Who Defends the Web?
Militaries are Launching Cyber Commands, but Their Role is Still Being Debated
Throughout history, technological advances and new discoveries have led to military reorganization. Eight years after the first flight, planes flew in combat in World War I. Shortly thereafter, the first air forces were formed. Similarly, the advent of submarines led to underwater warfare, and space travel has spurred discussions on how to defend space.
Militaries have always adapted to changing threats. Their latest challenge is cyberspace.
Militaries typically are charged with defending the nation against foreign threats while police and other security agencies handle domestic issues.
But cyber threats are foreign and domestic. Attacks can originate from anywhere on the globe and infect information systems inside the country. Attackers can be states, terrorists, petty criminals or activists. Solutions to this problem vary, but nearly all nations agree the military has a role to play.
“The potential consequences of a major cyber attack in terms of damage to the economy and to the ability of the country to function are such that this should be regarded as part of the defense domain,” said South African defense analyst Helmoed Romer Heitman in a defenceWeb article. “This is an intelligence-heavy area, so the requisite intelligence and protection/defense capabilities, and the development or pre-emptive and counterstrike capabilities, should … lie with defense intelligence.”
In many nations the military has advantages in terms of resources and know-how that make it the natural candidate to protect against cyber crime. South Africa and Nigeria are launching standalone cyber commands, and many other African nations are beefing up their training and capabilities within existing command structures.
Given this, it is important to examine the roles and limits on what the military can do to meet the cyber threat.
1. Protecting Military Communications and Hardware
In most nations the military is responsible for signals intelligence and operates a variety of communications equipment such as satellite phones and radios. Defense equipment and weapons are becoming more sophisticated and reliant on information systems. Global positioning systems can track everything from bombs to jeeps to Kevlar suits. Disrupting this information flow could be catastrophic.
“The ability to protect those systems becomes absolutely essential,” said Ian Wallace, co-director of the Cybersecurity Initiative at the New America Foundation. “It’s not even necessarily that those systems might be prevented from being used effectively but also that they might be penetrated by adversaries for information or even spoofed.”
The cornerstone of any cyber defense operation must be to protect its own assets and information.
The military secures reams of information that could imperil lives if accessed. Some of this is obvious, such as a battle plan or theater strategy, but other information, such as military health records, can be equally important. In a hypothetical attack, Wallace said, cyber adversaries could breach military health records and alter the blood types listed in order to disrupt care at hospitals.
2. Maintaining an Offensive Capability
Defeating cyber threats requires the ability to disrupt an attack before it reaches its target. Skilled professionals can go to the source of a threat and degrade it rather than waiting for the enemy to launch an attack. In a war, this offensive capability also can be used to shut down parts of an adversary’s infrastructure.
This is a controversial aspect since it leads to charges of “weaponizing cyberspace” and could prompt retaliatory attacks. But some have argued it is necessary. Lt. Col. Michael Aschmann of the South African National Defense Force co-authored a paper outlining why he believes that African nations need to invest in “cyber armies.”
“A cyber army [cyber command] for an African nation state will be an extension of the nation’s military power to close the gap of the fifth dimension, the info sphere,” Aschmann wrote. “It will enhance the defensing and protection of the technological realm and the cyberspace of the nation and be able to offensively fend off a cyber-onslaught from an adversary nation.”
This capability is still in its infancy in many countries. Debate about where and when it should be used is robust.
3. Protecting Critical Infrastructure
A cyber attack on critical national infrastructure can cripple a country. Assets such as roads and bridges, energy production, commercial air travel, water, and health systems are key to national defense.
Because of this, the military must be prepared to respond to an overwhelming cyber attack against critical infrastructure. However, Wallace cautions against making the military the first line of defense in this realm.
“If your country is under a sustained, all-out cyber attack against key institutions, you would want to call on all the aspects of national power, including the military,” he said.
But having the military take the lead against the numerous, smaller cyber incidents that regularly crop up can be a problem in two ways. First, the military could crowd out the private sector, stifling cyber security development there. Second, the military could become overextended and divert resources from other missions.
Wallace recommends a “lock your own door” approach in which the private sector, backed by police, takes the lead in responding to most cyber attacks. The military would only be called in as the last line of defense to thwart a major attack.
“Given the ubiquity of information systems through society, if the military were solely responsible for defending those systems, then you would be introducing the military into many parts of society where, for the good of the country and for the good of the military, it is probably better that they’re not engaged,” Wallace said.
To protect critical infrastructure, many countries are setting up computer emergency response teams (CERTs) with experts from a range of backgrounds. Often backed by government funding, these specialists have intimate knowledge of key national systems and can serve as first responders after an attack or suspicious activity.
Dr. Benoit Morel, an information and communications technology expert, argued that African nations particularly need to develop CERTs. He pointed to Morocco and Egypt as success stories. “African countries should not wait. They should build expertise at home, now,” Morel wrote. “At the moment, the best experts in cyber security tend to be the cyber criminals. Building that kind of expertise at home, when it comes to Africa, means doing something different from the actions taken in advanced economies. A kernel of expertise has to be developed … a group of people (it does not need to be very large) whose mission is to take responsibility for cyber security in the country.”
Pros and Cons
As militaries prepare to play a role in national cyber security, they are confronted with the benefits and drawbacks of stepping onto this new battlefield.
Capacity to Help
Pro: Militaries typically are well-resourced and mission-oriented. In less-developed countries, the military might be the only institution capable of marshaling resources against a large cyber threat.
Con: If the military takes the lead in cyber security, it might crowd out the private sector and stunt its cyber security development.
Within the Mission
Pro: Cyber security fits the mission of defending the homeland from foreign adversaries.
Con: Chasing all instances of cyber crime can overextend the military and lead to accusations of overstepping its legal mandate.
Pro: Attacks against critical infrastructure, such as electric grids or air traffic control, can cripple a nation. The military has a duty to protect against such attacks.
Con: Defending the cyber networks that control critical infrastructure requires special expertise. Cyber experts employed by the private sector, local governments or as part of a computer emergency response team are better suited to study and defend these networks.
On the Offensive
Pro: Offensive military cyber attacks can hit adversaries before they strike. In some cases these attacks can disrupt enemy weapons programs or damage infrastructure.
Con: The weaponization of the web could prompt an escalation in the conflict and invite retaliation.
Nigeria Forms Africa’s First Cyber Command
Nigeria has been one of Africa’s most proactive countries in fighting cyber crime — and with good reason. The Nigerian Communications Commission says that Nigeria ranks third globally in cyber crimes, behind the United Kingdom and the United States.
Nigerian interests are plagued by ransomware, cyptocurrency scams, cyber Ponzi schemes and other crimes. For years, computer viruses have been common. The extent of the problem is unknown, because an estimated 80 percent of Nigeria’s cyber crime is unreported.
The country’s 2015 Cybercrime Act imposes punishments, up to the death penalty, for cyber crime convictions.
The country’s military decided in 2016 to take on cyber crime, but it wasn’t until August 2018 that the Cyber Warfare Command was established, beginning with 150 Soldiers pulled from the ranks and trained in information technology. Their mission is to monitor and defend cyberspace and attack cyber criminals.
In February 2019, Nigerian Lt. Gen. Tukur Buratai said, “I have directed the Nigerian Army Cyber Warfare Command to disrupt terrorists’ propaganda activities by embarking on robust counternarratives to neutralize efforts aimed at misleading and misrepresenting the situation on the ground.”
Buratai has said that cyber warfare is the fifth domain of warfare after land, sea, air and space. He contends it is the most dangerous form.
“The intrinsic features of cyberspace can be easily exploited for information warfare by actors with malicious intent to plant and disseminate fake news and instruct paid users to spread online manipulated content,” Buratai said, as reported by the Nigerian newspaper Leadership.
Buratai said he has assigned the command to routinely survey and analyze suspicious online activity to help the Army become proactive in dealing with cyber crime. Africa Independent Television reported that the command will address issues such as cyber terrorism, extremist propaganda, terror recruitment drives, fake news and data theft. “It will also enhance digital monitoring of all ongoing operations, especially the war against Boko Haram in northeast Nigeria,” the network reported.
Temporary headquarters for the command will be in Abuja, with regional stations added as needed. A permanent office complex has been authorized for construction. Nigeria also has been in talks with South Africa to work together against cyber crime.