The integration of cyber operations with kinetic warfare, including the alarming scope of cyberattacks on civilian and military targets since Russia’s full-scale invasion of Ukraine, represents the latest troubling development in armed conflict. While we cannot predict precisely how digital technologies may be weaponized in the future, the international community today faces an urgent, complex challenge: identifying how to bolster cyber defense strategies and best regulate and respond to cyber operations in the lead-up to or alongside military operations. This third installment from FP Analytics in the Digital Front Lines special report builds upon two earlier issue briefs, The Evolution of Cyber Operations in Armed Conflict and Cross-Cutting Responses to Strengthen Ukraine’s Digital Resilience, to explore a way forward.
This final issue brief brings a sharpened focus on matters that need to be addressed through multisector collaboration, including how cyber operations in contemporary armed conflicts are challenging rules of engagement and lessons that can be drawn from existing approaches to risk mitigation for dual-use technologies to help ensure international stability. Three key insights emerge from this analysis. First, cyberattacks on critical infrastructure not only threaten civilians’ safety but also impose significant socioeconomic costs and require greater public–private partnerships to deter reckless behavior online and uphold a rules-based international system. Second, it is critical to clarify how international law applies to cyber operations surrounding armed conflicts. Finally, coordinated and complementary action by governments, multilateral institutions, tech companies, academia, and civil society will be crucial to developing strategies for defending against the destructive impacts of hybrid warfare.
Protecting Civilians and Critical Infrastructure from Cyber Operations Through International Law
Both independently of and in combination with kinetic attacks, critical infrastructure has become a recurring target in hybrid warfare. The digitalization of operations systems has exposed new vulnerabilities while states have pursued disparate approaches to attribution and accountability in the aftermath of a cyberattack on critical infrastructure. Among cyberattacks carried out by state-affiliated actors globally, the share on critical infrastructure increased from 20 percent to 40 percent between 2021 and 2022. In 2022, for example, amid growing geopolitical tensions and proxy warfare, an Iran-linked group targeted the network of an Israeli logistics company, causing a system shutdown and disrupting the company’s supply chain operations. These types of attacks are unlikely to abate soon: The World Economic Forum’s Global Risks Report 2023 projects that cyberattacks on key sectors will only become more prevalent. And because critical infrastructure sectors are largely interdependent, an attack on a power grid, for example, can have magnifying effects, disrupting other vital sectors such as communications and health care. Such cyber operations heighten not only the risk to public safety but also the potential for kinetic retaliation or escalation of conflict amid worsening political tensions.
The widespread and complex impacts of hybrid warfare underscore the need to identify effective cybersecurity and deterrence strategies as well as defined pathways for legal recourse. To that end, encouraging progress is being made: In 2021, United Nations member states agreed to the principle that international humanitarian law is applicable to cyberattacks during armed conflict. Member states also adopted the norms recommended by an Open-ended Working Group reaffirming the need to safeguard critical infrastructure at all times, including peacetime, such as by improving the cybersecurity of infrastructure operating systems. There is much more to be done, particularly as chemical, biological, radiological, and nuclear materials and capabilities—as well as outer space assets—are increasingly managed and monitored digitally, heightening their vulnerability to cyberattack or cooptation.
A Cyberattack Could Cost Economies Billions
As the digitalization of jobs and services has increased, so has the world’s vulnerability to an attack that shuts down the internet.
Note: For the 2020 results, the authors utilized the NetBlocks Cost of Shutdown Tool (COST). COST provides rough estimates of the economic impacts of internet shutdowns, drawing on methodologies from both the Brookings Institution and CIPESA. The selected countries were based on available data from 2009 regarding internet contributions to their economies (McKinsey, 2011).
In situations of armed conflict, there is growing acceptance that state-affiliated cyber operations that cause physical damage could be classified as “armed attacks” under international law. Such “armed attacks” would then be covered by the same established international legal regime that regulates kinetic operations, like missile strikes. Despite this emerging consensus, the nature of cyberspace can blur the distinction between civilian and military targets and complicate the protection of civilians from attacks by warring parties, which is enshrined in international humanitarian law (IHL). Much of the infrastructure of the internet, for example, serves both civilian and military users and is a key site of economic activity. Unless IHL on this point is clarified, attacks on civil–military infrastructure could be deemed justified by some actors, despite negative impacts on civilians.
Like nuclear assets, cyber technologies that can be used as weapons can also be powerful tools for improving lives. Considering their dual use, cyber technologies warrant carefully crafted normative and legal responses, rather than blanket bans, to enable their beneficial uses while limiting their destructive potential. The establishment of an international body similar in function to the International Atomic Energy Agency could provide oversight and investigation to promote the safe use of cyber capabilities. Similarly, the U.N. Secretary-General recommended in his July 2023 policy brief on “A New Agenda for Peace” the creation of a multilateral mechanism for accountability to address malicious cyber activity. Relatedly, while artificial intelligence is still in the early stages of regulation and international governance, there is much to be learned from recent attempts to encourage its responsible development, such as the U.S. State Department’s 2023 Political Declaration on the Responsible Military Use of Artificial Intelligence and Autonomy. Another domain of dual-use technology from which lessons can be drawn and applied is outer space, where—similar to the cyber realm—international consensus and governance are complicated by the presence of an increasing number of both public- and private-sector operators engaged in activities that span the military and commercial spheres. As regulations, laws, and norms are developed, it is vital that technical experts, policymakers, and industry leaders take into account—and build resilience against—cyberattacks, which pose a threat across these areas of dual-use technology.
Mitigating Damage and Escalation with Clear Standards and Norms on Attribution
In addition to the debate around the protection of civilians and civilian infrastructure, there is a need to reach consensus around accepted norms of behavior and response in the event of a state-perpetrated cyberattack. Currently, with no clearly defined international legal and governance process in place, states wishing to retaliate against a cyberattack are responsible for provable attribution, which is sufficiently challenging to sometimes allow aggressors to act with impunity. For example, while the United Kingdom attributed the 2017 WannaCry malware attack to North Korea within weeks, it took seven months for the United States, New Zealand, Canada, and Australia to concur. Demonstrating the lack of guidance around attribution, none of these five countries publicly presented evidence for their claims. In response to this general lack of clarity, experts have proposed various guidelines—for example, a U.N. Group of Governmental Experts’ 2015 recommendations and the Organization for Security and Co-operation in Europe’s 2016 compilation of best practices. However, these proposals have yet to be widely reflected in public attribution statements.
Establishing standards for evidence is further complicated by the difference in process for technical versus political attribution: While the former is relatively straightforward, using digital forensic tools to ascertain what software and hardware was used in an attack, the latter is more challenging, as states often use cyber mercenaries and other proxy actors to perpetrate attacks while maintaining plausible deniability. An approximately $12 billion industry, cyber mercenary services have been used by at least 74 governments since 2011. More recently, governments have begun to take action on cyber mercenaries, with 36 member states of the Freedom Online Coalition developing and signing the Guiding Principles on Government Use of Surveillance Technologies, which launched in 2023. These principles seek to delineate the lawful use of cyber mercenaries by governments to protect human rights and privacy. Guidance includes implementing clear and transparent processes for decision-making regarding digital surveillance and providing access to ongoing legal training for all government employees involved in these processes. Multilaterally, NATO’s updated cyber defense posture—announced during the July 2023 Vilnius summit—may provide a model for enhanced cybersecurity in the face of rapid change. The announcement included calls for allies to regularly update their own cyber-related strategies and laws and a commitment to better civil–military cooperation on cybersecurity, including during peacetime. These initiatives and recommendations, while promising, still fall short of a universal consensus let alone binding international laws. These are crucial areas that need to be explored by future collaborations among stakeholders, including multilateral institutions, civil society organizations, tech companies, and states.
National and Multilateral Bodies Have Been Working to Regulate Cyberspace for Two Decades
Despite increased attention paid to cyber operations and their impacts, applicability of international law to cyber remains vague and unclear.
The U.S. Naval War College convenes the first major legal conference on cyber operations.
The first U.N. Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security is convened.
The U.S. and U.K. national security strategies cite cyber threats as one of the most serious national security challenges to their nations.
Russia releases a cyber concept for the armed forces: Conceptual Views Regarding the Activities of the Armed Forces of the Russian Federation in Information Space.
Publication of the non-legally binding Tallinn Manual on the International Law Applicable to Cyber Warfare.
NATO CCDCOE launches initiative to expand Tallinn Manual’s scope to include cyber operations during peacetime.
NATO CCDCOE convenes new International Group of Experts to adopt additional rules for peacetime cyber activities.
U.N. Group of Governmental Experts recognizes the applicability of existing international law to information and communications technologies (ICT).
The African Union adopts the Malabo Convention on Cyber Security and Personal Data Protection.
China releases its first National Cybersecurity Strategy.
The Tallinn Manual 2.0 on International Law Applicable to Cyber Operations is published.
The U.N. General Assembly adopts resolution on “Advancing responsible State behaviour in cyberspace in the context of international security.”
UNGA creates Open-ended Working Group 2021–2025 on ICT to develop rules, norms, and principles related to cyberspace.
The EU Council introduces a framework for a coordinated EU response to hybrid campaigns.
Timeline Sources: African Union, Carnegie Endowment for International Peace (2021a), Carnegie Endowment for International Peace (2021b), Council of Europe, Digital Watch, Lawfire, National Institute of Standards and Technology, NATO, NATO CCDCOE, People’s Republic of China State Council, Tallinn Manual, Tallinn Manual 2.0, U.N. General Assembly (2013), U.N. General Assembly (2019), U.N. Office of Disarmament Affairs, U.S. Cyber Command.
Collaborating Across Sectors: States, Industry, Civil Society, and Academia
The use of cyber operations in armed conflict calls for an international system with agile multilateral institutions able to adapt in the face of new developments and capable of engaging with academia and nongovernmental organizations, as well as the private sector. Amid what has been dubbed a “new digital order”—as established power dynamics among nations shift based on their access to and use of cyber capabilities—tech companies are playing a growing role in detecting and defending against cyberattacks, as they own and operate much of cyberspace. Finding themselves on the digital front lines of conflict, more than 150 tech companies have become signatories to the Cybersecurity Tech Accord since its 2018 launch, providing a corresponding voice for the industry on matters of peace and security online, including the use of cyber mercenaries and digital surveillance.
The act of detecting and responding to national security threats, such as the China-linked 2023 hacking of U.S. government email accounts, warrants close collaborations across the public sector, NGOs, and private companies. One strategic opportunity for cooperation is cybersecurity workforce development; the inclusion of diverse voices and expertise across government, industry, academia, and civil society can not only strengthen technical know-how but also establish broad-based support for future approaches. As the evolution of new cyber threats and information operations outpaces existing digital infrastructure and security protocol, “expertise gaps” expose critical vulnerabilities. Additionally, the global demand for employees in cybersecurity outpaced supply by 3.4 million workers in 2022, with the widening gap attributed to a lack of interest, diversity, and skills in the pipeline, and high barriers to entry.
To address these challenges and in the interest of international security, educational institutions, the tech industry, NGOs, and the public sector can pursue various strategies to improve the workforce and strengthen cyber resilience. These include developing foundational digital skills among young people and traditionally underrepresented groups, reskilling the non-cybersecurity workforce, establishing trusted accreditation, and incorporating digital literacy and cybersecurity into the training of defense, diplomatic, and multilateral professionals. Lessons learned from past technological transitions can be leveraged to prepare for the possibility of future cyber-integrated hybrid warfare across all sectors and industries, and would benefit from the expertise and resources of various stakeholders, including international financial institutions, trade and development organizations, and global infrastructure investors and insurers.
Pursuing Cyber Peace and Preparing for Potential Cyber Conflict
The emergence and integration of cyber operations into warfare and conflict has brought to the fore challenges to international governance and stability, but it has also amplified existing issues and underlying tensions that threaten to undermine global peace and prosperity. These issues will change over time as technology evolves, new uses for cyber capabilities emerge, and theaters of war expand. Institutions therefore need to focus on creating, expanding, and clarifying regulations, norms, and international humanitarian laws so that they can grow and adapt as technology does, or risk becoming outdated and obsolete.
A whole-of-society approach is needed to anticipate, mitigate, and address potentially catastrophic risks to critical infrastructure, human security, and the global economy. To help meet this challenge, the public and private sectors need to scale their partnerships, invest in minimizing vulnerabilities in cybersecurity, and develop a high-skilled cyber workforce. Creative collaborations, in the spirit of the Digital Front Lines project, can bring together experts from across the spectrum—cyber, international humanitarian law, diplomacy, the military, civil society, and more—to envision what a stable, peaceful future looks like in the digital era.
By Isabel Schmidt (Senior Policy and Research Analyst), Angeli Juani (Senior Policy and Quantitative Analyst), Avery Parsons Grayson (Senior Policy and Risk Analyst), and Dr. Mayesha Alam (Vice President of Research).
This issue brief was produced by FP Analytics, the independent research division of The FP Group, with financial support from Microsoft. FP Analytics retained control of the research direction and findings of this issue brief. Foreign Policy’s editorial team was not involved in the creation of this content.
A Q&A with Hanno Pevkur
A Q&A with Ambassador Sorin Ducaru
Dr. Cordula Droege
Civilians must be protected from—and should not participate in—military cyber operations.
Karim A.A. Khan KC
We must renew our efforts to ensure that justice is not outpaced by the changing character of war.
A Q&A with Peter Micek
A Q&A with Ambassador Bonnie Jenkins
Russia’s success in establishing and maintaining a media foothold in Latin America highlights how important worldwide influence campaigns are to hybrid warfare.
A Q&A with Izumi Nakamitsu