Cyber aggression

"A key requirement to determining if there is an armed conflict taking place would be the deliberate intervention of members of a state’s armed forces."

This is from a reply to a parliamentary question (and other parts of the reply may be of interest as well), and a likely unintentional admission of very far-reaching consequences:

Offensive "cyber" ('hacking') activities would rather be considered an act of war (armed conflict) if done by a (para-)military bureaucracy than by a civilian bureaucracy or mercenaries.
There are many reasons why armed bureaucracies trying to develop a 'cyber' arm look a lot like a typical bureaucracy trying to grow in power and size, but this one is in my opinion a knock-out to the idea of offensive 'cyber' capabilities in armed service.

You would simply be more likely to get away with offensive actions if you are known not to have such a (para-)military cyber arm. The armed services are systemically disadvantaged in this regard.

Let's assume our government or alliance definitely doesn't like how some other country of significance is run by a tyrant, and we want to tip the scales towards an ousting, as for example against Ceaușescu in Romania. A great or superpower backs this tyrant, though - and we don't want a much more intensified conflict with them. Maybe we could disrupt the censorship, reshuffle banks' funds towards dissenters, dig into bureaucracy files and expose/publish appalling corruption, maybe we would even want to distribute a call to every adult to go on strike the next day, or rise up.
All of this would create much more backlash if the entire world knew that we had this capability in the armed services than if instead we merely employed mercenaries - many of which would probably not even live in our country or not even be fellow citizens.
This isn't even about the technical ability to trace malicious activity to a source; we know that eventually the usual suspects would be blamed quickly (see Stuxnet), but evidently it makes a great difference whether this source is a (para-)military bureaucracy or not.
This also means we would likely be falsely accused less often if we have no institutional, (para-)military ability for such offensive actions.



  1. I'm not sure you would really want your country's cyber abilities to be dependent upon individuals whose allegiance/motivation is in doubt. Unless you keep your offensive cyber abilities separate from your defensive measures, which is sub-optimal. This is even more important if you're the nation being attacked rather than being the aggressor. They may end up not supporting you or, worse, backing your opponent. If you are following the scenario you played out, it still would be unlikely to stop said superpower from accusing you and potentially exposing your connections, assuming an actual cyber attack rather than just stealing technological advancements. Would you consider having cyber activities as part of your intelligence services (not military intelligence) part of the military?


  2. IMO there are two possibilities: 1 the enemy cannot track the origin of the attack: so it does not matter if it is a military facility or not. 2 the enemy can track it down - and then it does not matter (practically) if the origin of the attack was a military facility or a civilian contractor etc

    And the MoD would not care about what it claimed now, it would only depend if the attack can be tracked down to a specific origin.

    So the most important thing would be to fake a false origin, not to export such activities to civilian contractors etc

    Your "Russian" strategy of denying your involvement would only work against European Western democracies and their ritualized warfare. Every serious enemy would not care if the origin is military or civilian.

    And you need such abilities under the direct control of the military because of efficiency and control.

  3. So, I have an official statement from a Western government. Where's supporting evidence for the claim that other governments etc. have a different stance? That's an unsupported hypothesis.

    I'd like to add that mercenaries would leave a different fingerprint than the government, since the latter would be tempted to use its power to make the job easier, such as demanding fake authorization, using regular software updates to insert malware, demanding backdoors in software etc.
    'Cyber' soldiers would rather not use open WLAN in another country as mercs could and if asked would do.

    "So the most important thing would be to fake a false origin"
    It's not nearly enough. Obscuring the origin is but the official layer of security against backlash. A government that doesn't show any interest in offensive 'cyber' stuff, doesn't pay a single bureaucrat much less soldier for it - such a government isn't a "usual suspect" when malware strikes.

    Keep in mind the civil society (instead of government) could be the origin of such actions (unless the actions required government powers), which would leave the government off the hook mostly.

    1. I think this is more about your distrust of the state and your fear about a big brother state / loss of civil rights and so on and not about military necessities. Cyber warfare must be a part of the military branch to exploit the possibilities of it to the fullest.

      And it does not care if one government says now: in the case of situation A we will do B and in case of situation C we will do D.

      I wonder that someone like you with a healthy distrust in the government in the opposite trusts such statements. They are absolutely worthless. The state can and will act like he wants whatever he may claim now, it does not matter.

      It would not protect you to outsource such abilities. But increase the risks.

  4. Are you saying you would have no state organised cyber security, because how can you separate offense/defence, and be 100% reliant upon other actors?

    Your last point is an interesting question: how much responsibility does the government bear for an individual's actions? Citizens can be opposed to a war but be dragged in by their government and pay the costs. How true is the reverse equation?


    1. The government's efforts for 'cyber' security tend to become compromised by the same government's desire to have access to computers it isn't meant to control. There's also a weird phenomenon; the German conservatives had an EU election platform in which their only idea of 'cyber' defence was protecting the German businesses. They were utterly disinterested in protecting privacy, and were the only major party with this bias.

      Private, even for-profit, companies are incredibly more efficient, more effective and more trustworthy.
      Kaspersky Lab has only 3,000 employees. That's a fraction of what the German ministry of defence plans for its own IT/software branch.
      I don't think anyone would claim that the German authority BSI with its 600 personnel is at least 20% as effective as Kaspersky Lab.

      Kaspersky Lab is Russia-based, and one would want a Russia-independent defence, but the way to go for defence of the nation against malware are no doubt the non-government efforts.
      Governmental self-protection with cryptology (a move towards one time pads is overdue), guidelines etc can be done by institutions like BSI and MAD, though they shouldn't dismiss civilian resources either.

      The point of this article was all about offensive actions.