How To Watch and Read This Chapter
The main objective of this chapter is to make you understand what it means for a country to be cyber capable and to give you an overview of major powers’ cyber defence and offence strategies.
Cyber Military Capabilities: Which Countries Have Offensive or Defensive Doctrines?
This map shows the countries that have issued a cyber security military doctrine. Cyber military strategies typically explain governments’ views on issues such as offensive and defensive cyber operations and norms of behaviour in cyber space, among other things. They are usually produced by countries’ ministries of defence.
This map is based on the Global Cyber Strategies Index developed by the Center for Strategic and International Studies.
The Index also includes a list of existing cyber strategies and laws by country, covering civilian and military cyber defence, digital content, privacy, critical infrastructures, e-commerce and cyber crime policies and regulatory frameworks.
Measuring Cyber Defence Capabilities: the Methodology of the IISS I
For the first time, in its 2020 edition of the Military Balance, the International Institute for Strategic Studies (IISS) systematically outlined the significant factors that are useful for understanding the cyber military capabilities of a country.
The Institute developed a taxonomy that focuses on enablers and indicators. These are derived from both the civilian sector and the armed forces (see learning unit 12, page 13) and, because of that, the IISS notes the assessment of capabilities is more challenging as the lines between military and civilian capabilities, assets and operations are often blurred.
As of now, the IISS has made available only the taxonomy of cyber defence capabilities. In the near future, the institute will make available national case studies that will highlight national cyber military capabilities.
The IISS’s taxonomy is a useful analytical framework that puts in perspective what it means to have “cyber power” in the military realm and makes it possible to draw comparisons among countries.
The next slide shows all enablers and indicators that make up a country’s cyber capability.
The main enablers are:
- strategy and doctrine
- command and control
- cyber empowerment and dependence
- cyber security and resilience
- global leadership in cyberspace
- military capability for cyber coercion
Measuring Cyber Defence Capabilities: the Methodology of the IISS II
Military Strategy/Doctrine – Command and Control and Integration
- cyber defence related documents
- national- and command-level formations
- integrating bodies, such as national-security councils
- military cyber intelligence capacity
Protection and Resilience of Military Networks
- automated joint-force cyber situational-awareness system; military computer emergency response teams (MIL CERTs)
- military cybersecurity exercises
Military Capacity for Cyber Coercion
- decision-making framework
- recent reported use of cyber military forces
Military Research and Development and Human Capacity
- research institutes (government- and military-affiliated)
- military exercises in cyber defence or offensive actions
- active recruitment
Extent of a Military Force’s Digital Dependence/Enabling
- space-based intelligence, ISTAR capability
- global operations and therefore reliance on global communications capabilities
- significant investments in digitally enabled technology
- ability to independently access and manoeuvre in space
Tracking State-Sponsored Cyber Incidents
The Cyber Operations Tracker of the Council on Foreign Relations (CFR) is a database of the publicly known state-sponsored incidents that have occurred since 2005.
The tracker includes only attacks that are perpetrated by a nation state or an entity that is affiliated with a nation state.
It includes 6 types of operations: DDoS, espionage, defacement, data destruction, sabotage and doxing.
The main takeaways so far:
- 28 countries have been suspected of launching cyber operations.
- Countries have reacted by imposing sanctions and using indictments.
- State-sponsored cyber operations have caused power outages, as in Ukraine in 2015 and 2016.
The Cyber Defence Policy of Selected Major Players: The US and the UK
These videos explain:
- the United States cyber defence policy, including the new concept of “Persistent Engagement”
- the United Kingdom cyber security policy, including new data on the “Active Cyber Defence” programme
The Role of NATO
Allies are responsible for protecting their own networks and systems, but NATO supports them by:
- sharing real-time information
- deploying rapid-reaction cyber defence teams
- developing common targets to strengthen cyber capabilities
- organizing exercises such as Cyber Coalition
One important actor is the NATO Communications and Information Agency (NCIA), which provides cyber security services throughout NATO, including by handling and reporting incidents through its NCIRC Technical Centre in Belgium. It has a team of 200 experts.
In 2023, the new Cyber Operations Centre will be operational. Its tasks will include providing situational awareness to inform operations and coordinating the Alliance’s operations in cyberspace.
NATO argues:
“NATO and its Allies rely on strong and resilient cyber defences to fulfil the Alliance’s core tasks of collective defence, crisis management and cooperative security. The Alliance needs to be prepared to defend its networks and operations against the growing sophistication of the cyber threats and attacks it faces”
nato.int
NATO has also defined its own Cyber Defence Policy, which has been evolving since 2008.
The next slide gives an overview of NATO guiding principles in cyberspace, a chronology of the policy evolution as well as the main actors involved in the Alliance’s cyber decision-making.
NATO Cyber Defence Policy
Main Principles
- Cyber defence is part of NATO’s core task of collective defence.
- NATO affirmed that international law applies in cyberspace.
- NATO recognises that Allies stand to benefit from a norms-based, predictable and secure cyberspace.
- NATO’s main focus in cyber defence is to protect its own networks (including operations and missions) and enhance resilience across the Alliance.
- NATO reinforces its capabilities for cyber education, training and exercises.
- Allies are committed to enhancing information-sharing and mutual assistance in preventing, mitigating and recovering from cyberattacks.
For details, study the main principles on the nato.int website.
Policy Evolution
- 2008: NATO approves first cyber policy
- 2011: NATO approves second cyber policy
- 2014: Wales Summit: new cyber policy and action plan
- 2016: Warsaw Summit: NATO recognizes cyberspace as a domain of operation; Cyber Defence Pledge
- 2017: updated Cyber Defence Action Plan
- 2018: Brussels Summit: new Cyberspace Operations Centre
- 2019: new NATO guide setting out a number of tools for responding to cyber attacks
Main Actors
- North Atlantic Council provides high-level political guidance
- Cyber Defence Committee is the lead committee for political governance and cyber defence policy in general
- NATO Cyber Defence Management Board is responsible for coordinating cyber defence throughout NATO civilian and military bodies
- NATO Consultation, Control and Command Board consults on technical and implementation aspects of cyber defence
- NATO Military Authorities (NMA) and the NATO Communications and Information Agency (NCIA) are responsible for identifying operational requirements and for the acquisition, implementation and operation of NATO’s cyber defence capabilities
The Cyber Capabilities of Russia and China
Russia
Russia has been investing significantly in developing tactics and tools to strengthen its cyber arsenal. According to some estimates, the Kremlin invests $300 million per year and has a dedicated 1,000-strong cyber army.
Russian intelligence has been integrating network operations with information operations.
Russia has used cyberspace to:
- prepare for military kinetic operations
- engage in direct cyber operations as in Ukraine
- enable influence operations
China
China’s cyber capabilities and skills are comparable to those of Russia. China uses cyber capabilities in both peacetime and wartime to advance its overall strategic objectives. Cyber is incorporated in the Diplomacy, Information, Military and Economic (DIME) spectrum of operations.
China has used cyberspace to:
- advance diplomatic claims
- improve its own international perception
- bolster military capabilities
- advance economic interests
Cyber Operations as a Tool in Influence Operations? Similarities and Differences in Russian and Chinese Approaches
Differences: Russia
- Geopolitics: Russia is economically declining and aims at reversing the current international system.
- Ethos: Russia cares less about its international reputation.
- Targets: Russia targets the general population in deeply divided and polarized societies.
- Narrative: Russia supports the message of a declining, weak and divided West, discrediting its enemies.
Therefore, Russia employs more aggressive techniques in the information environment.
Similarities
- Influence and information operations are “business as usual” in the conduct of domestic and foreign policy.
- Information operations are used domestically, albeit in two different ways: in Russia to manipulate, in China to censor.
- There is some degree of dysfunctionality in the administration and implementation of information and influence operations.
- China is adopting some techniques from the Russian playbook in Taiwan and Hong Kong: it is using cross-platform and coordinated networks of fake and automated accounts to amplify its messages, with the overall goal of generating favourable offline effects.
Differences: China
- Geopolitics: China is an emerging global power aiming at shaping the world with its own norms.
- Ethos: China wants to portray itself as a good global citizen.
- Targets: China mainly targets the “overseas Chinese community”.
- Narrative: China wants to promote the idea of a great, but non-threatening, China.
Therefore, China is considered less risk averse in cyber operations and does not engage in hack-and-leak operations like the Russian kompromat.