From the Winter 2022 Issue

Cyber in Hybrid Threats – Acute and Present Danger to Our Society

Carmen Marsh
President and CEO | United Cybersecurity Alliance

Håkan Gunneriusson
Docent War Studies | Mid-Sweden University, Risk and Crisis Centre/Political Science

Josef Schroefl
Deputy Director, COI Strategy and Defence | Hybrid CoE

Madeleine Myatt
Doctoral Researcher/Research Fellow | University of Bielefeld, Germany

“The power of cyber in hybrid conflicts” was a hot topic at the recent European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) – “Cyber Power Symposium 2021” in Helsinki, Finland on November 10, 2021. This exclusive symposium brought together international experts to discuss critical subjects and share their insights about ways to counter hybrid threats. Research findings of “Countering Hybrid Threats and Securing Global Supply Chain with Help of AI” were presented to this group of global experts.

As we know it – the global supply chain is a lifeline for the international trade economy. Those who control the global supply chain also control the world’s economy. As part of this supply chain, commercial vessels and ports are vulnerable to hybrid threats in the form of sabotage, navigational spoofing, and cyber-attacks. So, what technologies could help us advance quickly in securing our physical and digital infrastructure? Artificial Intelligence (AI) and Machine Learning (ML) are at the moment the most promising and powerful technology for benefiting humanity with their “dual-use” capability. The reason being is AI and ML can be used for civilian and military purposes. The caveat is the same technology is now being leveraged for reckless or unethical uses of AI-enabled technologies by rogue states, criminals, or terrorists. The AI tools will become weapons of choice in future conflicts. Are we ready to harness the most powerful and world-altering technology for the good of all humankind? 

There is no one single defense tool to counter the numerous cyber threats posed to the global supply chain. We need to implement a combination of endpoint security, Identity, and Access Management (IAM), data-driven patch management, Privileged Access Management (PAM), and zero-trust frameworks. For example, improving the self-healing endpoints with AI-enabled bots is something that we should seriously invest time and money into. Some key takeaways about securing the global supply chain was to globally implement the use of big data and AI-based supply chain management, and focus on AI and ML innovation work specific to self-healing endpoint protection, as well as investing money into developing/upskilling the workforce.

We must unite our hybrid threats defense forces to establish an improved global strategy for protecting all attack surfaces against existing and newly discovered threats. It is no longer enough to only protect our platforms or countries because almost everything we do now is global and impacts everyone. We are tightly connected through the web of technologies. That is why the work of Hybrid CoE is so critical. Mr. Josef Schroefl – Deputy Director of Community of Interest Strategy and Defence (COI S&D) at the Centre, shared the vision and mission of his work strand ‘Cyber Power in Hybrid Warfare’.

“The objective and overarching goal of the CPH/Cyber Work Strand of Hybrid CoE is to raise awareness of identifying and addressing relevant strategic questions and issues regarding cyber power and domain in the context of hybrid threats/conflict/warfare” said Mr. Josef Schroefl. The Work Strand focuses particularly on identified research gaps with the interface between hybrid threats/conflict/warfare and the cyber domain. The topic of the Symposium on November 10, 2021 was “The power of cyber in hybrid conflicts: Cyber and new options for hybrid operations in the grey area of interfaces.”

We in the West choose our own well-being through supporting global trade, even if it supports anti-democratic regimes.

The resemblance between the science of conflict/warfare and science-fiction is becoming increasingly apparent. Technologies that were once confined to the vivid imaginations of forward-thinking politicians are becoming commonplace in future projections: smart cities, medical cryonics, robotics, drones, AI, or cloud computing – all of which are controlled by command-and-control systems based in cyberspace. This means that cyber is a domain rifle with wildcards, making anticipation a challenge. As a consequence, the future of hybrid conflicts will be increasingly influenced by digitalization and the use of new technologies. 

Again, we realized the connectivity between cyber and hybrid threats is something special: cyber power is an enabler and amplifier of hybrid threats. Then again, the hybrid without cyber threats is not conceivable. Another important topic discussed was the exploitation of the cyber domain including the emergence of new and disruptive cyber technologies. We talked about the means to limit or mitigate the exploitation of cyber domain by hostile actors in hybrid campaigns, touching upon appropriate cybersecurity measures including increased resilience and deterrence by the targets. Creating the need to provide a broader spectrum of skills and possibilities that come to use inside the “grey area” was less visible and the boundaries between them are blurring. The main trend from 2020’s Symposium has also been intensified where several nations with global or regional ambitions switched to using cyber power not only defensively, but to develop offensive capabilities.

Josef described the Symposium’s key take-aways as follows:

  • Cyber power has become integral for military and non-military reading of international relations. State-backed cyber-attacks are becoming the norm: Tech and cyber are within the geopolitical competition.

  • Cyber-enabled new technologies – if/when instrumentalized – are proving highly disruptive to traditional security, defense doctrines, and legal constraints in political and institutional contexts and modern battlefields.
  • There is only one internet, and cyber power is, therefore, an inherently international challenge that countries cannot tackle alone. Alliances, such as NATO and the EU, could and can give their member-states a cyber edge over their authoritarian challengers.

To learn more about the relation between Cyber-as part of Hybrid Threats, you can read more here and here.

“Challenges against democracy come in many forms,” said Mr. Håkan Gunneriusson, the Associate Professor in War Studies at Swedish Defense University and currently teaches Political Science at Mid Sweden University, was one of the expert speakers at the Hybrid CoE Cyber Power Symposium.  “Challenges against democracy come in many forms,” said Mr. Håkan Gunneriusson.

Mr. Gunneriusson stressed that in recent years there has been a rift between democratic values and economical liberal ones through the challenges presented by regimes such as Russia and China. Both are willing to participate in the global economic market while still being opposed to democracy. We in the West choose our own well-being through supporting global trade, even if it supports anti-democratic regimes. This proves political theorists who are critical of democracy right more than we want to admit.

Democracy accepts inequality as it defines some people as demos, while liberalism sees all people as equals. This is a difference which has shown itself more and more prominent in the last years. Having identified the problem here, we can see that the cyber arena can be a vehicle for these forces, as on the Internet, anyone can pretend to be anyone and it can be an unlimited number of individuals. This is problematic as the modern democratic system is more sensitive to opinions than ever before. 

Politicians are very much exposed to the narratives on the Internet and just as anyone else, can be more or less likely to be affected by such narratives. Some narratives are a part of the political discussion which would be discussed anyway. States and other actors with hostile agendas can communicate with citizens and politicians of other states, both freely and hidden. This was not the case when only diplomatic activities, spies, and flyers dropped over enemy states. With the Internet, there is a qualitative novelty in actors. Foreign states now have the ability to actually forward messages to voting citizens of other states. NGOs are also a category of actors to consider here. In a natural way, they are often seen as organizations fighting the good fight in an altruistic way, and are often financed by what can be seen as private donations. 

The cyber domain has, as we know, made economic transactions so easy, fast, and less prone to tracking that NGOs can be hijacked for purposes not always in the interest of democratic states. A state can fund any NGO under the cover of private donations and coerce them to engage in certain activities which benefits the funding state. For example, the EUs migration’s policies are founded on a democratic mandate; therefore, the EU represents the above-mentioned demos in this case. This is being challenged by NGOs who oppose the outcome of the democratic process, and in extreme cases want the EU to tear down its borders, which in the end would threaten the core of the EU, the inner market. This is an example of liberalism being opposed to democracy, as mentioned above. 

Regimes are benefitting from this and the extent of their involvement in different social actions, political actions, or financial actions on the internet might never be known. These phenomena deal more with the deniability which the cyber domain offers than the speed of it. The shutdown by cyber-attacks on Estonia in 2007 involved a great deal of deniability by the perpetrators. A feature then exported into real warfare. “The deniability has been an important pillar in the Russian hybrid warfare in Ukraine, said Håkan. It effectively projects a picture of the democracies in EU and NATO as weak, indecisive, and not standing up for democratic values even though they say so.”

Another Hybrid CoE Symposium expert speaker, Ms. Madeleine Myatt, the Cybersecurity & Digital Affairs Researcher, debated whether cybersecurity should be a shared responsibility. She spoke about fostering resilience through public-private collaboration and how cyber-enabled technologies offer new opportunities but also offers challenges and risks. She said, “Both public and private-actors are seriously affected by the impact of cyber-attacks, risks, and vulnerabilities. As technology and cyber threats are developing accordingly, individual actors rarely have a holistic overview of the entire threat landscape or its cross-cutting domain effects.

It is an appealing solution, framing cybersecurity as “shared responsibility” and highlighting the value of public-private partnerships and a whole-of-governance or whole-society approach. Seeking to develop structured collaboration to create a collective ecosystem of knowledge, expertise, and response mechanisms is a crucial factor for fostering resilience and accountability. 

Seeking to develop structured collaboration to create a collective ecosystem of knowledge, expertise, and response mechanisms is a crucial factor for fostering resilience and accountability. 

This covers not only optimizing information-sharing but also fostering R&D, innovation, capacity building, conducting exercises and training as well as rising cybersecurity awareness. One of the latest examples is the implementation of the EU Joint Cyber Unit. This is a new platform, aiming to strengthen cooperation among EU institutions, agencies, bodies, and member-state authorities as well as the new European Cybersecurity Network and Cybersecurity Competence Centre. In reality, most public-private partnerships pose certain challenges: different mobility of actors, needs and interest in knowledge transfer, different requirements for the use of data, different resource allocations, a lack of trust, and clearly defined roles and responsibilities.

Although there are no one-size-fits-all solutions, some countries are trying to go in new directions. To bring the whole-of-governance approach to life, Japan marks an interesting example with its distinct use of cybersecurity workforce training programs and staff rotation among ministries and its information security agency. The UK’s Defence and Security Accelerator (DASA) and the Defence Science and Technology Laboratory (Dstl) – both operating under the British MoD umbrella, offer new opportunities for SMEs, academia, and civil society through idea competitions on current and future security and defense challenges. Another idea from Germany is the Cyber Aid Agency, a network of civilian volunteers able to assist by the restoring of critical services in a case of a major cyber-based disaster or a large-scale emergency. The DHS Automated Indicator Sharing (AIS) points to the relevance of looking into emerging technologies for tackling the speed and acceleration challenge of cyber threats. Just as important, the adaption of public procurement processes in line with the speed and implications of the digital transformation.”

Madeleine further said: “The idea of sharing the responsibility for cybersecurity is not just limited to democracies. The benefit of public/private collaboration has also been recognized by states with hostile agendas and mindsets. From the use of non-state proxies like ‘patriotic’ hackers and organized-crime groups to the instrumentalization of private companies, research institutions, and think-tanks, the spectrum of exerting influence ranges widely. Advancing practices of offensive cyber operations remain an important issue, especially concerning Russia and China. But the export of digital surveillance technology, legislation, and policies, creating tech-dependencies through infrastructure projects and attempts to shape the normative order, including technical norms and standards, should also be on our radar. China’s Digital Silk Road Initiative and Huawei’s proposal for a NEW IP Framework are just two examples. Applying network analytics to monitor public/private relations of adversaries and their influence domestically and globally can help to foster resilience through awareness, patching vulnerabilities and mitigate cyber-enabled threats.”

In a predictive study by Pew Research Center about the world in 2025, several hundred innovators, developers, business, and policy leaders predicted that peoples relationships with technology will deepen as larger segments of the population come to rely more on digital connections, which also means bad actors will gain new attack surfaces.

Through discussions of the above topics, it becomes too apparent that we must no longer stay siloed in our approach to securing our digital and physical infrastructure; however, we must actively engage in serious conversations with our global cybersecurity/hybrid threats community. We acutely need an improved global strategy for countering hybrid threats.  lock

Carmen Marsh
Hakan Gunneriusson
Josef Schroefl
Madeleine Myatt

Leave a Comment