campaign of concerted cyber operations against the IT infrastructure of the targeted state, including and leading to mass web destruction, spam and malware infection.[7]

The almost ubiquitous access to the internet and the interconnectivity of critical systems, makes this form of hybrid warfare a serious and very real threat. The effectiveness of cyber attack was graphically demonstrated by the sophisticated STUXNET virus attack on the Iranian nuclear plants. STUXNET was described as

"[o]ne of the most sophisticated pieces of malware ever detected [and] was probably targeting "high value" infrastructure in Iran... It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units". [8]

STUXNET has also been described as “the world’s first digital weapon".[9] This cyber attack was also a clear demonstration of the difficulty of attribution. While there were suspicions about which nations in the world possessed the technical competence to develop and insinuate such a worm, there was insufficient proof. The virus consisted of a "500-kilobyte computer worm that infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. Although a computer virus relies on an unwitting victim to install it, a worm spreads on its own, often over a computer network."[10]

Lawfare as part of Hybrid Warfare - Legal Action Against the Armed Forces

Lawfare is using law as a weapon with a goal of manipulating the law by changing legal paradigms. [11]  Lawfare can be defined “[as] the strategy of using - or misusing - law as a substitute for traditional military means to achieve an operational objective.” [12]  In the case of the current situation in Russia and Ukraine, lawfare has its roots in an undefined situation, i.e., the lack of definition of the conflict - international armed conflict, non-international armed conflict, or civil unrest. This ambiguous situation creates patent confusion as to the source or paradigm of applicable law and any eventual action to identify and assign legal responsibilities and demand accountability. The aim is to deny the existence of the roots, causes and realities of the Russian operations in Crimea and Eastern Ukraine; this deniability of reality in fact does gives the Western nations the possibility to avoid taking responsibility by deferring a decision on the grounds that the situation in Eastern Ukraine was not independently verified; that no Russian direct involvement was evident etc.. . This deniability (often supported by acts of misinformation), the lack of definition of the conflict, or civil unrest make it hard to qualify the nature of the conflict and with it to agree on the appropriate course of action in response.

The current volume of claims against the MoD flowing out of UK military involvement in operations in Iraq and Afghanistan, alleging breaches of human rights by members of the armed forces, is classic lawfare. The expense and volume of claims has the ability to

1. Portray our servicemen and women in an adverse light, lowering them in the esteem of the public. This could have an impact upon recruiting – who would want to join an organisation that disrespects human rights?
2. Adversely affect the operational effectiveness of the military by leaving few options open (Serdar Mohammed).[13]
3. Have a wider negative propaganda effect outside of the UK, again impacting the UK's reputation;
4. Tie up the Ministry of Defence for months and even years, responding to legal claims ;
5. Impact adversely morale in the armed forces with the concern that every aspect of a serviceman's conduct will be open to scrutiny. This is believed may cause them to hesitate to act when decisive action is required; [14] 
6. Effect the slow drip of operational modus operandi and intelligence into the public arena, by which an enemy understands restrictions/limitations placed upon the force, which it can then exploit;
7. Damage the "control Principle" by which classified intelligence is imparted to our security services by an "owner" nation to assist with our national security  (Binyam Mohammed[15]) on a confidential non-disclosure basis.

The process of lawfare has been described as " legal mission creep" abetted by  "significant judicial figures" who "give little or  no hint of any pull back by the Bench from the 'judicialisation of war'." 

The legal implications of the Russian military and multi-dimensional warfare

General

Any response to a hybrid threat will, perforce, depend upon the type and severity of it. Overtly hostile acts, such as the deployment of special forces on UK territory, would entitle a kinetic response by NATO. However, falling short of such overtly hostile acts, our options are regulated by both domestic law, for acts committed within this country, and/or international law, for acts committed on our forces or our interests abroad.

International Law

As a member of NATO, any attack upon the United Kingdom would invoke Article 5 of the NATO Treaty.[16]  Importantly, for the purpose of Article 6, an armed attack on one or more of the Parties is deemed to include an armed attack on the territory of any of the Parties and on the forces, vessels, or aircraft of any of the Parties. Unfortunately, the term "armed attack" is not defined. But it was considered in the case of Nicaragua v. United States (1987)[17] when it was stated:

195.              There appears now to be general agreement on the nature of the acts which can be treated as constituting armed attacks. In particular, it may be considered  to  be agreed that an armed  attack must  be understood  as including not merely action by regular armed forces  across an international border, but  also "the  sending  by or on behalf of a State of armed bands,  groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to" (inter alia) an actual  armed  attack  conducted by regular  forces, "or its  substantial involvement therein". […]

In the view of the Court, this is to be understood as meaning not merely action by regular armed forces across an international border, but also the sending by a State of armed bands on to the territory of another State, if such an operation, because of its scale and effects, would have been classified as an armed attack had it been carried out by regular armed forces. The Court quoted the definition of aggression annexed to General Assembly resolution 3314 (XXIX)[18] as expressing customary law in this respect.

The court also considered that providing weapons or logistical or other support falls within "armed attack" and such support may be regarded as a threat or use of force.

The Nicaragua judgment sets out very helpful guidance on the definition of "armed attack" and "aggression". So how does this translate to acts which are less easy to identify as a use of force, such as cyber attacks? It is suggested that disruption of a military national defence facility could easily cross the threshold where, for example, those systems were disabled. But, an attack disabling the banking system, while disruptive, may not.

Under international law, a nation is entitled to use force in three situations:

1. When it is authorised by the United Nations Security Council, pursuant to article 2(4)[19] & (7)[20] of the UN Charter;
2. In self defence of itself, under article 51[21] of the UN Charter; and
3. In response to the lawful request by the government of an ally for assistance, or collective self defence (as per the NATO Treaty) also under article 51 (and a matter of customary law).

Whether any form of hybrid attack, alone or cumulatively, amounts to a use of force and, if so, reaches the threshold of an "armed attack" to justify a military response under art 51 - and what form that response would take - are very difficult questions to answer. They are situation/fact specific. Moreover, attribution may be problematic. Devastating cyber infiltration can be achieved by a single operator who would be difficult to track and even more difficult to lay attribution to any particular state.  In relation to the STUXNET worm, attribution has been elusive. [22]

The Tallinn Manual discusses the legal framework applicable to cyber warfare and, in particular, what constitutes a use of force (rule 11),  what constitutes a threat of force (rule 12),  the permissible responses (rules 13-15), based upon article 51 of the UN Charter, and the applicability of the law of armed conflict (Part II).

A cyber operation constitutes a use of force when its scale and effect are comparable to non-cyber operations rising to the level of a use of force including, for example, acts of the intelligence services, under the principles of state responsibility and attribution.[23]  A fortiori, if conduct is directed or controlled by a State.[24]  However, according to the commentary to rule 11 of Tallinn (use of force),

"non-destructive cyber psychological operations intended solely to undermine confidence in a government or economy do not qualify as uses of force."  (Ibid, § 3)

Moreover,

"merely funding a hacktivist group conducting cyber operations as part of an insurgency would not be a use of force"

The authors consider that, under the principles of the Nicaragua case,

"providing an organised group with malware and the training necessary to use it to carry out cyber attacks against another state "  (Ibid, § 4)

would constitute a use of force.

In considering  whether an act constitutes a 'use of force' and amounts to an 'armed attack' the authors determined that the Nicaragua judgment set out the applicable criteria. (Ibid, § 6).

Tallinn acknowledges that  the question of what actions short of an armed attack constitute a use of force is still unresolved (ibid §8).  Where the harm caused is significant (rule 13), then there is clearly an armed attack. This is, however, still an evolving area of law and it is difficult to assess what a given nation would regard as 'significant' for the purposes of such a classification.

Domestic Law Options

Operations by our police, intelligence and security services are subject, inter alia, to the legal constraints of the Regulation of Investigatory Powers Act 2000 and the Acquisition and Disclosure of Communications Data: Code of Practice) Order 2015, the Security Service Act 1989, as amended by the Intelligence Services Act 1994, and copious anti terror primary and subordinate legislation.  These provisions ensure that security measures are constrained by law and, in particular, post-98, are compliant with the Human Rights Act 1998. Section 7 of the 1994 Act (the "James Bond" provision), coupled with immunities under the Vienna Convention, provides exemption from liability for any act committed

"outside the British Islands...which is authorised to be done by virtue of an authorisation given by the Secretary of State under this section".

Electronic Communications Act 2000, as they relate, inter alia, to Cryptography, Public key cryptography, encryption  and electronic signatures, which are important for electronic transactions. The act provides for the legal recognition of electronic signatures and the process under which they are verified, generated or communicated.

Diplomatic Privileges Act 1964 (applying the Vienna Convention to domestic law) and granting immunity to diplomats from criminal jurisdiction, under article 31. Any member of a diplomatic mission may be expelled by the receiving state, without explanation, and declared persona non grata (article 9).

Diplomatic and Consular Premises Act 1987, regulating embassy property.

Consular Relations Act 1968 (applying the Vienna Convention on Consular Relations 1963) which provides no immunity from prosecution for a "grave crime", ie one where on conviction of a first offence the punishment is 5 years or more imprisonment (section 1(2)). Moreover, privileges and immunities can be withdrawn under section 2, by Order in Council.

5 February 2016