HIKMA SUMMIT
OF INTERNATIONAL RELATIONS

In his story, Gibson described cyberspace as “a consensual hallucination experienced daily by billions of legitimate operators […] Lines of light ranged in the nonspace of the mind, clusters, and constellations of data”. Today, such a smoky definition is of no help to understand this concept. What is “cyberspace”, then? While there is still no universally accepted definition, we can shed light on some core elements of it and distinguish it from other concepts. In public debate, for example, the terms cyberwarfare and information warfare are frequently used interchangeably. While there are some overlapping features between the two concepts, and some countries (e.g. Russia) use the two kinds of operation in interconnected and fuzzy ways[2], these are nevertheless separated concepts: info operations, intended as the willing attempt to influence and manipulate another actor’s infosphere, can be said to be as old as propaganda, which one may argue to be in its turn as old as politics itself. Cyber operations, instead, are necessarily a recent phenomenon as they are inevitably linked to digital technology and the web. While info operations are intended to affect the target actor in indirectways (e.g. by destabilizing democracy, spreading fake news, affecting elections, etc.), cyber warfare also includes direct, physical disruption of infrastructure and networks (e.g. by provoking blackouts, stealing personal information, or even causing explosions). Info ops in themselves are more of a “cold war” instrument; cyber warfare, instead, may have no different impact than a bombing campaign[3].

But how does cyberspace differ from physical space concerning international security? Even though this new domain has existed for a relatively short time and hasn’t hosted any great wars yet, we can still find some unique features which make this security environment different from the others. The first one is the great level of anonymity enjoyed by cyber-actors. When a missile strikes a state’s territory, identification of its source is oftentimes immediate; in cyberspace, instead, the problem of attribution is in most cases a headache for security apparatuses, and it’s common for experts to require months before attributing an attack to an actor with an acceptable degree of certainty.

The problem is amplified by the second unique feature of cyberspace: the affordability of even advanced cyber weapons, which widens the range of malicious actors who can access this domain. Informatic tools allowing ransomware (e.g. blocking data and requesting a ransom to return or to not share them) or even spyware (i.e. getting into a device and spying on whatever is typed, recorded, etc.) operations are getting cheaper, with a huge black market[4] providing for the know-how and instruments to anyone wanting to pay a fixed price and/or a percentage of the revenue of the cybercrime committed. The amounts requested for the most sophisticated weapons vary from the tens of thousands to the hundreds of thousands of dollars: in any case, these are sums that even a small non-state actor can afford to get informatic weapons capable of causing economic, social, and infrastructural disruption to a target. In most cases, however, great cyberattacks are conducted by state-sponsored actors: the sophistication is extremely high, and the attribution problem is even more complex (e.g. Russia may move a cyberattack to the U.S. using an anonymous young hacker sitting on a beach in Malaysia, making it a conundrum to trace).

A third feature of cyberspace is its lack of international regulation. At this date, we have no certainty over what constitutes a cyberattack according to international law, whether it is comparable to the physical use of force, and what would be a proportionate response to it. The two attempts at regulating this domain (the 2001 Budapest Convention on Cybercrime and the two editions of the NATO Tallinn Manual of International Law Applicable to Cyber Warfare) are both inadequate since they’re ambiguous and subject to different interpretations[5]. The management of cyber threats is therefore left to the declarations of politicians, which are often vague or instrumentally pronounced in the aftermath of major cyberattacks: to our current knowledge, cyberattacks never provoked a retaliatory reaction outside cyberspace – although it would theoretically be possible.

The three aforementioned observations give rise to a significant difference between cyber and physical space: in the digital environment, deterrence doesn’t work. Deterrence consists of discouraging an action by a hostile actor by instilling the fear that the potential negative consequences would be higher than the potential achievements. In a world where the hostile actor could be everything from a teenage hacker to a great power, where it is not clearly identifiable, and where international law is not clear about the potential consequences of an attack, there could be no such thing as an international order based on deterrence.

Other unique characteristics of cyberspace concern cyber defense in particular. Firstly, the most likely target for a cyberattack will never be the military (as it happens most of the time in conventional wars), but rather civilian infrastructures, like electricity networks or, even more worryingly, hospitals. The reason is simple: military targets are most likely to be better equipped for defending against potential attacks; moreover, the aim of the attacker could be precisely to cause social havoc. The consequence of this feature is something every state, enterprise, and military official should keep in mind: in cyber warfare, the civilians are at the front, not the soldiers. This means that civilians are the first who would potentially suffer from the consequences of a large-scale cyber-attack, but also that they are the first line of defense. A great majority of successful cyberattacks actually originated from what is called “human vulnerabilities”: normal employees, distracted workers, doing their everyday job, find themselves opening the wrong e-mail and inadvertently introducing malware in their workplace, which will then infect every computer, ready to be activated by the hackers at the right moment. Training workers, employees, and managers about the risks of phishing (i.e. using messages and e-mails to deliver infected material) and other cybersecurity practices should be the priority of every cyber-aware state and organization.

The metaphor of the “civilians at the front” can be useful to remind the importance of cybersecurity literacy in workplaces and everyday life contexts, but could be misleading about the localization of a cyber conflict: an additional feature of cyber defense compared to conventional defense, in fact, is that there is no front. There is no such thing as a border to patrol, no front to focus efforts on: cyberspace is not a place. The front is potentially every infrastructure or potential target using digital devices and data for its management, which means virtually everything. In addition, the moment a cyberattack starts is not the moment in which the attacker intrudes behind the target’s defense: the delivery of a cyberattack implies that the attacker is already behind the target’s defense line. A cyberattack always comes from within, in some sense: the attacker managed to intrude malware in the target’s system maybe even months before the attack starts, and it has total control over when to get the ball rolling.

The two characteristics of cyber defense above illustrated lead us to a last consideration on this new domain: the classic assumption of traditional warfare that the defender has the advantage over the attacker is here reversed. In cyberspace, the attacker has a wide array of choices on the network to target, the weapons to use, and the moment of the attack, and this is all available with very low expenses while enjoying anonymity. On the other side, the defender faces the impossible problem of defending virtually every single infrastructure on the national territory, using people who can’t be trained militarily (normal employees, workers, etc.) and systems of cybersecurity which are much more costly and need constant updates. The cybernetic domain is one in which the defender is always in an unfavorable position: it could be defined asthe domain of asymmetric conflicts par excellence.

The debate about the characteristics of cyberspace and its dangers, however, is open and wide. Some authors and politicians maintain that the hazardousness of this new domain should be resized[6]. After all, we haven’t experienced any great war predominantly fought with cyber weapons yet, and this could already be a sign that digital technology is far from substituting physical violence in conflicts. Moreover, “hot” wars like the one that broke out in 2022 after Russia’s invasion of Ukraine show that even the more expert cyber-powers (Russia) consider hybrid operations like cyber campaigns not sufficient to reach their political goals. The attention should nevertheless stay high on cyberspace: digital technology becomes every day more pervasive in our daily life, no informatic system will ever be immune from vulnerabilities, and cyber warfare must be watched out by military officials not only as a self-standing way of warfare to defend against but also as an additional domain to combine with other kinds of traditional operations. Our security of tomorrow relies on our efforts of today toward cyber awareness and adaptation to the complex, multi-faceted “consensual hallucination” that is cyberspace.

[1] A. Segal et al., The Future of Cybersecurity across the Asia-Pacific, in Asia Policy, vol. 15, n.2, pp. 57.114, 2020

[2] ivi, cap. Russia’s Cyber and Information Warfare, pp. 67-75

[3] A. Giannuli, A. Curioni, Cyber War: La guerra prossima ventura, Mimesis, Milano, p.47, 2019

[4] C. Frediani, Spyware LTD, 2021, available at https://guerredirete.substack.com/p/spyware1

[5] K. Min-hyung, North Korea’s Cyber Capabilities and Their Implications for International Security, in Sustainability 2022, 14, 1744, p. 4, 2022.

[6] R. Jackson, J. Møller, G. Sorensen, Relazioni Internazionali, Egea, Milano, pp. 408-416, 2020