The Grand (Binary) Chessboard: Security, Geopolitics and Geoeconomics in the Cyber-era
For each age that we think to define, there are words that describe the aspects or characteristics that are thought to define it best. The mid-twentieth century was known as the ‘Atomic Age’, when the results of research into nuclear physics were brought to the forefront with the detonation of nuclear bombs. Shortly thereafter, it was succeeded by the Space Age, with the drive to explore outer space and the competition between the world’s superpowers to develop technology to that end. Sometime in the 1970s, the Information Age is believed to have begun, sparked by the Digital Revolution, with information technology playing an increasingly greater role in human affairs on an ever-growing number of levels: the economy, society, culture, language and politics. Thus, geographic distance became less and less relevant in defining human interaction, and physical contact was no longer an imperative for relations between people.
Interestingly enough, this meant that the barriers between certain human phenomena were also diminished: access to a wide variety of information – news of events from faraway lands, different viewpoints and ideologies, a whole range of opinions being brought into direct contact with one another – all this meant that people could influence each other directly and indirectly from behind a computer screen without ever seeing each other face to face. Anonymity in its varying degrees somewhat accentuated this shift, offering people the chance to air their viewpoints without fear of reprisals and consequences, for better or worse. Speed became a matter of timing, and one of the many conveniences of online interaction.
The realm of cyberspace has thus become tightly entwined with human activity, influencing it while being defined by it, from online payments to online education, online support communities, e-governance and online public services, with libraries’ worth of books capable of being distilled on a flash drive. Cyberspace is the birthplace of many online communities with varying degrees of cohesion, numbering from hundreds to hundreds of thousands based not on nationality, but on commonly shared attributes or opinions giving them a sense of collective identity. It is another facet of the phenomenon of the rise of elective loyalties and affiliations, as opposed to inherited ones.
As human activity has come to rely ever more on software, digital technology and online media, a whole new dimension has also been added to human security, society, welfare and warfare. With new opportunities for growth and emancipation come new threats, to which responses need to be generated in an adequate framework of security. It is this that brings us to our enquiry: what does human security look like in the cyber-era, and what is its geopolitical and geoeconomic outreach?
The cyber prefix
The terms cyberwarfare, cybersecurity or cyberterrorism are relatively new additions to the dictionary, but one must be careful not to fall into the trap of believing that they are merely the transportation into cyberspace of the terms they derive from: warfare, security and terrorism. Such a view would at best be marginally true, leaving out much of that which individualises them as concepts. Specialists have offered varying definitions of the terms, some focusing on their digital nature, while others focus more on the methods involved, and others still highlight the contingency of other human activities upon information technology. For the purposes of this essay, cyberwarfare may be defined as carrying out hostilities by use of information technology, selecting targets that are critically contingent upon IT; cyberterrorism can be defined as any action meant to cause harm to the population via subversive actions in cyberspace, to provoke terror and uncertainty and promote the attacker’s agenda. Finally, through cybersecurity we may understand all the measures and policies adopted in order to ensure the safety and integrity of critical digital assets and information systems.
Commonalities and differences
Better insights into their roles can be gleaned by comparing cybersecurity and cyberwarfare to traditional warfare and security. One important difference is that the former two are mostly confined to cyberspace, while the latter two deal with the three classical planes of interaction: air, land and sea, to which we may add space as well. That is not to say, however, that cyberspace and the other planes are completely separated; quite the contrary. A cyberattack may well cause debilitating material damage, e.g. disrupting a drone’s targeting system, which would render it highly unreliable and unpredictable when used in the field. Similarly, a cyberattack that causes a power outage in a wide area can lead to immense losses, both financial (e.g. financial institutions unable to operate) and human (e.g. traffic jams and accidents, hospitals during blackouts). Yet cyberspace is unique in that it is governed by its own laws and offers various advantages that can be exploited. For instance, it allows attackers to conceal their identities and their origins, rendering an attack difficult to trace to its source, thereby providing stealth to the perpetrators and plausible deniability to their backers; for that reason, it is difficult to ascertain whether a cyberattack can be classified as an act of state-on-state hostility, which makes cyberwarfare an extremely potent tool for sabotage and exploitation.
Furthermore, scale is a different matter altogether in cyberspace than it is in real space. The scale of an attack is not necessarily determined by its complexity or by the number of perpetrators involved, but by the system being targeted, the network to which it belongs, the other systems that depend on it and the number of people affected, meaning that a simple coding error can be exploited to devastating effect by one person.
Can cyberwarfare be used for geopolitical purposes? Several documented incidents demonstrate that cyberattacks can have strong geopolitical consequences. An important factor that differentiates cyberwarfare from traditional warfare is that a combatant’s offensive and defensive capabilities are not influenced by physical assets or geographic positions. Another difference is that, whereas, in traditional warfare, alliances are used as means to compensate for a country’s limited outreach, the concealment possibilities that cyberspace boasts lead to reliance on a much looser network of agents and partners in order to avoid exposing one’s involvement in a cyberattack. Apart from that, cyber-espionage can lead to dire security breaches and the leaking of sensitive intelligence of strategic importance when highly classified information systems are hacked.
One of the most prominent international incidents involving an attack upon an information network was the Stuxnet virus. Believed to have been jointly developed by Israel and the United States (both of which have denied all allegations), the virus targeted one of Iran’s main nuclear facilities in 2010. Such were the effects of the attack that it was estimated to have destroyed a few years’ worth of progress for Iran’s nuclear programme. Other pieces of malware that were involved in high-profile data thefts and information corruption were Agent.btz, which targeted classified US military intelligence documents, and Flame, which operated mostly in the Middle East, mainly Iran, and, due to its concealment as a Microsoft update, managed to spy on its targets for years before being revealed.
These three attacks show us the different potential uses of cyberattacks: to cripple a strategic asset of the target entity, in the case of Stuxnet, and to clandestinely retrieve highly sensitive information via cyber-espionage, in the cases of Flame and Agent.btz. In response to the damage caused by the latter, the United States created the US Cyber Command, a military unit dedicated to cyberwarfare, which was dubbed a Unified Combatant Command on August 17, 2017.
Subversion via cyberspace, however, need not involve thousands of lines of sophisticated code or clever exploitation of network security loopholes. In fact, it may rely on exploiting human nature and the role of online media as a source of information for many people. In short, propaganda and manipulation through disinformation can be carried out by using social media and social engineering, i.e. methods employed to influence the opinions and, consequently, behaviours of large groups of people. A very simple example is a piece of false or distorted information passed off as fact which is then propagated and shared via social networks by several individuals; the more people share it and endorse it, the more likely the next person is to accept it as fact without questioning its veracity. This effect is further reinforced when said disinformation is shared within a community of people that share certain common attributes and identities, where individuals are inclined to adhere to the majority viewpoint as a means of preserving membership of the group in question. Through social media and its role in informing people and building communities of like-minded people, the critical mass required for mobilising parts of society can be reached, as evidenced by the significance of social networks and digital technology in generating and animating the Arab Spring. Hacktivism, a portmanteau of activism and hacking, is the digital and, at times, more subversive version of activism, with activities ranging from anonymous, censorship-free communication platforms to proactive sabotage of security networks and information leaks for the sake of political or social goals. In this form, it may be likened to guerrilla warfare.
Perhaps the most significant instance of the geopolitical dimension of this social phenomenon was in late 2016, when Russia was accused by US authorities of having heavily interfered in the US elections via an influence campaign meant to bolster President-elect Donald Trump’s image and chances of winning while damaging the reputation of his opponent, Hillary Clinton. Despite Russia denying these accusations, the incident brings to light the potential of coordinated online propaganda campaigns to attain far-reaching geopolitical consequences. Yet another case where the use of social engineering resulted in geopolitical consequences is the extensive use of online media by the terrorist group known as the so-called Islamic State to promote itself, spread its ideology and recruit candidates, which led to many people leaving for Syria to join Islamic State fighters. The aggressive campaign carried out by the Islamic State in its initial raids and the countless terrorist attacks perpetrated in several countries on four different continents are unfortunate testaments to the effectiveness of this method.
Last but far from least, cyberattacks can be extremely crippling when directed towards the economy. The infamous WannaCry cyberattack in 2017 affected hundreds of thousands of people in four days. The software itself was a particular piece of malware known as ransomware, which encrypts the infected terminal’s files, rendering them completely inaccessible to the user, who is then prompted to pay the attackers a certain amount in exchange for regaining access to their files. The cyberattack took place on a global scale, covering 150 countries and resulting in damage of up to $4 billion. A similar virus, Petya, discovered in 2016, was involved in another global cyberattack, with affected targets including the radiation monitoring systems at the Chernobyl Power Plant and several Western corporations, interrupting businesses and even shutting down India’s largest container port – the Jawaharlal Nehru Port. CNET’s Alfred Ng named it “the most destructive cyberattack ever”.
When we speak of geoeconomic consequences, we need to take into account short-term and long-term consequences. Short-term effects typically include the immediate losses; depending on their scale and the efforts required to recoup these losses, they may translate into long-term consequences. In the long run, however, the strongest effects are on confidence, stability and reputation. Most developed economies rely heavily on integrating information technology in their economic activities; moreover, the quality of internet infrastructure and availability of IT assets are part of a country’s Competitiveness Index released by the World Economic Forum, so it follows naturally that they are also highly exposed to cybercrime. In a binary retelling of Bastiat’s broken window parable, cyberwarfare and cyberattacks fuel the growth of the IT security industry, which develops in response to an ever-growing palette of threats. The more an economy grows, the more it interacts with international partners and various state and non-state entities, thus the more it comes to rely on information technology to store, manipulate and exchange information, as well as carry out economic activities (financial transactions, invoices, client databases etc.), therefore the more it will depend on IT security to ensure its credibility towards its partners and the safety of its activities.
Cyberwarfare, cyberterrorism, cyberattacks, cybersecurity – all these are more than the trendiest words of the current era. They describe an extremely important part of the current geopolitical and geoeconomic arena. Information technology pervades human activity at all levels – social, cultural, political and economic. As information became an important geostrategic asset, part and parcel of the current world economy and even a commodity in its own right, its protection has become a necessity with important geopolitical and geoeconomic stakes. We can thus assert that ensuring cybersecurity is as important to today’s chessboard as ensuring safe trade routes, dominating geographic chokepoints or securing a militarily advantageous location used to be. Alongside Alfred T. Mahan’s sea power and Mackinder’s heartland-based theory of power, we can add cyberpower as a new form of power, with cyber defence and offence capabilities as new determinants of power.