Is Civil Military Complex the way forward in Cyber Governance?
Updated: Aug 22
The cybersecurity environment encompasses a complex matrix of regional and global issues and challenges. As various regions worldwide develop their technological capabilities in every sector, we see a rise in the risk of cyberattacks that will directly or indirectly impact national security. This complicates the domain even further. For example, in India, post-liberalization, the Information Technology (IT), electricity, and telecom sectors have witnessed large investments by the private sector and foreign companies. However, inadequate focus on disaster preparedness and recovery in regulatory frameworks is a cause of concern. No single operator controls the IT, Telecom, or Power sectors, and, therefore, the responsibility to prepare for and recover from disasters is diffused.
Cyberspace poses various challenges to decision-makers. These challenges stem primarily from the heavy dependence of states and societies on such a vulnerable sphere. As investments in ICT infrastructure grow, our vulnerability to damage by natural disasters or attacks by insurgents/terrorists to immobilize and paralyze the nation's day-to-day activities is becoming significant. Such damage would cause short- and long-term setbacks to the economy. But even with the growth of security vendors and the attendant rise in spending that has occurred, we have not, as an industry, delivered real progress, as evidenced by the continued exponential growth in the cyber risk cycle. Some say this is because we have historically underfunded information security, but while that may be true, it's only a contributing factor and not the full story.
The need for a civil-military complex in handling cyberattacks of national security concern
It has become a truism to say that the offense has the advantage over the defense in cyber conflicts. Attack tools are cheap and widely available. Attackers can mount their assaults with lightning speed from anywhere on the planet to anywhere else, disguising their origins and masking responsibility. Scholars of war and human nature have long understood that, in an offense-dominant environment such as this, the pressure is on to keep up or be left behind. Fear and insecurity increase, threats lurk everywhere, and rash decisions can lead to unexpected outcomes and chaos.
While this may sound ominous for most, it presents an irresistible market opportunity for those in the defense industry. A new cyber military-industrial complex is needed. Like Dwight Eisenhower's military-industrial complex proposed in the 1960s, this massive cyber-industrial complex is intimately connected to national militarization processes. This complex has also led major US corporate giants that arose in the Cold War, such as Boeing and Northrop Grumman, to reposition themselves to service the cybersecurity market.
We also need to remember that the security industry profits from the insecurity of computing and, thus, at a macro level, has no real economic incentive to solve the problem. A fundamental reason why progress hasn't been made is the industry's financial incentives, as mentioned before. Dwight Eisenhower, an army general and President of the United States of America, warned back in 1961 that "we must guard against the acquisition of unwarranted influence by the military-industrial complex" and that "the potentially disastrous rise of misplaced power exists and will persist." He warned that "public policy could itself become the captive." This challenge manifests today as the lack of progress from the cyber-industrial complex, which lacks the proper economic incentive to solve the problem.
The Cyber industrial-military complex could solve the challenge of the lack of economic incentives, but only if the industry is home-grown. Due to a lack of capital and dependency on economic reforms, it won't be easy to institute this. However, instead of industrial participation, if we have civil participation in national cybersecurity, we can solve this problem.
Analyzing the Baltic Nations
To analyze civil participation in national cybersecurity, we look into the research done by Sergei Boeke (2017), where three models of cybersecurity governance for national cyber crisis management are studied. This paper highlighted that the Netherlands uses a "participant governed network model" based on trust and equality; the Czech Republic and Estonia use a "network administrative organization," with an enforcement role for their national cybersecurity center. These models involve a separate and external entity to govern the network activities specifically; Denmark uses the "lead agency model" for cyber crisis management, a more centralized and hierarchical approach, with the lead agency responsible for the coordination of activities and decisions within the network. The paper highlights two binary choices. First, the National Computer Emergency Response Team / Computer Security Incident Response Team can be embedded inside or outside the intelligence community. Second, cyber capacity can be centralized in one unit or spread across different sectors. These decisions fundamentally shape information-sharing arrangements and potential roles during a cyber-crisis.
Analyzing the US Cyber Structure
We also have many lessons from the US initiative to secure our cyber system while planning and implementing India's ICT infrastructure. A natural or insurgency/terrorist-induced disaster exponentially increases pressure on available ICT systems to facilitate coordination between various agencies like the fire brigade, medical services, police, media, and civil administration. This would entail rigorous technical analysis of current and emerging wireless and wired ICT systems.
Analyzing China's Cybersecurity Structure
In China, we notice a complete militarisation of the cybersecurity incident response. In 2015, the People's Liberation Army (PLA) initiated reforms that have brought dramatic changes to its structure, model of warfighting, and organizational culture, including the creation of a Strategic Support Force (SSF) that centralizes most PLA space, cyber, electronic, and psychological warfare capabilities. The reforms come at an inflection point as the PLA seeks to pivot from land-based territorial defense to extended power projection to protect Chinese interests in the "strategic frontiers" of space, cyberspace, and the far seas. Understanding the new strategic roles of the SSF is essential to understanding how the PLA plans to fight and win informationized wars and how it will conduct information operations.
The SSF combines assorted space, cyber, electronic, and psychological warfare capabilities across the PLA services and its former General Departments. In addition to expected efficiency gains from this approach, the SSF was created to build new synergies between disparate capabilities that enable specific types of strategic information operations (IO) missions expected to be decisive in future wars. Despite a lack of transparency and the fact that the SSF is still in transition, a coherent picture has emerged of how the SSF's components fit together and the strategic roles and missions they are intended to fulfill. The SSF reports to the Central Military Commission (CMC) and oversees two co-equal, semi-independent branches: the Space Systems Department, which leads a space force responsible for space operations, and the Network Systems Department, which leads a cyber force responsible for information operations.
Analyzing Israel's approach to Cyber Incident Management
In the high-tech and cybersecurity world, Israel is often synonymous with innovation platforms, successful cyber and high-tech start-ups, and stable relations between the private and military sectors. According to "Start-Up Nation: The Story of Israel's Economic Miracle" by Dan Senor and Saul Singer, Israel's technological success is based on Israel's mandatory military service, which influences its national culture, organizational culture, mindset, and overall cyber ecosystem. The literature on Unit 8200, the Cyber Operations Division of the IDF, is divided into two strands. The first, more academic strand studies Israel's cyber defense policy, structure, capabilities, and operations in general, with some more specific examination of the role and place of Unit 8200. The second strand is comprised of media articles published in specialized or mainstream journals, along with some academic papers. These articles are mostly in the form of interviews with former Unit members, who discuss some anecdotes, processes, and lessons learned from their time there. Other items cover investigations of the Unit's alleged bases, missions, capabilities, and scandals surrounding it. The lessons are taken from some of this literature.
Unit 8200 - Major cyber-incidents that helped shape the best
The following list identifies the major cyber-related incidents attributed at least in part to Unit 8200:
Stuxnet Virus (2005-2010): The virus successfully disabled the nuclear centrifuges in Natanz. According to some accounts, the virus was part of the joint Operation Olympic Games between the United States NSA and Israel's Unit 8200.
Operation Orchard (September 2007): Unit 8200 most probably jammed Syrian radar systems without alerting air defense operators to allow for a precise airstrike against a Syrian nuclear facility in Deir Ez-Zor. Unit 8200 conducted SIGINT to locate the facility and caused the anti-aircraft defense to malfunction during the attack, leveraging electronic sabotage.
Operation Full Disclosure (March 2014), in which an Israeli commando intercepted an Iranian ship in the Red Sea, which carried military arms and equipment destined for Hamas. The operation was made possible by the Unit's intelligence obtained through "advanced cyber and communications capabilities."
The Ogero Incident (May 2017), in which the Lebanese government blamed Israel for having launched a sophisticated cyberattack on the state's telecommunications company Ogero to spread disinformation through audio messages to over 10,000 Lebanese citizens, namely that Hezbollah's leader was behind the death of the group's top military commander.
ISIS terrorist plot thwarted (February 2018): Unit 8200 discovered and prevented a potential terrorist attack by ISIS against a civilian airliner headed from Australia to the United Arab Emirates. It notably shared its intercepted communications with the Australian authorities to prevent the attack (IDF, 2018).
Therefore, is the civil-military complex structure in cyber the way forward?
After studying the cybersecurity incident management structure of the Baltic Nations, the US, China, and Israel, and considering resources, policy, and capability, it is crucial to initiate the civil-military complex structure.
It is important to note that human beings are the weakest link in maintaining cybersecurity, even if they are cyber-aware. The staff members cause the majority of data breaches in the organization. Therefore, the cultivation of a cyber-security culture is the best approach to address human behavior in the cyber domain. Most military forces recognize the importance and challenges of cyber as an operational domain.
Compulsory military training inculcates 'national team spirit,' making a significant difference in the Cybersecurity Culture of a nation. For example, Israel and Singapore, the two highest powers in the cybersecurity domain, have compulsory military training. Every Israeli citizen is entitled to defend its national borders by doing military service.
Lessons Learnt from this Military Culture Strengthening National Cyber Defence
Audacity: This feature is best observed in the tendency of Unit 8200 soldiers toward disruptive, sometimes rule-breaking, behaviors and their readiness to challenge the authority of supervisors if they believe they are right about something.
Leadership and Foresightedness: This feature is seen in the Unit's training, which strongly encourages and builds this analytical thinking, sense of initiative, and adaptability. Furthermore, these young soldiers are often pushed by their missions' circumstances to take responsibility for and ownership of their projects. This is also seen in the Cyber Incident Response Capability of the Baltic Nations.
Preparedness, Vigilance, and Obsession for Improvisation: Within the Unit, this translates into a penchant for flexible thinking, innovation, and improvisation to crack challenges that some may consider impossible, with sometimes minimal resources and tight deadlines. The following quote by a member of Unit 8200 highlights this: "Unit members are taught that there's no such thing as impossible, while no is something temporary that can change by persistence and insistence, even if it's the Unit commander himself who said 'no.'"
Strategic Innovation: Technical and strategic innovation is thus particularly well-regarded and actively encouraged throughout the Unit. To "preserve the madness" and avoid encroaching bureaucracy and complacency, the commanders of the Unit have established a separate department tasked with strategic innovation and set up various events and internal processes. These include, for instance, regular internal hackathons as well as so-called SOOB or "SIGINT out of the box" activities.
Focus on human resources: As shown above, the Unit's staff is estimated to number between 5,000 and 10,000 troops, of which 5,000 are on active duty at any given time. While this is inferior to its US-American counterpart, the NSA, it is on par with the British GCHQ. Furthermore, when one considers the Unit's size relative to Israel's population, its significance is immediately evident. In terms of competitive advantage, such a sizeable force allows the Unit to specialize and develop capabilities in various domains such as data mining, artificial intelligence, etc., and pursue a wide range of activities and missions. Possible effects of economies of scale may also come into play.