Max Smeets is a cybersecurity fellow at Stanford University Center for International Security and Cooperation (CISAC). He is also a non-resident cybersecurity policy fellow at New America. You can follow him @SmeetsMWE
Europe is finally starting to talk more publicly and candidly offensive cyber operations.
Two weeks ago, the Dutch Ministry of Defense hosted the Third International Cyber Operations Symposium. In conference hand-outs, the commander of Dutch Defense Cyber Command, Hans Folmer, said he hoped to “foster a shared and realistic understanding of the role of cyber capabilities in future operations, while facilitating the opportunity to develop and strengthen relationships among all participants.” One senior participant at the conference observed: “speaking at NATO about offensive cyber was blasphemy a few years ago. We have advanced.”
At the same conference last year, former UK Defense Minister Michael Fallon acknowledged that states “must have the capability to project power in cyberspace as in other domains” and confirmed that the United Kingdom was using “offensive cyber” against the self-declared Islamic State group. This year, participants discussed lessons learned from those operations, and explored how and when cyber tools could be the most useful against an adversary.
However, based on the discussions this year, there seemed to be less excitement about the potential of offensive cyber tools. In Europe, cyber capabilities were once seen as a silver bullet for Europe’s defense problems—chronically low defense budgets and outdated materiel could be replaced with an asymmetric capability that could improve Europe’s ability to deter adversaries and project power. Now, as one participant said, “cyber is no longer something special.” There was a more honest and open debate about how cyber capabilities can be used, the challenges with developing and maintaining them, and understanding their strategic effects.
Nevertheless, Europe will continue to struggle with at least three issues.
First, not all European cyber commands are created equal. In fact, the diversity of capability in Europe makes it difficult to compare them in theory, and probably even more difficult to coordinate efforts in practice. Whereas Germany is said to have thousands of ‘information and cyber officers’, you can count the people working at cyber defense units in other European countries on two hands. Also, all states are in need of technical personnel, but not all have the resources to attract them. Although many European countries started building a cyber offensive capability almost a decade ago, many states are still far away from a meaningful capability.
Second, Europe is still searching for a strategic objective for its offensive cyber capability. Every scholar or policymaker at the conference noted that deterrence was a flawed strategy to pursue in cyberspace—either partially or completely. Yet, there remains a lack of alternatives and policymakers at the conference seemed unaware of ideas raised in the academic literature about the strategic value of offensive cyber capabilities, such as Kello’s cumulative deterrence, Harknett’s notion of persistence, or Lindsay and Gartzke’s discussion of deception.
Third, Europe lacks a common doctrine on the use of offensive cyber operations. NATO recently finished a first draft of its own cyber operations doctrine, and is going through the process of addressing comments made by member states and invited observers. Europe will need a common doctrine, or at least a common lexicon that can be used by military planners, if it wants to take a coordinated approach to cyber operations. Doctrine normally tries to link theory and practice. Yet, cyber operations in a military context are still fairly new and the lack of practice means that policymakers tend to concentrate primarily on theory, making the development of doctrine a difficult exercise.