June 24, 2018

After Crimea: The Future of Nordic Defence Cooperation

20/06/2018 Håkon Lunde Saxi Defense


This article was originally published by the Norwegian Institute of International Affairs (NUPI) in 2018.

Nordic Defence Cooperation (NORDEFCO) was originally about cost-effectiveness. The Nordic states sought to work together when training and educating their soldiers, procuring new equipment, and logistically supporting their forces. Faced with a relatively benign security situation at home, with Russia regarded in principle as a partner, operational military cooperation was primarily about expeditionary operations far from northern Europe. Even if NORDEFCO never became the beacon of Nordic cooperation that some political speeches sought to paint it as, it nonetheless provided the Nordics with a flexible and non-bureaucratic framework through which various forms of defence cooperation could be pursued.

Russia’s annexation of Crimea in March 2014, and the subsequent deterioration of Western-Russian relations, changed this. NORDEFCO today is much more about meeting pressing security challenges in the Nordic region. This policy brief explores the potential for further Nordic cooperation. What are the opportunities and constraints? The study is primarily based on seven recent interviews with civilian and military officials,1 as well as discussions with independent security scholars, from all the Nordic countries except Iceland.2

NORDEFCO before Crimea

In December 2009, the Nordic defence ministers established NORDEFCO as a cooperative structure by merging three existing Nordic frameworks for military cooperation. Its primary raison d’être was to ‘produce national military capabilities in a more cost-efficient way by means of multinational cooperation’.3 The framework was to complement cooperation in NATO and the EU.

NORDEFCO was the culmination of a process that began in 2007 with the publication of the Norwegian-Swedish ‘feasibility study’,4 and continued in 2008 with the Norwegian-Swedish-Finnish ‘progress report’.5 The underlying assumption in these reports was that these small countries were no longer able to sustain complete and balanced armed forces on their own. The solution was to procure the same materiel and trim down each country’s national base, support, and logistical structures in favour of more integrated solutions. Norway, Sweden, and Finland now aimed to cooperate closely on education and training, exercises, research and development, procurement of equipment, and participation in international operations.6 This was considered ‘a challenging approach’, demanding compromises and trade-offs, but it was argued that this was the only way to maintain ‘relevant and sustainable defence forces’.7

The approach proved even more difficult than anticipated, especially with regard to joint procurement. The Nordic countries made failed attempts to acquire a number of important equipment systems jointly. When Norway cancelled its order for the Swedish-Norwegian Archer artillery system in December 2013 – citing delays and technical dissatisfaction with the system – it arguably marked the end of the ambition of establishing similarly equipped and tightly integrated Nordic forces.8

NORDEFCO after Crimea: ‘A new normality’

All the Nordic states have today come to regard Russia’s revisionist challenge to the post-Cold War status quo as the greatest challenge to their security. The Nordic states generally perceive their security to have deteriorated mainly, but not exclusively, due to Russia’s illegal annexation of Crimea, military intervention in eastern Ukraine, and increasingly aggressive military behaviour.9 In a joint op-ed published in 2015, the Norwegian, Swedish, Danish, and Finnish ministers of defence and the Icelandic foreign minister argued that after Crimea it was ‘no longer business as usual’. The Nordic countries were now faced with ‘a new normality’.10 The ministers argued that their countries should meet this situation with solidarity and enhanced cooperation in order to improve their security, complementing NATO and the EU. They specified that they should work towards being ‘able to act together in a crisis’.11 Since then, Russian military activity in the Nordic-Baltic region has continued on a high level: Unannounced snap exercises, deployment of new weapons systems, and simulated air attacks all have contributed to a shared concern for Nordic security and stability.

Main driver of cooperation: The new security situation

It is today a shared opinion among Nordic security practitioners that the new security situation faced by the Nordic states is – and should be – a key driver for contemporary Nordic defence cooperation.12 Since 2014, the Nordic states have undertaken several new initiatives to address this deteriorated security situation.

NORDEFCO has become an important forum for high-level intra-Nordic security policy dialogue on these developments.13 The Nordic states have also taken steps to exchange information regarding emergency planning and readiness.14 In June 2016, secure communications via telephone, video telephone, and computers were established between the Nordic defence ministries and armed forces headquarters.15 These secure lines of communication allow for more frequent and inexpensive day-to-day dialogue. They could also prove valuable in managing a fast-moving politico-military crisis in the Nordic region. In October 2017, NORDEFCO for the first time organised a table top exercise involving senior military and defence ministry officials, providing an informal setting for discussing simulated scenarios in the Nordic region. The aim was to strengthen NORDEFCO as ‘a forum for consultations and sharing situational awareness, also in a time of crisis’.16

Relations with the US: The pull of the West

Nordic officials stress the importance of strengthening transatlantic ties to meet the new security situation. This applies equally for militarily non-aligned Sweden and Finland and for NATO members Norway and Denmark.17 Nordic cooperation is not perceived in any country as a viable security policy alternative in and of itself, but only as a supplement to NATO, the EU, and strong ties with the US. This has made Nordic cooperation easier. Nordic cooperation can no longer be construed as neutralist, and it serves de facto as another vehicle for tying the militarily non-aligned countries closer to the US and NATO.

In practical terms, institutionally, this means having Sweden and Finland sign host nation support agreements with NATO and join the enhanced opportunities partnership of the Alliance. It also means contributing Swedish and Finnish troops to the NATO Response Force (NRF) and the UK-led Joint Expeditionary Force (JEF). This in turn aligns the Nordic states more closely, since Norway and Denmark already participate in these formats.

Strengthening transatlantic ties also means increasing US involvement in Nordic exercises. For example, the Norwegian-, Swedish-, and Finnish-led Arctic Challenge Exercise (ACE), which is now one of the largest air exercises in Europe – in 2017 it involved more than 1,000 personnel and 100 aircraft – has seen a marked increase in US and Western participation.18 Recent major national exercises, such as Norway’s Cold Response and Sweden’s Exercise Aurora 17, have also seen large-scale participation not only from the Nordic states but also from the US and a number of European NATO states.

Nordic officials generally express satisfaction with training and exercises as something which both works well and which should be developed further. If they disagree on anything with regard to the US, it is perhaps the extent to which the ‘Nordic family’ should strive to act as a unified bloc and speak with one voice vis-à-vis Washington. While most agree that greater unity would give more presence and influence, the low-key ‘beauty contest’ to be Washington’s number one Nordic ally or partner makes this difficult.

Enduring security policy differences: Limits on cooperation

Many of NORDEFCO’s landmark agreements, such as the exchange of air surveillance data (NORECAS) and the easy access agreement, remain limited to peacetime. This limits their value for enhancing Nordic security.19 Nearly all Nordic officials interviewed expressed a strong desire to see the NORECAS agreement extended to apply in times of crisis and even wartime. However, Swedish and Finnish military non-alignment, and the Norwegian preference for formal treaty-enshrined guarantees, have thus far made this difficult.20 Sweden and Finland have found it somewhat easier to deepen their bilateral cooperation ‘beyond peacetime conditions’.21

The alternate landing base agreement is a similar case in point. By 2017 all the Nordic states had signed the agreement, allowing unarmed aircraft to use each other’s air bases, for example in case of poor weather conditions. There are currently ongoing discussions to extend the agreement to include armed aircraft,22 and there is a strong willingness among officials to explore the prospects for extending it into crisis and war. This would potentially generate important operational benefits, but could become politically challenging, particularly for non-aligned Sweden and Finland, since Norwegian and Danish Quick Reaction Alert aircraft are directed by NATO headquarters as part of Alliance air policing.

The Nordic states struggle with fear of entrapment and abandonment.23 On the one hand, the Nordic NATO states worry about making themselves dependent upon these arrangements, only to see radar screens go dark and landing rights be withdrawn in a crisis. Conversely, Sweden and Finland worry about losing their national freedom of action to – at least theoretically – keep out of a conflict.24 By nevertheless establishing these arrangements in peacetime, the Nordic states aim to reap at least some benefits, build trust and familiarity, and slowly work towards extending them beyond peacetime in the future.

Failed driver of cooperation: Defence economics

Nordic officials unanimously expressed disappointment and regret with regard to the poor state of cooperation on the joint acquisition of materiel and the joint development of military capabilities. When NORDEFCO was established, ‘significant savings’ were expected to be generated as a result of bilateral, trilateral, and Nordic procurement projects and joint capability development.25 However, many of these projects either did not materialise or resulted in failures.26 Norwegian-Swedish joint projects proved particularly challenging, resulting in some hurt feelings on both sides.27 To date, the only successful Nordic armament project to emerge is an agreement to procure a Nordic Combat Uniform.

There are many reasons for the failed procurement processes. Some are legal-bureaucratic: the Nordic countries often have different procedures and requirements in terms of public tenders, transparency, risk management, repurchase agreements, etc. Furthermore, the organisations involved are not necessarily equivalent in terms of competencies, and decision-making processes may be more cumbersome in some countries than in others. On the other end of the spectrum are the political obstacles: strategic questions related to a potential preference for trade with NATO allies vs. a preference to support national industries. Taken together, these challenges have often proved insurmountable. Increased defence industrial cooperation within the EU, including the Permanent Structured Cooperation (PESCO), could prove a new challenge for non-EU member Norway’s cooperation with Sweden and Finland.

NORDEFCO’s present structure is a legacy from its inception at a time when the ambition was ‘system similarity’ by way of joint development, acquisition, logistics, and training.28 Some Nordic officials have suggested revising NORDEFCO’s structure to better reflect present day realities. The cooperation area (COPA) of ‘armaments’ could, for example, be discontinued or amalgamated with that of ‘capabilities’, thereby uncluttering and streamlining NORDEFCO. However, most argue that the present structure – and the COPAs – has established its own traditions and cultures and produces some value, that revising the structure would cost resources, and that discontinuing or amalgamating COPAs would result in little savings. However, all agree that joint procurement is not easy and that this area of cooperation has not progressed as desired.

Conclusions and recommendations

Nordic defence cooperation is today increasingly about cooperating in the Nordic region in peacetime, crisis, and war. Although NORDEFCO’s structure was designed in a different time, it is sufficiently agile that there is little desire to alter it. More use of secure videoconferencing (VTC) between the capitals could facilitate more seamless ‘out of cycle’ decision-making in NORDEFCO and advance the dialogue on security policy even further. Building on the successful scenario-driven table top exercise – which should be repeated – VTC could also be utilised by defence ministries and the operational headquarters to practice dealing with politico-military incidents in the Nordic-Baltic region. Routines for political and military consultations and information exchange could be established.

The Nordic countries should continue working to extend many of the agreements and arrangements that now only apply in peacetime into times of crisis and war. There is a strong will among Nordic officials to move in this direction. Swedish and Finnish membership in NATO, unlikely in the short term, would make this considerably easier. These countries could then take part in planning and preparations for Alliance collective defence. Opportunities for new agreements that improve cooperation in times of crisis in other areas, for example on military or civilian security of supply, should be explored and pursued.

Involving the US as well as other key countries – especially the UK and Germany – more in Nordic-Baltic security is a shared objective for all the Nordic states. These countries are therefore regularly invited to take part in Nordic military exercises. As far as it is practically possible, the Nordic countries should consider also involving these key countries in policy dialogue and table top exercises.

There is no desire for a standing NORDEFCO secretariat, which would potentially be costly, but the present model of rotational chairmanship suffers from limited institutional memory. Establishing a shared secure cloud storage for unclassified documents – a ‘Nordic Drop Box’ – could be one technical solution to improve matters.

Today’s Nordic Defence Cooperation is driven by a shared understanding of the increasing regional security challenges, a shared interest in jointly meeting them, and a shared recognition that the Nordic format can only complement cooperation in NATO and the EU and with the US. There is also a sense of community and closeness among the Nordic countries, and there is broad political and popular support for more Nordic cooperation. Security and defence cooperation is limited, however, by a factor unlikely to disappear tomorrow, namely these countries’ continuing security policy differences (NATO membership or military non-alignment).


1) Between 15 February and 22 March 2018, a total of seven interviews with 11 military and civilian officials were conducted in Stockholm, Helsinki, Copenhagen and Oslo. Interviewees were drawn from the Swedish Ministry of Defence, Swedish Armed Forces Headquarters, Finnish Ministry of Defence, Danish Ministry of Defence, the Norwegian Defence Staff and the Norwegian Ministry of Defence.

2) Uniquely among the Nordic countries – and in NATO – Iceland has no armed forces. Iceland therefore only participates in the political but not the military parts of NORDEFCO.

3) Arne Røksund, ‘A word from the MCC chairman’, in NORDEFCO Military Level Annual Report 2010, ed. NORDEFCO (Oslo: Norwegian Armed Forces, 2011): 4.

4) Norwegian and Swedish Chiefs of Defence, Ömsesidgt förstärkande försvarslösningar: Norsk-svensk studie av möjligheterna till fördjupat samarbete [Mutual reinforcing defence solutions: A Norwegian-Swedish study of the possibilities for strengthened co-operation] (Oslo and Stockholm: Norwegian and Swedish Armed Forces, 2007).

5) NORDSUP, Nordic Supportive Defence Structures (NORDSUP) – Progress Report (Oslo: Norwegian MoD, 2008).

6) Denmark, which did not share this view, stayed aloof. Håkon Lunde Saxi, Nordic Defence Cooperation after the Cold War, Oslo Files on Defence and Security no. 1 (Oslo: Norwegian Institute for Defence Studies, March 2011): 55–57.

7) NORDSUP, Nordic Supportive Defence Structures (NORDSUP) – Progress Report: 2.

8) Håkon Lunde Saxi, ‘Hvordan revitalisere NORDEFCO? En statusrapport og noen konkrete tiltak for å styrke samarbeidet i hverdagen’, in Nordisk Forsvarssamarbejde 2016: Vilkår og muligheder, ed. Mikkel Storm Jensen (København: Forsvarsakademiet, 2016).

9) On the last point, see Thomas Frear, Łukasz Kulesa, and Ian Kearns, Dangerous Brinkmanship: Close Military Encounters Between Russia and the West in 2014 (London: European Leadership Network, November 2014). https://www.europeanleadershipnetwork.org/wp-content/uploads/2017/10/Dangerous-Brinkmanship.pdf

10) Ine Eriksen Søreide et al., ‘Vi må forholde oss til Russlands handlemåte, ikke Kremls retorikk’ [We must deal with Russia’s way of acting, not the Kremlin’s rhetoric], Aftenposten Morgen, 10 April 2015.

11) Ibid.

12) All civilian and military officials interviewed stressed the new security situation as the key driver for contemporary Nordic military cooperation.

13) NORDEFCO, Annual Report 2014 (Oslo: The Norwegian chairmanship of NORDEFCO, February 2015): 7.

14) Annual Report 2015 (Stockholm: Swedish Ministry of Defence, January 2016): 7, 28.

15) Annual Report 2016 (Copenhagen: Danish Ministry of Defence, 2017): 10.

16) Annual Report 2017 (Helsinki: Finnish Ministry of Defence, 2018): 8. Emphasis added.

17) After joining the EU in 1995 Sweden and Finland utilised the term ‘military non-alignment’ in place of ‘neutrality’. Since 2007 Finland has ceased to use the term, stating only that Finland does not belong to any military alliance. Mats Bergquist et al., The Effects of Finland’s Possible NATO Membership: An Assessment (Helsinki: Ministry for Foreign Affairs of Finland, 2016): 10, 45.

18) NORDEFCO, Annual Report 2017: 3, 6, 18.

19) Ibid., 3, 6–7.

20) See footnote 16.

21) Krister Bringéus, Säkerhet i ny tid: Betänkande av Utredningen om Sveriges försvars- och säkerhetspolitiska samarbeten [Security in a new era: Report by the Inquiry on Sweden’s International Defence and Security Cooperation], SOU 2016:57 (Stockholm: Swedish Ministry for Foreign Affairs, 2016): 14–15.

22) NORDEFCO, Annual Report 2016: 6, 10; Annual Report 2017: 7.

23) Glenn H. Snyder, ‘The Security Dilemma in Alliance Politics’, World Politics 36, no. 4, 1984.

24) On the Swedish, but also Finnish, domestic (strategic) debate for continued military non-alignment, see Dalsjö, Trapped in the Twilight Zone. Sweden between neutrality and NATO (2017); Swedish studies have concluded that it is unlikely that Sweden could stay out of a NATO-Russian conflict. See Bringéus, Säkerhet i ny tid: Betänkande av Utredningen om Sveriges försvars- och säkerhetspolitiska samarbeten [Security in a new era: Report by the Inquiry on Sweden’s International Defence and Security Cooperation]: 13.

25) NORDEFCO, Annual Report 2010 (Oslo: Norwegian Armed Forces, February 2011): 4, 12.

26) Saxi, ‘Hvordan revitalisere NORDEFCO? En statusrapport og noen konkrete tiltak for å styrke samarbeidet i hverdagen’: 62–75.

27) Karsten Friis and Maren Garberg Bredesen, Swedish–Norwegian Defence Cooperation: New opportunities?, NUPI Policy Brief 7/2017 (Oslo: Norwegian Institute of International Affairs, 2017): 2; Norwegian-Finnish defence industrial relations have proven more successful.

28) The term ‘system similarity’ was used frequently in NORDEFCO’s ambitious early years, but is today no longer to be found in NORDEFCO’s annual reports and is seldom mentioned by Nordic officials.


Bergquist, Mats, François Heisbourg, René Nyberg, and Teija Tiilikainen. The Effects of Finland’s Possible NATO Membership: An Assessment. Helsinki: Ministry for Foreign Affairs of Finland, 2016.

Bringéus, Krister. Säkerhet i ny tid: Betänkande av Utredningen om Sveriges försvars- och säkerhetspolitiska samarbeten [Security in a new era: Report by the Inquiry on Sweden’s International Defence and Security Cooperation]. SOU 2016:57. Stockholm: Swedish Ministry for Foreign Affairs, 2016.

Frear, Thomas, Łukasz Kulesa, and Ian Kearns. Dangerous Brinkmanship: Close Military Encounters Between Russia and the West in 2014. London: European Leadership Network, November 2014.

Friis, Karsten, and Maren Garberg Bredesen. ‘Swedish–Norwegian Defence Cooperation: New opportunities?’ In NUPI Policy Brief. Oslo: Norwegian Institute of International Affairs, 2017.

NORDEFCO. Annual Report 2010. Oslo: Norwegian Armed Forces, February 2011.

———. Annual Report 2014. Oslo: The Norwegian chairmanship of NORDEFCO, February 2015.

———. Annual Report 2015. Stockholm: Swedish Ministry of Defence, January 2016.

———. Annual Report 2016. Copenhagen: Danish Ministry of Defence, 2017.

———. Annual Report 2017. Helsinki: Finnish Ministry of Defence, 2018.

NORDSUP. Nordic Supportive Defence Structures (NORDSUP) – Progress Report. Oslo: Norwegian MoD, 2008.

Norwegian and Swedish Chiefs of Defence. Ömsesidgt förstärkande försvarslösningar: Norsk-svensk studie av möjligheterna till fördjupat samarbete [Mutual reinforcing defence solutions: A Norwegian-Swedish study of the possibilities for strengthened co-operation]. Oslo and Stockholm: Norwegian and Swedish Armed Forces, 2007.

Røksund, Arne. ‘A word from the MCC chairman’. In NORDEFCO Military Level Annual Report 2010, edited by NORDEFCO. Oslo: Norwegian Armed Forces, 2011.

Saxi, Håkon Lunde. ‘Hvordan revitalisere NORDEFCO? En statusrapport og noen konkrete tiltak for å styrke samarbeidet i hverdagen’. In Nordisk Forsvarssamarbejde 2016: Vilkår og muligheder, edited by Mikkel Storm Jensen. København: Forsvarsakademiet, 2016.

———. Nordic Defence Cooperation after the Cold War. Oslo Files on Defence and Security no. 1. Oslo: Norwegian Institute for Defence Studies, March 2011.

Snyder, Glenn H. ‘The Security Dilemma in Alliance Politics’. World Politics 36, no. 4 (1984): 461–495.

Søreide, Ine Eriksen, Nicolai Wammen, Carl Haglund, Gunnar Bragi Sveinsson, and Peter Hultqvist. ‘Vi må forholde oss til Russlands handlemåte, ikke Kremls retorikk’ [We must deal with Russia’s way of acting, not the Kremlin’s rhetoric]. Aftenposten Morgen, 10 April 2015.

About the Authors

Håkon Lunde Saxi is Senior Fellow at the Norwegian Institute for Defence Studies (IFS) in Oslo.

Karsten Friis is Head of the Research group for security and defence at the Norwegian Institute of International Affairs (NUPI) in Oslo.

Contextualizing Cyber Operations

22 Jun 2018

By Robert Dewar for Center for Security Studies (CSS)

For Robert Dewar, there is something missing from many recent political and academic analyses of cyber operations. Such studies may address the ‘who’, ‘what’ and ‘how’ of cyber operations. However, they pay much less attention to the ‘when’ question, referring to the context of the incidents in which cyber operations are deployed. In response, Dewar here reviews a series of high-profile cyber incidents to help answer this overlooked question. In doing so, he also identifies five distinct socio-political and geopolitical contexts in which cyber operations regularly occur.

This article was originally published by the Center for Security Studies (CSS) in June 2018.

Executive Summary

Political and academic analyses of cyber operations provide extensive data on the actors conducting them, the tools they deploy and the methods or vectors they use to achieve their goals. These three aspects constitute the “who”, “what” and “how” of cyber operations. Less attention is paid to the socio- and geopolitical contexts in which cyber operations occur – the “when” aspect. By examining a series of well-publicized cyber incidents, as well as drawing on current cyber security and defense policy and academic literature, this Trend Analysis provides a contextualization of some of the most high-profile incidences of the use of cyber operations. It is important to note, however, that this Trend Analysis does not address cyber-crime. Instead, the focus is on cyber operations in international relations.

The analysis identified five distinct socio- and geopolitical contexts in which cyber operations regularly occur. These are: open international conflict; civil war; political tension; economic tension and strategic rivalry. In international conflicts cyber operations occur as part of military campaigns, deployed as governments and commanders see fit in order to achieve tactical or military strategic objectives. In civil wars, such as that occurring at the time of writing in Syria, cyber operations including disinformation campaigns, hacktivism and recruitment have been undertaken by both sides in order to further wider social and political goals. In situations of interstate political tension, such as that observed between Russia and Estonia in the early 2000s, cyber operations can be used in attempts to destabilize one or other of the states involved. This was the case with the distributed denial of service (DDoS) operations experienced by Estonia in 2007. Cyber operations in the context of economic tension have been found to include state-sponsored or supported cyber-crime activities, such as the theft of money or information from central banks, a feature of (alleged) North Korean cyber operations. The analysis found that operations occurring in the contexts of political and economic tension generally take place where there is an asymmetry between the states involved. The final context identified shows that cyber operations occur in situations of strategic rivalry, where the states involved share relative political, economic and military parity and conduct cyber espionage or target government networks. The cyber operations occurring between the US and China serve as examples of this. Within these five distinct contexts, actors of all persuasions and motivations utilize any and all cyber tools at their disposal to achieve their ends, taking advantage of any weaknesses or vectors of attack that they can find.

In addition to identifying these five contexts, two important trends were identified during the analysis. The first addresses a temporal aspect of the “when” question – at what point in a conflict or rivalry do cyber operations take place? It was found that such operations do not occur at a critical juncture in a given sociopolitical context. For example, an international conflict does not have to reach a certain point before cyber operations are deployed. Rather, there is a continuous undercurrent of activity in cyberspace between the actors involved, much of which is low level.

The second trend identified is that there are very few large-scale cyber incidents taking place. This finding runs counter to much of the rhetoric emanating from the media and policy publications about the imminent outbreak of a cyber war or cyber Pearl Harbor. While major and destructive incidents do occur – such as Estonia 2007 or the deployment of Stuxnet – operations of this scale are relatively rare. A degree of strategic restraint is therefore advisable and possible on the part of the victim given the constant level of activity occurring in the background.

The exercise of identifying and codifying these five contexts, and placing them alongside the actors, tools and vectors utilized in cyber operations, is beneficial to academics and policy-makers because it provides a clearer picture of when and how cyber incidents occur: what are the possible combinations of actors, tools and vectors, and in what contexts do these combinations occur? What this codification does not do, however, is provide a typology of cyber incidents, or facilitate the prediction of when cyber operations are likely to occur. The almost continuous use of such operations makes predicting their use in any given context difficult if not impossible. No two cyber operations are the same and competent actors will utilize whatever tools and vectors get the job done. What this Trend Analysis does do, however, is highlight the need for holistic, resilience-based cyber security and cyber defense policies in order to address the multiple combinations of contexts, actors, tools and vectors that are possible.


The data for this Trend Analysis was drawn from available open-source material, which is of great value but is also problematic. Many incidents, both in the private and public sector, go unreported due either to their classified targets or to fear of reputational damage. As a result, building a complete data set of international incidents is challenging. The incidents catalogued here are already in the public domain and are well documented in cyber security and defense literature. Extensive use was made of empirical Hotspot Analyses produced by the Center for Security Studies. As a result, the data set presented here is representative rather than complete, but nevertheless comprehensive enough to draw the conclusions presented in the Trend Analysis.

1 Introduction

In 1993 Arquilla and Ronfeldt (1993) proclaimed that cyberwar was coming, a statement which has become a popular refrain among military strategists and government policy-makers. The prophesied cyberwar did not appear, however, and the debate is still ongoing as to whether such a situation will occur (Junio, 2013; Rid, 2012; Stone, 2013). From an academic perspective this debate is far from settled. However, the empirical reality facing policy-makers and legislators is that cyberspace is being considered as an operational arena. It is being used for strategic, tactical and political ends. Weaponized software such as viruses, worms and specially written pieces of code (Dewar, 2017) are being deployed with increasing frequency and increasing effectiveness.

It is therefore becoming commonplace for international and regional conflicts, political and economic tensions or strategic rivalries to include a digital or cyber component. These cyber operations have a number of important characteristics: they demonstrate ever-increasing technical capabilities on the part of the actors who use them; the technological sophistication of the tools themselves is becoming more and more advanced; and the number of actors who have access and recourse to those tools is also growing. Furthermore, as shown by the deployment of Stuxnet in 2010, cyber operations have evolved to the point where their deployment can have physically destructive consequences. As a result, there is a growing body of evidence pointing to the effective use of cybertools and cyberweapons by technologically advanced state and non-state actors and to the growing use of automated systems such as botnets to perpetrate large-scale digital disruption (Dewar, 2017; Goldman, 2012; Patterson, 2017; Rowe, 2012). Targets for such operations range from national critical infrastructures such as energy and communications networks to the hearts and minds of opponents through sophisticated cyber-influence campaigns. Recent studies analyzing the increasing numbers of cyber-competent actors, the increasing technical sophistication of malicious digital tools they are using and the vectors they exploit – the “who”, “what” and “how” of cyber operations – have shown that they are increasing in number and complexity. There has been a quantitative and qualitative growth in the numbers of attackers (who), the use of machine learning to perpetrate attacks (what) and the number of failures and systemic weaknesses that they can exploit (how).

What is absent from much of this commentary, particularly in the policy-development sphere, is a contextualization of the incidents in which cyber-operations occur: in what geo- or socio-political circumstances are cyber operations taking place? Are they stand-alone events or are they one part of a larger, ongoing conflict or incidence of strategic rivalry? Are they internal to a particular state or region – such as in a civil war – or are cyber operations being deployed in international conflicts between sovereign states? This is the "when" question – when do cyber operations occur?

The goal of this Trend Analysis is to supplement the “who”, “what” and “how” of cyber operations by answering this "when" question, providing the geo- and socio-political context in which cyber-operations occur. The examination of data gathered using a series of high-profile case studies, relevant academic literature, policy analyses and private sector reports demonstrates that cyber operations occur within five socio-political contexts:

Established international conflict;
Internal civil war;
Political tension between states;
Economic tension between states;
As a feature of wider strategic rivalry.

The Trend Analysis also examines another, temporal, aspect to this "when" question: at what point in any of these particular contexts do cyber operations occur? Do actors begin using cybertools at the commencement of, for example, a civil war or tension due to economic competition, or are they used as tools once a conflict or strategic rivalry becomes established? In seeking to answer this question the Trend Analysis identified two trends. The first is that there is an ever-present undercurrent of small-scale, low-level cyber operations occurring at all points in a given socio-political context. There is no critical point in a conflict or civil war at which cyber operations begin to be used by one or both sides. Instead, all sides deploy their full range of cyber capabilities, be that influence operations such as fake news or election manipulation or larger scale, more destructive acts such as those targeting critical national infrastructure.

The second trend is that there are very few major cyber incidents. For the purposes of this Trend Analysis a “major cyber incident” is one which could be classified as an armed attack under international law. According to the Tallinn Manual, in order to meet this qualification, the cyber operation or tool used must have the same destructive capability or effect as a conventional, kinetic operation (Schmitt, 2013). Very few of the incidences examined in this Trend Analysis meet this criterion. This demonstrates the trend for the constant undercurrent of cyber operations to be one of low-level, almost background operations.

The trends identified in the contextualization of cyber operations have important consequences for the development of defense and security policy. It makes predicting or prognosticating on the likely point at which cyber operations will occur almost impossible. If such operations are conducted at any and all points in a conflict or rivalry, then it is not possible to identify markers or signs pointing to an imminent cyber operation. The anonymizing effects of the cyber domain and the speed at which cyber capabilities can be deployed further complicate this predictive activity. Nevertheless, the findings set out in this Trend Analysis should facilitate policy decisions regarding resource allocation and management as well as the development of resilient infrastructures.

The Trend Analysis will proceed as follows. The following section will briefly set out which actors, techniques and vectors are most commonly identified in cyber operations; this will establish the "who", "what" and "how" of such operations. The third section will focus on a number of important events in the historiography of cyber conflict. This examination will show that these events can be divided into the five socio- and geo-political contexts of open international conflict, internal civil war, political and economic tension and strategic rivalry. Throughout this analytical section, extensive use will be made of specialized, empirical Hotspot Analyses produced by the Center for Security Studies. The fourth section of the Trend Analysis will set out the two important trends discernible in this analysis and contextualization, while the fifth and final section will provide conclusions of use to practitioners and policy-makers.

2 Actors, Technologies and Vectors: the “who”, “what” and “how” of cyber operations

Due to the ubiquitous nature of the Internet and the ease with which information and tools can be shared, the number of actors involved in malicious cyber incidents is increasing year on year. Not only are criminal actors increasing in number, but so too are incidents alleging state involvement. There are two sides to such involvement. On the one hand, state actors such as security agencies and military personnel are engaging in cyber operations. This was the case in such incidents as the deployment of Stuxnet in 2010 and the ongoing Sino-American rivalry (Baezner and Robin, 2017a). In both of these contexts, government agencies are conducting cyber operations either to hinder rival activities (Stuxnet) or to gain a strategic or competitive advantage over their rivals (the Sino-American situation). On the other hand, non-state actors are increasingly being identified engaging in activities designed to have an effect at the national, state level. Analyses of the Syrian conflict, elections in European Union Member States between 2015 and 2017 and the conflict between Russia and Ukraine have shown that non-state actors supporting one or other side in a conflict have the capability and willingness to engage in sophisticated cyber campaigns with national consequences.

The increasing number of actors and level of resources at the state level are also translating into an increase in the sophistication of the tools and techniques being deployed. The digital payloads of cyberweapons have increased to the point where such devices can cause physical damage (Dewar, 2017). This was the case in 2010 when the aforementioned Stuxnet worm caused Iranian nuclear enrichment centrifuges to spin out of alignment and be damaged beyond repair. While the attack vector was alleged to have been “low tech” – an infected USB stick was used to cross the air gap in the enrichment facility’s computer network – Stuxnet’s payload demonstrated that the technological sophistication of cyberweapons has crossed from the digital to the real world, with real world applications. During the Russo-Georgian conflict of 2008, Georgian government and military communications were targeted as part of the Russian military’s offensives, with the intention of disrupting the enemy’s capacity to co-ordinate and respond effectively to a ground assault.

Not only are such tools having real-world effects, the technology has progressed to the point where effective attacks are being undertaken at the national level using automated systems. In 2007 Estonia suffered a series of sustained distributed denial of service (DDoS) attacks. According to Gaycken (2011, p. 110), these attacks were conducted using networks of infected computers – botnets – to flood Estonian servers with requests for information. These large botnets were able to sustain the DDoS requests for a period of several weeks through extensive use of automation.

There is evidence, however, of both state and non-state actors becoming involved in activities that are normally non-state, i.e. commercial, in character. Recent analyses of North Korean, Chinese and American cyber operations highlight not just routine or commonly expected intelligence-gathering activities, but also point to increasing evidence of industrial or corporate espionage. State security and military agencies are deploying tools to enable a country to gain an edge in an increasingly competitive global economy. This shows that the gap between malicious state and corporate activities is closing and beginning to cross over. This has implications not only for securing digital assets against concerted attempts at intrusion but also for legislators and policy-makers, who will need to develop legal and policy responses to state institutions engaging in corporate and/or commercial malicious activities.

Despite the increasing complexity of the relationships between state and non-state actors, the activities in which they engage and the increasing sophistication of the tools they are deploying, the vectors used by malicious actors to effect these operations center on exploiting systemic weaknesses in network architectures and digital systems. Hack records – lists of known and identified software vulnerabilities – can be found online. These are exploited due to the time delay between identifying the vulnerability, software developers issuing a corrective patch and end-users installing the patch. Zero-day exploits – where the vulnerability is unknown to developers and users – also remain a popular entry point for cyber operations (Ablon and Bogart, 2017). Such software vulnerabilities are not the only vectors for successful malicious cyber operations, however. Large-scale data thefts, such as the theft of 3 million user accounts from the PlayStation network in 2011, can be used to extract security information for further thefts or identity breaches. Cyber sabotage operations, such as the ransomware NotPetya (Henley and Solon, 2017), can also be conducted to hinder or prevent the use of networked systems, causing large-scale disruption.

The most popular vector for malicious intrusions remains, however, the human factor. Successful phishing campaigns, insecure passwords, oversharing of personal information on social media and the use of USB memory sticks remain popular methods for inserting malware into secure networks (as was the case with Stuxnet) or extracting personal, proprietary or classified data.

The examination of the technology used by actors undertaking cyber operations and the vectors used to deploy those tools also points to some areas where current vulnerabilities are being identified but could increase in the future. As more and more everyday devices are being connected to the Internet, the absence of a systemic security architecture and infrastructure in the emergent Internet of Things (IoT) makes this phenomenon an attractive target, particularly for criminal activity. Incidents such as TRITON, where a Trojan horse was used to install malware in Schneider industrial control software used in critical infrastructures (Hay Newman, 2018; Johnson et al., 2017), demonstrate that the wired world may be moving from a position of hyper connectivity to one of hyper vulnerability. The drive to connect critical national infrastructures such as utilities and transport to the Internet could serve to increase the vulnerability of those critical assets.

This examination shows that the range and interrelation of actors, technologies and vectors is both large and complex. The main issues are summarized in Table 1 below. There are two features of this tabulation which are immediately clear. The first is that a typology or correlation between actors, technologies and vectors is not possible to produce. Particular actors do not employ particular tools in a particular manner. Malicious actors develop bespoke solutions for their activities, seeking to use the tool and vector best suited to their specific needs. This will make predicting the precise combination of actors, tools and vectors challenging for defenders. The second feature highlighted by this tabulation is that there is very little contextualization in academic or policy analyses of when such tools and vectors are utilized. This raises the question: in which socio- or geo-political contexts do cyber operations and incidents take place? In short, we know the “who”, “what” and “how”, but not the “when”.

Table 1: Summary of Actors, Technologies and Vectors of Cyber Operations


3 Providing context: When do cyber operations occur?

One of the most significant contexts in which cyber operations occur is criminal activity. The Hackmageddon aggregator1 posts data on a full range of incidents and, statistically speaking, the vast majority of intrusions, extractions and deployments of malware occur with the object of criminal gain. However, a sizeable minority of incidents occur with socio- or geopolitical objectives. This section of the Trend Analysis will explore and set out these non-criminal contexts.

Three of the cyber incidents with the highest profile and greatest impact in the historiography of cyber security and cyber conflict occurred within a span of only three years. These were the Estonian DDoS intrusions of 2007, the use of cyber operations in combat during the Russo-Georgian conflict of 2008 and the discovery of the Stuxnet worm and its effects in 2010. While these incidents raised the profile of cyber operations in the public and political consciousness and raised the bar for the impact of malicious cyber activities, these incidents also provided non-anecdotal evidence of state involvement and activities in cyber conflicts.

These incidents also shared one important feature: they were not isolated or standalone events. Each of the three incidents occurred within or as part of a specific, ongoing geopolitical context. The DDoS attacks on Estonia in 2007 were part of an escalation in political tension between Estonia and Russia. This tension reached a diplomatic zenith with the decision of the Tallinn city council to move a Soviet war memorial from the center of that city to its outskirts. This decision sparked an angry response from Russians living in Estonia and from the Russian government.

In 2008 Russia and Georgia were engaged in a military conflict over the disputed region of South Ossetia. The use of cyber operations in this conflict is well documented. Of interest is the fact that these operations were put to direct strategic use. They were designed to weaken the Georgian government and military’s resolve and ability to communicate just prior to a Russian conventional campaign. In this sense cyber operations were used in much the same way as an artillery bombardment prior to an infantry maneuver. The context here is that cyber operations were used as part of a state military’s arsenal during an open international conflict.

Finally, the Stuxnet worm was deployed to halt or at least hinder the Iranian nuclear weapons program. Although it was not part of an existent international conflict, as was the case in Georgia, the Stuxnet deployment was part of ongoing political tension between the US and Iran.

The point here is that these three incidents occurred within two types of recognizable and identifiable geopolitical context. The Georgian incident occurred within the context of an open international conflict, while the DDoS attacks on Estonia and the deployment of Stuxnet occurred within the context not of conflict but high political tension. This implies that cyber incidents, at least those which do not have criminal gain as their objectives, do not occur in a vacuum. They are not isolated, standalone events but are part of a longer, larger chronology or context. By analyzing the events and political landscapes surrounding the various events outlined in Sections 1 and 2 of this Trend Analysis, it is possible to identify a total of five distinct socio- and geopolitical contexts.

3.1 Context 1: Open International Conflict

This is perhaps the least surprising socio- or geopolitical context in which to find instances of cyber operations. Governments and militaries have always used the latest tools, techniques and capabilities to gain a tactical or strategic advantage over an adversary in a military conflict. In 2008 Russia and Georgia engaged in such a military conflict. As part of their military campaign, Russian forces targeted Georgian communications networks in order to restrict that state’s ability to use the Internet, both to coordinate its forces and to communicate with the international community (Hagen, 2013, p. 196). The vectors and techniques involved included DDoS attacks and website defacement, techniques similar to those deployed against Estonia a year earlier. By 2008, however, these techniques were more robust and sophisticated, indicating a degree of maturation. Of particular note is that the cyber component of Russian operations took place a matter of weeks before land and air assaults (Joyner, 2012, p. 161).

Another international conflict in which cyber operations played a prominent role was that between Russia and Ukraine which began in earnest in 2013. Both sides in the conflict deployed cyber tools and undertook cyber operations (Baezner and Robin, 2017b). DDoS campaigns, patriotic hacking and the propagation of malware were undertaken by both pro-Russian and pro-Ukrainian actors.

Setting aside the fact that Russia appears as an actor in both instances, and also setting aside the fact that state authorization or involvement in these operations cannot be definitively or categorically proven due to the attribution problem, cyber operations are being routinely used in interstate conflicts, and used to good effect. However, the conflicts in which cyber operations take place need not be inter-state. As evidenced by the large-scale use of hacking tools, data breaches and website defacement in the Syrian conflict, cyber operations are also a significant component of intra-state civil wars.

3.2 Context 2: Civil War

The ongoing conflict in Syria provides an example of an internal, civil conflict which combines both conventional, kinetic hostilities between the actors involved and extensive use of cyber operations. The conflict itself arose as one of a series of violent and non-violent anti-government actions in the Middle East between 2010 and 2012, known collectively as the Arab Spring. In the Syrian situation, the Arab Spring manifested itself as a series of protests against the government of Bashar al-Assad which escalated into a full-scale civil war between numerous anti-government actors and the Syrian military loyal to Assad. The cyber component of this internal conflict consisted of social media propaganda campaigns, website defacements and limited cyberespionage activities (Baezner and Robin, 2017c, p. 6).

While cyber activities were conducted by both sides in the conflict, the majority of operations were conducted by pro-regime actors such as the Syrian Electronic Army. The Syrian government itself carried out the interception of email communications and on at least two occasions shut down the Internet itself in Syria. Nevertheless, anti-government actors such as the Free Syrian Army and Hackers of the Syrian Revolution were able to utilize online capabilities to infiltrate government communications networks, to promote their respective causes, to publish details of alleged government atrocities and to recruit (Baezner and Robin, 2017c, p. 11).

Two aspects of the Syrian conflict are of particular note. First, while the kinetic aspect of this context was largely contained within Syria’s borders2, the cyber component of this conflict spilled over to have effects outside the country. Not only did this involve internal actors targeting external entities such as media outlets unsympathetic to one side in the conflict or the other, it also included external actors such as US citizens targeting pro-regime networks to render cyber aid to the insurgents (Baezner and Robin, 2017c; Grohe, 2015). Cyber operations have therefore become an important feature of the Syrian civil war, and it is not unreasonable to assume that such activities will be a key facet of other such internal conflicts should they occur in the future.

The second aspect of note is that cyber operations were used throughout the conflict, and are still being employed by both sides. The fighting did not reach a certain point or critical mass after which the use of cyber tools became a viable option. Almost from the commencement of the Arab Spring, cyber tools and operations were used by all sides to gain followers, spread dis- or misinformation or attempt to gain tactical advantages over adversaries.

Cyber operations are not only being conducted as part of physical, kinetic conflicts, however. Although the Estonian DDoS attacks of 2007 were described in some circles as an act of state-on-state aggression, armed conflict between Russia (the alleged perpetrator) and Estonia did not occur. Although relations between these two countries at the time could not have been described as warm, there was no open military conflict. There was, however, a situation of severe political tension.

3.3 Context 3: Political tension

As discussed above, the background to the DDoS attacks on Estonia in 2007 was grounded in a cooling of relations between that country and Russia which reached a low-point following the city of Tallinn’s decision to move a Soviet-era memorial to the Second World War. The ensuing weeks of DDoS attacks on Estonian government and banking systems were and are still seen as the first incidence of state-on-state cyber-attacks in the public domain. While this cannot be categorically verified3, the key point here is that, despite the hostile political relationship between the two states, the cyber activities were not part of, or a precursor to, any kind of conventional warfare such as the use of ground troops or airborne assaults, as would be the case a year later in Georgia. The cyber operations were, however, part of a continuous state of distrust, suspicion and diplomatic tension on the parts of these two states. Relations have waxed and waned since Estonian independence from the USSR, but the underlying political tension has not improved.

The same can be said of the USA’s relationship with Russia. Since 2008 allegations have ping-ponged back and forth regarding state or state-sanctioned cyber operations on both sides of the Atlantic. These operations and allegations reached a high point during the 2016 US elections, when allegations were made of Russian interference in that election with the goal of encouraging a victory for Donald Trump. Investigations into these allegations are still continuing, but the point here is that the simmering undercurrent of political tension, distrust and malicious cyber activity has continued but not escalated to the point of kinetic conflict.

Those cyber operations occurring in the context of political tension need not be limited to hacktivism or political interference, but can have concrete effects. Such an example is the political context in which the Stuxnet worm was deployed. In 2002 President George W. Bush declared Iran to be part of an “axis of evil” alongside North Korea and Iraq. Since that time, concerns were raised in the international community when the Iranian government confirmed that it was enriching uranium at Natanz for civilian purposes. Such an activity is one of the initial steps towards developing nuclear weapons. The international community, led by the US, sought to pressure Iran into abandoning its nuclear program. This political context led to the development of alternative measures to halt or hinder that program. In 2010 the Stuxnet worm was found to have infected a large number of devices world-wide, but 60% of these were located in Iran (Baezner and Robin, 2017d), and the majority of those locations were in supervisory control and data acquisition (SCADA) systems associated with nuclear enrichment centrifuges. It is noteworthy that one of the most sophisticated cyber operations, one which involved a cyberweapon causing physical damage, was not deployed as part of an open international conflict but in the context of political tension. In this context, cyber operations need not therefore be restricted to propaganda and influence campaigns or espionage. They can include actions which have kinetic, real world, destructive consequences.

Tension between states is not restricted to political interaction, however. It occasionally manifests itself in commercial and industrial competition, i.e. as economic tension. This is the fourth geo-political context in which cyber operations take place.

3.4 Context 4: Economic Tension

Competition for resources and markets for trade has been a feature of international conflict and diplomatic tension for centuries. In the 21st century such economic considerations are becoming more complex due to the highly interrelated and interdependent nature of globalized commerce. Ideologically opposing states nevertheless trade openly with each other.

However, the ubiquitous nature of the Internet and online commercial activity means that inter-state economic tensions are also manifesting as (alleged) direct theft of resources, not just the acquisition of proprietary data. This is particularly the case where there is a distinct asymmetry in political, economic or military capabilities and capacities. The relations between the US and the Democratic People’s Republic of Korea (DPRK) serve as an example of this. Despite the DPRK government’s rhetoric, it is fair to assume that US political, economic and military capabilities far exceed those of North Korea. Nevertheless, there is a concerted cyber campaign being conducted by DPRK agents. A forthcoming study of DPRK cyber operations has identified a number of campaigns designed to achieve direct, discreet thefts of funds from national central banks (Baezner and Robin, In Press, p. 11). Hacker groups with alleged links to the North Korean government conducted a number of spear-phishing attacks targeting financial institutions with the objective of long-term infiltration, not just one-off “heists”.

Such activities are difficult to corroborate or confirm with information in the public domain. What can be confirmed is the monetary impact of such economic tension, particularly in the case of alleged Chinese activities against the US. Although figures for Chinese financial losses due to cyber industrial espionage are difficult to acquire, a US Intellectual Property Commission report estimated the US and Western losses to be around $300bn per year (Kihara, 2014). It should be pointed out, however, that this figure includes losses attributed to cybercrime, a phenomenon deliberately omitted from this Trend Analysis. Nevertheless, the nature of the economic tension between these and other important commercial states is such that the line between state-sponsored cyber espionage targeting foreign industries and criminal activity is becoming increasingly blurred thanks to the anonymizing effect of cyberspace. While it is fair to say that competition for resources and markets is manifesting itself in cyber operations, it remains to be seen whether such economic tension will escalate. Thus far, in the economic context, the incidents and incidences of cyber operations have remained an action apart from activities which could have political or military ramifications.

3.5 Context 5: Strategic Rivalry

The final context in which cyber operations are frequently observed, and have an effect, is strategic rivalry between major international powers. Strategic rivalry differs from political and economic tension in that the latter is symptomatic of asymmetric interstate relationships. Rivalry by contrast emerges where there is a level of parity between the states in either the political, economic or military spheres. It involves states with similar levels of international influence and similar capacities for exercising that influence. A rivalry is described by Vasquez (1993) as:

“A relationship characterized by extreme competition, and usually psychological hostility, in which the issue positions of contenders are governed primarily by their attitude towards each other”.

This means that, while not engaging in military hostilities, relations between rival states remain cold with a number of actions carried out by both sides as they jockey for position in a given situation. The relations between China and the US provide an effective example of such strategic rivalry. Both states have a degree of parity in political, economic and military capabilities and power. They are the two largest economies in the world, both have large military resources and both are recognized nuclear powers. While not engaged in direct military action against one another, both states are targeting the same developing markets in South and South-East Asia and Africa (Reynolds, 2015).

In terms of cyber operations Baezner and Robin (2017a) describe the relationship between China and the US, for example, as one replete with diplomatic spats, proxy confrontations, antagonistic messages and tit-for-tat acts of malicious cyber activity. Such activity in cyberspace has been in existence at least since the initiation of China’s so-called “Great Firewall” in 1996 (Brown and Yung, 2017). The cyber activities themselves involved primarily cyberespionage – including attempts to acquire or access classified files on government servers or the networks of government contractors – and instances of industrial espionage. What sets these activities apart from political or economic tensions is the nature of that which is being targeted and by whom. American technology and pharmaceutical companies are routinely being targeted by hackers with alleged connections to the Chinese state (Baezner and Robin, 2017a, p. 10). Other popular targets for such activities are Western aerospace companies, particularly those with government contracts. One example of alleged Chinese hacking and industrial espionage was the swift development of the J-20 stealth fighter jet for the Chinese air force. The US alleges that this was made possible only after a Chinese hacker obtained plans for the American air force’s F-22 and F-35 jets, enabling the Chinese military to produce their “version”, an allegation strongly denied by Beijing. Despite these denials, the targeting of American military contractors by agents conducting cyber operations raises these incidents above those found to be occurring in “simple” economic tension.

A final point to make is that, as with civil war and international conflict, cyber operations do not occur at any specific, predictable point in the chronology of a strategic rivalry. Such operations can be found throughout that chronology. Relations do not need to deteriorate to a specific level or experience a specific flashpoint for cyber operations to commence. There is instead an almost constant undercurrent of cyber activity occurring at all points in the rivalry.

Table 2: Actors, Technologies, Vectors and Geopolitical Contexts of Cyber Operations


3.6 Contextualizing Cyber Operations

Given the evidence for the existence of five distinct contexts in which cyber operations occur, the table produced for Section 2 of the Trend Analysis – the summation of actors, technologies and vectors – can be updated. Adding these contexts provides a more complete picture of the state of play of cyber operations (see Table 2 below).

It is tempting at this point to declare that a typology for cyber operations can be developed now that the four geopolitical contexts in which cyber operations are deployed and utilized have been explored and set alongside the actors, tools and vectors involved in the operations themselves. However, if the analysis of context, actors, technologies and vectors of cyber incidents and operations does nothing else, it shows that there is no standard pattern or combination of these four elements. While one incident occurring in the context of open international conflict may demonstrate an increased involvement of private, non-state actors using sophisticated AI technology to target critical infrastructure, another example occurring in the same context may have a completely different combination of actors, vectors and technologies. This exercise of contextualization cannot therefore be taken as predictive or as a means to prognosticate on the types of actors involved or the vectors expected to be utilized in any given context. The four columns in Table 2 below represent features common to all manner of cyber operations.

An important reason for this lack of consistency or standard pattern is the wide variation in the goals of the actors themselves. Within each geo- and sociopolitical context, there are numerous goals the actors seek to achieve, ranging from undermining trust in a national government in order to foment insurrection and regime change, to acquiring intelligence on an enemy state’s military capability. This range of goals has a direct impact on the tools and vectors chosen by those actors to achieve those goals. Actors choose specific tools – such as DDoS attacks or spear-phishing – to achieve specific outcomes within a particular context. The lack of a standard pattern of cyber operations within a context, coupled with the range of possible goals and motivations of the actors deploying those cyber operations, means that it is not possible to create a formal, working typology or predictive combination of these four elements. That being the case, however, there are two important trends which have been identified in this analysis.

4 Trends in the use of Cyber Operations

4.1 Trend 1: An almost constant undercurrent of cyber activity

As set out in Section 3 above, it is not possible to create a standard model or predictive typology for cyber incidents and operations. Actors – malicious or otherwise – use all technologies and vectors available to them to achieve their goals, no matter the context. That being said, there are two identifiable trends which arise from this analysis.

The first is that there is no tipping point in a given context when cyber operations begin to be used. A context such as an open international conflict or situation of economic tension does not need to reach a critical juncture in its chronology before one side or the other decides to use its cyber capabilities. Instead, the data shows that there is an almost perpetual undercurrent of cyber operations occurring continually throughout the timescape of a given context. This undercurrent can be seen in the extract from Baezner’s forthcoming synthesis of hotspot data provided in Appendix 1 (Baezner, In Press).

As Appendix 1 shows, in the 12 months between October 2014 and October 2015, 33 cyber incidents occurred across five specific historical examples representing instances of all five geopolitical contexts. The examples themselves were at various stages in their timescapes. Some had recently commenced (Ukraine), while others had been going on for some time or had settled into a pattern of retaliatory rivalry (US-Russia). There is no one event within a specific context which sparked the initiation of cyber operations. Instead, such operations were deployed almost immediately and continued to be used throughout the relationship between the actors. The only factor contributing to timing of any sort was an actor’s access to particular capabilities or resources. Such capabilities were widely accessible only from the mid-2000s.

Such a constant use of cyber capabilities in all contexts demonstrates that these capabilities are rarely, if ever, used in isolation. There is no event or context in which cyber capabilities were the only resource deployed. Rather, an actor deploys them as part of a full spectrum or arsenal of available tools. Similarly, there is no geopolitical context in which cyber operations are the only feature of actor interaction. Stuxnet is an example of this. The defining feature of the political tension between Iran and the USA (and arguably the rest of the world) over Iran’s nuclear program was the damage caused by a sophisticated piece of malware. Yet the situation of tension had been going on for years by 2010, the year Stuxnet was identified and publicized. By this point there had been discussions and debates at the United Nations and its Security Council, bilateral and multilateral attempts to stop the Iranian program, and several rounds of international sanctions. These tensions, however, reached a zenith (or nadir, depending on perspective) with the deployment of Stuxnet as a direct, active but plausibly deniable attempt to hinder Iran’s enrichment capabilities. Therefore, not only do cyber operations occur constantly in a particular context, but they occur rarely, if ever, in isolation.

4.2 Trend 2: There are very few large-scale cyber operations

The example of Stuxnet also highlights a feature of the second identifiable trend in the contextualization of cyber incidents and operations. Of the global events where cyber operations occurred, there are very few where the cyber component of the event constitutes a major incident. This Trend Analysis accepts the position of the Tallinn Manual, where, under international law, a cyber operation can rise to the level of an armed attack if the effects of the cyber operation, or the cyber component of an operation, are equivalent to those of a kinetic attack, i.e. the damage caused is the same as would have been caused were a conventional, physical attack undertaken. By way of example, Stuxnet, under international law, can be classified as an armed attack because physical damage occurred which could have been caused by kinetic weapons (Dewar, 2017, p. 6). If this not unreasonable metric is adopted and applied to the numerous cyber incidents which have occurred, then relatively few incidences of the use of cyber operations qualify as armed attacks, or “large scale incidents”.

There are two important points to make here. The first is that this confirms the first trend identified: the other incidences of cyber operations constitute an undercurrent of almost perpetual cyber activity, some of which is malicious. Second, none of those other incidents of cyber operations escalated into an armed attack. The incidences which were of a scale to qualify as armed attacks under international law were singular events. They may have been part of an escalation of a wider contextualized conflict, but the cyber component of that conflict did not gradually increase in complexity, number or severity. This is important because it provides evidence which runs counter to some of the arguments and positions of those proponents of an imminent cyber apocalypse or cyber Pearl Harbor. A great deal of hype surrounding the devastating effects of cyber operations has been and continues to be published (Hansen and Nissenbaum, 2009). Such fears and prognostications of doom have thus far not materialized. Furthermore, the evidence set out in this Trend Analysis shows that such an event is unlikely ever to materialize.

5 Conclusions

The analysis of important incidents in the historiography of cyber operations has enabled five broad socio- and geopolitical contexts to be identified. This provides insights into when cyber operations are used, not just how or by whom. It should come as no surprise that actors with increasing access to cyber capabilities should seek to deploy sophisticated technologies via a variety of vectors in the contexts of kinetic conflict such as interstate or civil war. Similarly, where states are engaged in rivalries, cyber operations are undertaken as part of intelligence-gathering campaigns. A legal grey area arises when such techniques are employed in the context of economic tension: industrial espionage is proscribed, yet recent events have alleged a certain level of state involvement in activities normally associated with crime. This is an issue of which policy-makers are, and should be, aware.

Another aspect of significance for policy-makers is one of timing. The analysis has found that there is no one specific point in a political tension, international conflict or strategic rivalry at which cyber operations commence. Instead there is an almost constant undercurrent or susurrus of activity in cyberspace, much of which is criminal in nature, but some of which may be carried out by malicious, or enemy, state actors. Policy-makers and those responsible for responding to cyber incidents should be aware of this undercurrent and not simply wait for a singular flashpoint triggering the commencement of cyber operations.

The aggregation of cyber operations into four distinct categories – contexts of occurrence, actors involved and their attributes, the technology employed and the vectors utilized – provides a useful summary and distillation of the key features of those operations, features to be expected in any given context. While a predictive typology has not proved feasible, having the core components of cyber incidents and operations clearly defined, and the contexts in which one would expect such operations to occur, can be of benefit to policy-makers and researchers wishing to identify important and relevant cyber security policy areas on which to focus their efforts. The research undertaken for this Trend Analysis may not provide a predictive framework, but should enable more effective and efficient resource management when attempting to develop policy and technical solutions. Particular attention should be paid to the context of economic tension. Given the fuzzy legal situation surrounding cyber operations in this context, precise solutions may be challenging from a diplomatic perspective, but maintaining a position of observation on emerging or ongoing tensions or strategic rivalries may increase preparedness and hence improve defense.

That being said, a measure of perspective and self-control should also be exercised. As stated above, this Trend Analysis found that there is an almost constant undercurrent of cyber operations and activity taking place in all four contexts where such activities are to be found. Maintaining a watchful eye on this undercurrent is therefore beneficial and to be advised, but knee-jerk responses and constant reaction to every identified threat or action should be avoided. Not all cyber activities are successful or effective, and policy decisions need to be made as to the best use of defensive resources, given that not all operations can be, or need to be, responded to directly. This strategic restraint is particularly important given the trend identified in Section 4.2, that very few cyber operations are of a scale or severity that warrants a national security or military response. Just as cyber operations come with a measure of plausible deniability on the part of the perpetrator, this deniability makes restraint a reasonable and acceptable response on the part of the victim.

The final takeaway from this research and contextualization is that no two cyber operations are the same. Such activities are defined by opportunism and the bespoke nature of the operation itself. Canny actors choose the best combinations of technology and vectors for a specific purpose in a specific operation regardless of the wider geopolitical context. This demonstrates a “whatever works” mentality which makes cyber operations challenging to defend against and even more challenging to predict. The tabulation provided here in Section 3.6 of context, actors, technologies and vectors – the “when”, “who”, “what” and “how” of cyber operations – is designed to facilitate preparedness and resilience on the part of those seeking to defend digital and real-world assets. To date this is still the optimum cyber defense posture.


1 www.hackmageddon.com

2 Setting aside the humanitarian and refugee crises which occurred in neighbouring countries such as Turkey.

3 Due to the attribution problem  

6 Appendix 1

Table representing the chronology of all the cyber-related events observed in five Hotspot Analysis reports. Taken from Baezner and Robin’s forthcoming Hotspot Synthesis


7 References

Ablon, L., Bogart, A., 2017. Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. Rand Corporation.

Arquilla, J., Ronfeldt, D., 1993. Cyberwar is coming! Comp. Strategy 12, 141–165. https://doi.org/10.1080/01495939308402915

Baezner, M., In Press. 2017: Cyber Conflicts in Perspective - Hotspot Synthesis.

Baezner, M., Robin, P., 2017a. Hotspot Analysis: Strategic stability between Great Powers: the Sino-American cyber Agreement.

Baezner, M., Robin, P., 2017b. Hotspot Analysis: Cyber and Information warfare in the Ukrainian conflict.

Baezner, M., Robin, P., 2017c. Hotspot Analysis: The use of cybertools in an internationalized civil war context: Cyber activities in the Syrian conflict.

Baezner, M., Robin, P., 2017d. Hotspot Analysis: Stuxnet.

Baezner, M., Robin, P., In Press. Hotspot Analysis: Cyber disruption and cybercrime: Democratic People’s Republic of Korea.

Brown, G., Yung, C.D., 2017. Evaluating the US-China Cybersecurity Agreement, Part 2: China’s Take on Cyberspace and Cybersecurity [WWW Document]. The Diplomat. URL http://thediplomat.com/2017/01/evaluating-the-us-china-cybersecurity-agreement-part-2-chinas-take-on-cyberspace-and-cybersecurity/ (accessed 7.10.17).

Dewar, R.S., 2017. Trend Analysis 2: Cyberweapons: Capability, Intent and Context in Cyberdefense.

Gaycken, S., 2011. Cyberwar: Das Internet als Kriegsschauplatz. Open Source Press, Munich, Germany.

Goldman, D., 2012. Gauss: State-sponsored cyberweapon targets bank accounts [WWW Document]. CNNMoney. URL http://money.cnn.com/2012/08/09/technology/gauss-cyberweapon-bank-accounts/index.html (accessed 4.19.17).

Grohe, E., 2015. The Cyber Dimensions of the Syrian Civil War: Implications for Future Conflict. Comp. Strategy 34, 133–148. https://doi.org/10.1080/01495933.2015.1017342

Hagen, A., 2013. The Russo-Georgian War 2008, in: Healey, J. (Ed.), A Fierce Domain: Conflict in Cyberspace 1986-2012. CCSA, USA, pp. 194–204.

Hansen, L., Nissenbaum, H., 2009. Digital Disaster, Cyber Security, and the Copenhagen School. Int. Stud. Q. 53, 1155–1175. https://doi.org/10.1111/j.1468-2478.2009.00572.x

Hay Newman, L., 2018. Menacing Malware Shows the Dangers of Industrial System Sabotage [WWW Document]. WIRED. URL https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/ (accessed 3.15.18).

Henley, J., Solon, O., 2017. “Petya” ransomware attack strikes companies across Europe and US [WWW Document]. the Guardian. URL http://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe (accessed 3.15.18).

Johnson, B., Caban, D., Krotofil, M., Scali, D., Brubaker, N., Glyer, C., 2017. Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure [WWW Document]. FireEye. URL https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html (accessed 3.15.18).

Joyner, J., 2012. Competing Transatlantic Visions of Cybersecurity, in: Reveron, D.S. (Ed.), Cyberspace and National Security: Threats, Opportunities, and Power in a Virtual World. Georgetown University Press, pp. 159–172.

Junio, T.J., 2013. How Probable is Cyber War? Bringing IR Theory Back In to the Cyber Conflict Debate. J. Strateg. Stud. 36, 125–133. https://doi.org/10.1080/01402390.2012.739561

Kihara, S., 2014. A rising China: Shifting the economic balance of power through cyberspace. Naval Postgraduate School, Monterey, CA, USA.

Patterson, D., 2017. Cyberweapons are now in play: From US sabotage of a North Korean missile test to hacked emergency sirens in Dallas [WWW Document]. TechRepublic. URL https://www.techrepublic.com/article/cyberweapons-are-now-in-play-from-us-sabotage-of-a-north-korean-missile-test-to-hacked-emergency/ (accessed 10.24.17).

Reynolds, B., 2015. The Economics of U.S.-China Rivalry [WWW Document]. URL https://www.chinausfocus.com/foreign-policy/the-economics-of-u-s-china-rivalry

Rid, T., 2012. Cyber War Will Not Take Place. J. Strateg. Stud. 35, 5–32.

Rowe, N.C., 2012. The ethics of cyberweapons in warfare. Ethical Impact Technol. Adv. Appl. Soc. 195.

Schmitt, M.N. (Ed.), 2013. Tallinn Manual on the International Law Applicable to Cyber Warfare. CUP.

Stone, J., 2013. Cyber War Will Take Place! J. Strateg. Stud. 36, 101–108. https://doi.org/10.1080/01402390.2012.730485

Vasquez, J., 1993. The War Puzzle. Cambridge University Press, Cambridge, UK.

About the Author

Dr Robert Dewar is a Senior Researcher in the Cyber Defense Team of the Center for Security Studies. Robert’s research interests cover cyber security and defense policy, security studies, the European Union and historical institutionalism.

Is the UN Security Council Losing Legitimacy?

22/06/2018 Anjali Kaushlesh Dayal 

Image courtesy of JD Lasica/Flickr. (CC BY 2.0)

This article was originally published by Political Violence @ a Glance on 7 June 2018.

The UN Security Council (UNSC) is at a precipice. The Trump administration’s recent announcement that the US would no longer abide by the Joint Comprehensive Plan of Action (JCPOA) – the multilateral agreement to restrict Iran’s ability to acquire and develop nuclear weapons – breaks both a UNSC agreement and UNSC procedure. Breaking the JCPOA has the potential to undermine the UNSC’s legitimacy and the important functions it serves; the value the permanent five members of the UNSC (P5) place on the UNSC as a deliberative, policy-producing body in international politics is unlikely to persist amidst repeated, major violations of UNSC agreements and procedures by the P5, with downstream consequences for a broad swathe of international peace and security outcomes.

The UNSC occupies a unique place in international politics and holds unparalleled legal authority. Charged with maintaining international peace and security, it is the sole international body that can authorize the use of international force and enact multilateral sanctions. Its P5 have the largest militaries in the world and can unilaterally veto any action; while they often have divergent interests and foreign policy objectives, they value the UNSC itself as a coordinating venue for resolving complicated multilateral problems, and for the status it accords them in international politics.

The JCPOA is a UNSC-backed agreement: it is not an arrangement between the US and Iran, but an agreement between Iran, the P5 (the US, the UK, Russia, China, and France), Germany, and the High Representative of the European Union (the E3/EU+3). The agreement passed into international law through UNSC Resolution 2231 (2015), which calls on all member states to support the deal’s implementation, and legally binds UN member states to arms and technology embargoes on Iran which mostly pre-date the JCPOA.

Compliance with UNSC resolutions is an obligation of UN member states—but absent an enforcement mechanism, compliance is ultimately voluntary. UNSC resolutions’ importance therefore rests on how important member states believe these resolutions are, and how much weight the P5 accord the body itself: seeking out the UNSC’s approval for actions, and then abiding by its resolutions, is a social norm that is instantiated, reinforced, and reproduced by repetition by powerful states.

Although news coverage of the UNSC frequently highlights disagreements among the P5, my research with Lise Morjé Howard reveals that agreement between the P5 has actually been the norm since the end of the Cold War, at least on peace operations. The UNSC has repeatedly agreed to authorize peace operations and to authorize peace operations to use force. Even amidst substantial disagreement on Ukraine and Syria between 2013 and 2016, for example, the P5 agreed to all proposed new peacekeeping force authorizations.

We argue that in reaching these peacekeeping agreements, the P5 privilege reaching an agreement over the content of the agreement, sometimes producing outcomes that are neither clearly in the interest of any P5 state nor appropriate to the conflict context. This, we argue, is the result of dynamics that reveal the importance the P5 have accorded the UNSC chamber. The P5 have collectively invested in maintaining their individual status vis-à-vis other states, which is enhanced by their permanent membership on the UNSC. Accordingly, they have an incentive to keep the locus of international decision-making on the use of force within UNSC chambers, to issue decisions on the use of force, and to invest the body with enough legitimacy to ensure other states believe the UNSC’s decisions ought to be obeyed.

Indeed, even in disagreement, the P5 have until recently adhered to UNSC procedures. For instance, despite their deadlock on the Syrian conflict, neither the US nor Russia sought to entirely bypass the UNSC in their decision processes. US military action against Syrian targets in April 2017 and April 2018, ostensibly as retaliation for the Assad regime’s use of chemical weapons against civilians, took place after extensive UNSC debate and amidst competing draft resolutions reflecting different ideological positions. These debates pitted norms about chemical weapons use against norms about UN authorization to use force, allowing the US – with support from the UK and France – to claim its actions affirmed one set of UN-supported norms while transgressing another. Indeed, going to the UNSC to request authorization to use force despite being able to act unilaterally accords the chamber importance.

Breaking the JCPOA abrogates a UNSC decision the US itself previously agreed to. The US already has a tool—the veto—allowing it to unilaterally block any resolutions. Transgressing regular UNSC practice to retroactively break an agreement it helped orchestrate calls into question future American compliance with any UNSC decision—which, in turn, may affect other states’ willingness to comply with UNSC decisions. If the UNSC’s legitimacy rests on powerful states according it importance, then breaking UNSC agreements erodes social norms of complying with UNSC resolutions and weakens the importance of the body itself.

The distrust with which key Trump administration officials view the UN is no secret—for them, weakening the UNSC may be a desirable side-effect of breaking with the JCPOA, one more blow to the multilateral structures they view as unacceptably constraining American power and interests. Indeed, the Trump administration has also heightened other areas of US disagreement with UN member states—the US decision to move its embassy to Jerusalem, for instance, also contravenes past UNSC resolutions; the US’s blocking of a UNSC investigation into the killing of Palestinian protestors in Gaza on the same day as the embassy move, and subsequent votes and vetoes on the issue, have also amplified the discord.

The UNSC is an unrepresentative, deeply flawed body that can produce suboptimal decisions—but it is also an important body that has fostered cooperation between superpowers. Forged out of the devastation of two world wars, the UNSC was designed to constrain, engage, and force into cooperation the great military powers of the day in the service of preventing another direct conflict between them. On that front, it has succeeded. A world without an authoritative UNSC is one in which collective responses to humanitarian and security crises will be less efficient, less likely, and less likely to be diplomatic. With powerful states unbound from even nominal fidelity to international norms of agreement and cooperation, it is also likely to be a more violent world.

About the Author

Anjali Kaushlesh Dayal is an assistant professor of international politics at Fordham University and a research fellow at Georgetown University’s Institute of Women, Peace, and Security.