Cyber conflict short of war: a European strategic vacuum

ABSTRACT

Cyber conflict short of war plays an increasingly important role in contemporary security politics. Dedicated to a study of three European NATO members – the Netherlands, France and Norway, this article expands the existing focus of the study of cyber conflict short of war beyond its dominating US context. It compares and assesses how the countries perceive and respond to a changing strategic environment characterised by increasing cyber conflict short of war. The analysis demonstrates that all three countries acknowledge that cyber operations short of war alter the strategic environment and challenge the idea of deploying offensive cyber capabilities as purely a warfare matter. However, it also identifies a strategic vacuum, as none of them have formulated strategies that describe in detail how military and intelligence entities are supposed to approach and manage the new strategic environment. The article asserts that the current lack of strategic guidance is a fundamental challenge that puts European societies at risk and undermines democratic governance as navigating the new space of strategic cyber competition is a significant challenge to contemporary European statecraft. It concludes by noting three avenues for how to ameliorate this situation and fill the vacuum.

KEYWORDS:

• Cyber security
• European security
• strategy
• conflict short of war
• cyber operations

Introduction

In global cyber security 2018 marked a fundamental shift. In a vision statement, the US Cyber Command described a strategic cyber environment in which adversaries continuously operate against the US below the threshold of war by undertaking cyber campaigns to weaken US democratic institutions and gain economic, diplomatic, and military advantages (U.S. Cyber Command 2018, p. 3). In response, the US suggested a new strategic approach based on persistent engagement and defending forward in order to achieve and maintain cyber superiority (U.S. Cyber Command 2018, p. 6).¹ The US thereby took a much-discussed first step in developing a novel perception and strategic approach to cyber conflict short of war. One group of cyber security scholars has helped build the conceptual foundations for the US strategic shift (Hartnett and Goldman 2016, Fischerkeller and Harknett 2017, 2019). Whereas others have critically assessed its strategic implications, institutionalisation and chances of success (Healey 2019, Smeets and Lin 2019, Klimburg 2020, Smeets 2020, Lindsay 2021). While these studies offer valuable insights, they all centre on US policy and strategy.²

This article makes a contribution to redressing that imbalance by developing a comprehensive understanding and assessment of how three European NATO members – the Netherlands, France, and Norway – perceive and respond to cyber conflict short of war.³ In doing so, the article answers recent calls to expand the focus of studies of cyber conflict short of war beyond the US context (Healy 2019, p. 12, Devanny and Stevens 2021).

Drawing on written public sources, such as policy documents, strategies and speeches, as well as background interviews with military personal, civil servants, and scholars, the article demonstrates that the three countries – to different degrees and explications – acknowledge that malicious cyber operations short of war form part of the contemporary strategic reality. However, it also identifies a strategic vacuum as none of them have formulated strategic frameworks that map to the current strategic environment. They have neither spelled out in detail the strategic implications of cyber conflict short of war nor how military and intelligence entities are supposed to navigate and coordinate in this strategic space. The article asserts that the current lack of strategic guidance is a fundamental challenge to contemporary European statecraft, puts societies at risk, and undermines democratic governance.

Assessing the implications of the strategic vacuum, the article insists on the importance of formulating strategic approaches to deal with cyber conflict short of war. This is not to deny that the three countries are already engaged in countering hostile cyber operations short of war. Nor is it to say that strategy making is a panacea or one-size-fits-all process. Instead, it is to argue that European countries should make the implications of cyber conflict short of war comprehensible and actionable by being explicit about its strategic and international political implications and clarifying the role of military and intelligence agencies in this space. European countries should not blindly adopt the American strategy of persistent engagement and defending forward, but they should move beyond the current standstill and design strategic frameworks as to how to prevent, discourage, and respond to continuous adversarial cyber behaviour short of war. This is crucial if they engage with the broader political and democratic difficulties related to increased strategic cyber competition.

The article is structured as follows. Section II unpacks the existing scholarly engagements with cyber conflict short of war. Thereby, it provides the foundation for the analysis. Section III brings in the investigation of how the Netherlands, France, and Norway perceive and respond to cyber conflict short of war. Section IV concludes and offers three basic directions for how policy-makers and academics can fill the vacuum.

Cyber conflict short of war: strategic and institutional challenges

In the past decade, cyber security scholars have paid increasing attention to how cyber hostilities – be it espionage, subversion or disinformation – that do not live up to the legal definitions of armed conflict and war influence central strategic concepts such as deterrence, coercion and offence–defence balance (Gartzke and Lindsay 2015; Nye 2016; Borghard and Lonergan 2017; Slayton 2017; Valeriano et al. 2018; Garfinkel and Dafoe 2019). While authors agree with these forms of cyber hostilities – accumulated and over time – cause significant harm to liberal democracies, they disagree whether it represents evolution or a revolution in strategic affairs (Gartzke 2013, Kello 2013, Lindsay and Kello 2014, Hoffman 2019).

Recently, the scholarly discussion on cyber conflict short of war has centred on the US strategic approach based on persistent engagement and defending forward.⁴ The strategy was laid out in the 2018 vision statement by the US Cyber Command and the Cyber Strategy from the US Department of Defense. The vision statement recognises that the strategic environment has changed. It stresses that “adversaries direct continuous operations and activities against our allies and us in campaigns short of open warfare to achieve competitive advantage and impair US interests” (US Cyber Command 2018, p. 2). The Cyber Strategy similarly underscores that China and Russia have expanded that long-term strategic competition “to include persistent campaigns in and through cyberspace that pose long-term strategic risk to the Nation as well as to our allies and partners” (US DoD 2018, p. 1). The US Cyber Command perceives cyberspace as “a fluid environment of constant contact and shifting terrain” (US Cyber Command 2018, p. 4). The long-term strategic competition, the increase in series of malicious cyber activities short of war, and the character of cyberspace demand continuous operational activity to maintain US superiority in cyberspace. The strategy of persistent engagement entails that the US will infiltrate computer networks in other states pre-emptively, searching for planned attempts to conduct cyber-attacks against US targets and actively prevent these plans from being executed.

As we shall see below, scholars of one group support the US strategy and have helped develop and specify its conceptual building blocks (Harknett and Goldman 2016, Fischerkeller and Harknett 2017, 2019). Others, however, are less enthusiastic (Healey 2019, Klimburg 2020, Smeets 2020, Lindsay 2021). In the rest of this section, I unpack these differing views by zooming in on the strategic and the organisational level, respectively, thereby laying the foundation for the analysis of how European countries perceive and respond to cyber conflict short of war.

Strategic challenges: a new strategic environment conditioned on contact, connectedness and persistence

Prior to the 2018 US strategic shift, Fischerkeller and Harknett suggested that the US replaced its strategy of cyber deterrence with one of cyber persistence to accommodate better and navigate a strategic “environment of constant activity” in which “states and other significant actors continually are seeking to exert their influence in cyberspace through cyber operations, activities and actions” (Fischerkeller and Harknett 2017, p. 382). Consequently, they argue, “if the United States is to shape the development of international cyberspace norms, it can do so only through active cyber operations that begin to shape the parameters of acceptable behavior” (Fischerkeller and Harknett 2017). Developing their argument, following the 2018 strategic shift, Fischerkeller and Harknett conclude that “tacit and formal agreements to compete robustly short of armed conflict may be the grand, strategic consequence of cyberspace” (Fischerkeller and Harknett 2019, p. 283). They reach this conclusion by arguing that the “fears that persistent engagement in cyberspace will result in spiralling or uncontrollable escalation are not warranted because advantage can be gained through competitive interactions, rather than through the pursuit of escalation dominance” (Fischerkeller and Harknett 2019, p. 268).

Jason Healey acknowledges that “cyber forces are in constant contact” and “persistent engagement is a reasonable response” (Healey 2019, p. 12). He argues, however, that “there seem to be far more ways for the new strategy to exacerbate cyber conflict than to dampen it” (Healey 2019, p. 2), because the US strategy makes some fundamental assumptions about adversary behaviour that might be mistaken. Besides the risk of misinterpretation, retaliation, and escalation (Buchanan 2016), publicly embracing a strategy that sanctions preventive or pre-emptive takedowns of servers in foreign countries can lead to an increase in the exploitation of vulnerabilities in commercial software used by citizens, companies, and public authorities globally. This arguably increases cyber insecurity and renders citizens and business globally more susceptible to cybercrime, surveillance or disruptions of everyday services (Klimburg 2020, Jacobsen 2021).

Broadening the scope of the debate, Harknett and Smeets have recently argued that cyber campaigns, comprising linked cyber operations short of war aimed at achieving strategic outcomes, are the central way key actors operate in cyberspace. They emphasise that “cyberspace has opened a new dimension of power politics in which cyber campaigns could potentially become a salient means, alternative to war, for achieving strategic advantage” (Harknett and Smeets 2020, p. 2). Moreover, they perceive cyber activities short of war as “persistent responses to the structural imperatives of cyberspace” and expect these to be “the central mechanism of state and semi-state competition in this realm as long as the core structure of cyberspace endures” (Harknett and Smeets 2020, p. 1–2). In other words, the nature of cyberspace requires researchers to study cyber means as the strategic alternative to war (Harknett and Smeets 2020, p. 25).⁵

It is evident that the questions of whether and how dynamics of cyber conflict short of war demand a reorientation in strategic thinking are paramount in contemporary cyber security scholarship. The present analysis advances this discussion by investigating how the Netherlands, France, and Norway perceive and respond to cyber conflict short of war.

Institutional challenges: military or intelligence problem/solution

The boundary between military and intelligence operations is fundamental to cyber security discussions. It is integral for determining “under which normative and legal framework cyber operations should fall” (Boeke and Broeders 2018, p. 74), and many of the most noteworthy cyber operations – including Stuxnet, the Sony hack, NotPetya, and Solarwinds – are allegedly the work of intelligence agencies. However, the boundary drawing between military and intelligence is paved with challenges. These include, but are not limited to, the ambiguity surrounding attribution, intention and effect of cyber hostilities (Rid and Buchanan 2014, Buchanan 2016). Relatedly, cyber operations are often tailor-made combinations of intelligence, intrusion, and attack (Smeets 2017, 2018). Thus, it is rarely distinct where one phase ends and another begins. Moreover, the world has witnessed an expansion of intelligence activities beyond traditional espionage, with tasks and responsibilities ranging from protecting government networks to executing offensive cyber operations abroad. This has led scholars to conclude that cyber competition is primarily an intelligence contest (Gartzke and Lindsay 2015, Rover 2019, 2020, Lindsay 2021).

Following the US strategic shift, the discussion, concerning military and intelligence cyber tasks, logics, and responsibilities, has been granted new attention. On an institutional level, the discussion relates to separation between the US Cyber Command (CYBERCOM) and the National Security Agency (NSA), including the question of applying a traditional military-strategic logic or an intelligence-logic to conflict and competition in cyberspace (Rover 2019, 2020, Gioe et al. 2020, Lindsay 2021). Pertaining to this debate, 2018 marks not just a strategic shift. It also saw the promotion of CYBERCOM to a fully independent combat command releasing US military cyber capabilities from the NSA. According to the current commander of the US CYBERCOM, General Paul Nakasone, CYBERCOM “evolved its strategic concept and operational approach from a response force to a persistence force” (Nakasone 2019, p. 4–5). This is in line with the overall strategic shift in US cyber posture.

However, Jon Lindsay argues that “CYBERCOM's actual operations – penetrating adversarial networks for clandestine reconnaissance and discrete influence while protecting friendly networks from the same – bear more than a passing resemblance to intelligence and counterintelligence activity, albeit at an industrial scale” (Lindsay 2021, p. 261). Lindsay finds that the concepts of persistent engagement and defending forward have been “exceedingly helpful in bureaucratic combat” (Lindsay 2021, p. 273). He concludes that the US “is in the process of building a major institutional investment on a category mistake” (Lindsay 2021, p. 261), which can lead to “inadvertent escalation of international rivalries, the politicization of national security organizations, the distortion of democratic discourse, embroilment in criminal law enforcement, and the compromise of legitimate intelligence objectives” (Lindsay 2021, p. 273).

These discussions show that conceptualising cyberspace primarily as a domain of warfighting, persistent engagement or intelligence contest has significant implications for how competition and conflict in cyberspace are understood, and how the boundary drawing between intelligence and military institutions is done. The rising academic debate on how conceptualisations and institutionalisations unsettle and challenge the traditional military and intelligence tasks, logics, and responsibilities testify to that.⁶ This debate motivates the present examination and assessment of the strategic development and institutional set-up in the Netherlands, France, and Norway.

Cyber conflict short of war: identifying a European strategic vacuum

The following analysis complements the existing scholarly debate on cyber conflict short of war by demonstrating how the Netherlands, France and Norway perceive and respond to a cyber conflict short of war. Adding a European perspective to the debate on cyber conflict short of war is not simply a question of “add Europe and stir”.⁷ The promotion of empirical sensitivity is a particular methodological and analytical move based on the idea that bringing in novel empirical perspectives develops our understanding of cyber security as our object of study (Cavelty 2018, Stevens 2018a). This is in line with the understanding that cyber security as our object of study is not predetermined by the existing theories and categories (Balzacq and Cavelty 2016, Liebetrau and Christensen 2021). Instead, cyber security is taken to be situated and contextual. The importance of which should not be underrated, as “cybersecurity is notoriously hard to pin down and is contested politically in both national and international arenas” (Cavelty and Egloff 2019, p. 37). For this reason, neither the content of cyber conflict short of war nor its strategic implications are defined prior to the empirical analysis. This methodological starting point allows the analysis to provide an empirically sensitive exploration of perceptions of and reactions to cyber conflict short of war.

The study of security and defence policy and practice is entrenched in secrecy (de Goede et al. 2019). Documents are classified, information is confidential, and doors are hermetically sealed. Consequently, the analysis relies on public written sources and accounts, such as policy documents, speeches, newspaper articles, and academic papers.⁸ In addition, the analysis draws on 9 interviews with military personnel, civil servants and scholars from three countries.⁹ Due to the sensitive nature of the issue, the interviews served primarily to clarify, stress test, and substantiate observations based on the document studies. It is recognised that all three countries have published cyber security strategies focusing on international law, critical infrastructure protection, public-private partnerships, cybercrime, education, awareness, and global internet governance, but it zooms in on sources pertaining to the role of military and intelligence entities in managing and countering adversarial cyber operations short of war. Similarly, it is recognised that NATO and the EU form an important context for cyber security policy and strategy in three countries, but countering hostile cyber operations short of war by means of military and intelligence continues to be primarily a member state issue outside of their respective mandates. The analysis, therefore, focuses on the three states but brings in the role of NATO and the EU in the concluding discussion.

The three countries have been purposefully selected, as they represent a large-, a medium- and small-sized European NATO member that have all expressed ambitious digital and cyber policies and all hold advanced cyber capabilities. Following Flyvbjerg (2006), they are perceived as paradigmatic cases. They are chosen because they “highlight more general characteristics of the societies” (Flyvbjeg 2006, p. 234). Characteristics that are not meant to be fully generalisable, but rather to be explored and questioned in further research on European engagements with cyber conflict short of war. I come back to this point in the conclusion when drawing out the potential for future scholarly and political engagements. The analysis unfolds in three parts: one for each country. Each part provides an overview of the development in the country by examining the political-strategic reactions to cyber conflict short of war before addressing the institutional military-intelligence set-up.

The Netherlands: “Inaction is not an option”

The first Dutch Defence Cyber Strategy published in 2012 recognises cyberspace as the fifth domain of warfare and proclaims that the Netherlands needs to develop offensive cyber capabilities (Dutch Ministry of Defence 2012, Claver 2018). It states that “The Defence organisation must have sufficient knowledge and capabilities at its disposal to be able to conduct offensive operations in cyberspace, with a view to conducting an effective defence and to support operations” (Dutch Ministry of Defence 2012, p. 11). This was reiterated in the 2015 update of the Dutch cyber defence strategy. As the then Minister of Defence Jeanine Hennis-Plasschaert stressed, “the development and the deployment of cyber capabilities as an integral part of military action (defensive, offensive and intelligence gathering)” (Hennis-Plasschaert 2015, p. 2). The 2018 Defence Cyber Strategy made explicit that “the operational capabilities of the Defence Cyber Command contribute to the arsenal of deterrence means available to the government” (Dutch Ministry of Defence 2018, p. 8). In addition to deterrence, two central features of the 2018 Dutch cyber strategy continue to be international norm development and multilateral public attribution (Bunk and Smeets 2021). All three strategies suggest that the development and deployment of cyber capabilities have been envisioned primarily in the context of armed conflict.

However, the 2018 cyber security agenda stresses that “more and more frequently, state actors employ digital resources for espionage, influencing and sabotage objectives as an integral part of their range of instruments to exert power, or in concrete conflict situations” (National Coordinator for Security and Counterterrorism 2018, p. 23). In a similar vein, the 2018 Defence Cyber Strategy (Dutch Ministry of Defence 2018, p. 6) states that

cyber incidents have become the order of the day. They can no longer be treated as isolated incidents. More and more frequently, they are connected events which together form a campaign by state actors and their proxies, intended to undermine a country's economic revenue model, vital infrastructure, military capabilities or democratic order

Here we see a description of a strategic environment dominated by constant and accumulated grey-zone cyber activity. The emphasis on the importance of continuous cyber campaigns resonates with Harknett and Smeets' (2020) assessment of the strategic importance of cyber campaigns.¹⁰ In response to this shift in the strategic environment, the 2018 Defense Cyber Strategy (Dutch Ministry of Defence 2018, p. 6) underlines that

Proper defence and security alone are not, however, sufficient to prevent malicious parties from carrying out cyber attacks. An increasing number of allies are therefore taking a more active approach in the cyber domain (active defence). In the context of the first and third constitutional tasks (defending our territory and that of NATO allies, and assisting civil authorities), a more active contribution from Defence within the existing structures is required.

Similarly, the strategy stresses that “new defence assets will be deployed with which an active defence against cyber attacks can developed” (Dutch Ministry of Defence 2018, p. 7). Nevertheless, the strategy neither elaborates on what is meant by active defence nor how and when it is to be carried out. Considering the embrace of the new strategic cyber environment,¹¹ in which state conflict and competition is said to play out in the grey-zone, strongly enabled by digital technologies (National Coordinator for Security and Counterterrorism, 2020), the uncertainty about how the Dutch deploy active cyber defence is salient. Not least because the 2018 Defence Cyber Strategy concludes that “inaction is not an option” (Dutch Ministry of Defence 2018, p. 16). However, in October 2021, the Dutch Minister of Foreign Affairs Ben Knapen explained, in an answer to the Dutch Parliament, that the Dutch may use intelligence agencies or military services to counter ransomware attacks that threaten the country's national security. Knapen emphasised that the Dutch defence can carry out counter-attacks using the armed forces to avert enemy action or protect essential interests of the state, depending on the international legal basis and after a government decision (Knapen 2021).

The saliency of this development is accentuated when turning to the organisational aspect of the Dutch cyber capabilities and defence against hostile cyber activates short of war. When it comes to offensive cyber operations, the Netherlands operates with a clear organisational separation between the Military Security and Intelligence Service (MIVD) and the Defence Cyber Command (DCC).¹² The work of the DCC concentrates on establishing and deploying defensive, intelligence and offensive cyber capabilities, but the DCC only carries out military cyber operations with a political mandate and in the context of armed conflict and war.¹³ More than one interviewee emphasised, however, that the DCC lacks expertise and technical infrastructure when it comes to carrying out offensive military cyber activities. The MIVD, with its considerable cyber capacities, demonstrated in multiple cases,¹⁴ is, therefore, an indispensable partner for the DCC in offensive cyber operations. Yet, the DCC does not have the legal mandate to play an active role in disrupting continuous adversarial cyber behaviour short of war. As stressed by Sergie Boeke (2018, p. 28), a significant challenge then persists as intelligence operations and military operations each have different mandates, cultures and modus operandi.¹⁵

In 2019, the Netherlands revealed its first military cyber doctrine. The doctrine points to the need for increased coordination between the cyber command and the intelligence service. It emphasises that the difference between the use of cyber power in war and for espionage relates to the purpose and the desired effect. However, the doctrine makes it clear that deployment coexists and overlaps. Cyber capabilities are perceived as complementary and non-competing (Defence Cyber Command 2019, p. 14–15). More concretely, the doctrine talks about the potential need to conduct offensive counter cyber operations by being present in adversaries’ networks and system. It says that “offensive counter cyber operations are specifically targeted against adversaries’ offensive cyber capabilities or aimed at determining the origin of an operation that involves launching pre-emptive or preventive cyber counter-operations against the (attributed) source” and it continues “OCC operations, therefore, require thorough coordination between cyber mission teams, intelligence, counter intelligence, law enforcement bodies and other capabilities” (Defence Cyber Command 2019, p. 28). Yet, it is not described how they complement each other in practice or the collaboration between the DCC and MIVD when it comes to adversarial cyber conduct short of war.

In sum, the Netherlands acknowledges that continuous hostile cyber operations short of war form part of the contemporary strategic environment. The need to conduct counter cyber operations is emphasised, but no publicly available information explains the strategic logic, thresholds or triggering points in further detail. Despite the latest announcement concerning the possibility of the Defence Cyber Command to conduct ransomware-related counterattacks, it remains ambiguous when, how and to what extent the Dutch deploy counter cyber operations against cyber hostilities short of war. It is characteristic of the Dutch approach that a strong organisational separation is in place between the DCC and the MIVD on the one hand, while there is a strong emphasis on the need for functional cooperation between the cyber command and the intelligence service, on the other. How this plays out and to what effect when it comes to countering cyber operations short of war is kept out of the public eye.

France: “The cyber war has commenced, and France must be ready to fight it”

The French government’s 2008 White Paper on Defence and National Security made cyber security and defence a priority for national security (Commission du Livre blanc 2008). It focused primarily on cyberwar and cyber-attacks and mandated the development of cyber defence and the establishment of a cyberwar capability (Commission du Livre blanc 2008, p. 210). The following 2013 White Paper on Defence and National Security strengthened the overall focus on cyber security and defence (Commission du Livre blanc 2013). Despite a toned-down language on offensive cyber capabilities, compared to the 2008 version, the Minister of Defence, Jean-Yves Le Drian, affirmed the development of offensive cyber capabilities (Vitel and Bliddal 2015, p. 5–6). In December 2016, Le Drian gave a seminal speech to underline that cyber-attacks could constitute war, stressed the need to develop new military strategies and doctrines for cyberspace, and announced the establishment of the French cyber command¹⁶ (Le Drian 2016).

As envisioned in the speech, France has further sharpened its cyber posture in recent years (Delerue and Géry 2018, Laudrain 2019). Since 2017, a series of documents has clarified and developed French strategic and military interests and priorities in cyberspace as well as its organisational approach to cyber defence.¹⁷ The Ministère des Armées (2017) has a section dedicated to the digital space. It stresses that “the frequency, scale, and technological sophistication of attacks continue to increase in cyberspace, where states are engaged in constant confrontation” and it assesses that “such situations may at some point in the future be qualified as armed aggressions” (Ministère des Armées 2017, p. 46). Consequently, it recognises cyber security and digital sovereignty as central priorities.

In 2018, France released a Strategic Review of Cyber Defence. A landmark document which reviews the French position on cyber defence in book-length. It reaffirms and develops a fundamental pillar of French cyber defence, namely the clear separation between offensive and defensive operations. This includes the division between the areas of responsibility of ANSSI,¹⁸ tasked with the general defence of national networks and infrastructure, and of the Ministry of Armed Forces, tasked with defending the ministry's networks and conducting military cyber operations. The sharp division between defensive and offensive cyber is contrasted to the Anglo-Saxon countries, “whose cyber defence capabilities are concentrated within the intelligence community” (Secrétariat général de la défense et de la sécurité nationale 2018, p. 5). This strict defence–offence division includes a firm separation between the French cyber command and the Foreign Intelligence Service (DGSE).¹⁹

The French Minister of Defence, Florence Parly, confirmed the sharpened stance on military cyber issues when presenting the first French cyber doctrine (Ministère des Armées 2019a). When introducing the doctrine, Parly underlined that “the cyber war has commenced, and France must be ready to fight it” (Parly 2019a).²⁰ She emphasised that in response to cyber threats, France is not afraid to deploy its offensive cyber power. Moreover, at the official inauguration of the French cyber command's new headquarters in Rennes in October 2019, Parly promised that by 2025 France will have 4000 cyber warriors (Parly 2019b). According to Darwish and Romaniuk (2020, p. 66), the doctrine shifts the French cyber posture from one “of ‘active defense’ to one of ‘offensive cyber capabilities’”.

The military cyber doctrine consists of two documents: one on cyber defence (Ministère des Armées 2019a) and one on cyber offence (Ministère des Armées 2019b). The 2019 offensive military cyber doctrine publicly confirms a determined operational use of a strengthened French military cyber capability and makes it clear that “France can operate at both the defensive and offensive levels” (Delerue et al. 2019). The strategy underlines that “most contemporary power struggles, crises and conflicts are developing in the digital space” and it speaks of cyber “grey-zone, a fog, the effects of which are very real, sometimes devastating. Combat in cyberspace is asymmetric, hybrid in nature, sometimes invisible and seemingly painless” (Ministère des Armées 2019b, p.4). Yet, it describes this as a continuation and reaffirms the strict separation between defensive-offensive missions and capacities (Ministère des Armées 2019b).

The defensive doctrine focuses on ensuring the independence and continued function of France in the event of cyber crisis and conflict. Following the Strategic Review, it lists six missions for the cyber defence: prevent, anticipate, protect, detect, react, and attribute (Ministère des Armées 2019a, p. 4–5) and it places the stirring and coordinating role with the cyber command (Ministère des Armées 2019a, p. 7). The doctrine contains sketches for an adaptive permanent cyber security posture (Ministère des Armées 2019a, p. 9). According to Laudrain (2019), this means “orienting France's military cyber units to be prepared for what the summary describes as a ‘peace-crisis-war’ continuum” whereby the document “seems to acknowledge what has been described as a state of unpeace, a state of hostility that falls short of full conflict”.

In October 2021, the French took one more step towards acknowledging the strategic impact of malicious cyber activities below the threshold of war by releasing the armed forces “influence operation doctrine” (Ministère des Armées 2021). The doctrine stresses that intensified strategic competition and a rising number of cyber-attacks demand military strategic thinking along a continuum of competition-contestation-confrontation (Ministère des Armées 2021, p. 4). The doctrine sanctions military influence operations seeking to “detect, characterize, and counter” adversarial information operations and support the armed forces’ strategic communications (Ministère des Armées 2021, p. 9). It separates these functions into three pillars: intelligence, defence, and action. Both the defensive and the influence doctrines recognise the strategic importance of malicious cyber activities below the threshold of war and stress the need to counter these. Yet, the thresholds and triggering points for when, how and who engages in counter cyber operations along the new continuum of competition-contestation-confrontation are ambiguous.

The conduct of counter cyber operations is most likely not limited to the military framework. The Secrétariat général de la défense et de la sécurité nationale (2018) mentions intelligence as one of four operational cyber defence chains – the others being protection, military action, and judicial investigation – and it includes implementation of offensive cyber capabilities under the intelligence heading. This could leave room for the DGSE to conduct disruptive counter operations targeting adversarial cyber behaviour short of war. However, the Strategic Review of Cyber Defence does not elaborate on the general role of the French intelligence services in this area. Neither do the military cyber doctrines.

DGSE is the largest French intelligence service in terms of workforce and has generally maintained a relatively high degree of autonomy over COMCYBER. This is underscored by the highly secretive aura that surrounds DGSE (Chopin 2017, p. 546). The likely involvement of DGSE in counter cyber operations short of war is not publicly confirmed, but Stéphane Taillat (2019) argues that Parly indirectly stated that a significant portion of the French offensive cyber operations are conducted by DGSE. He finds that this ambiguity is “partly deliberate, but it also brings to light the resulting loopholes when attempting to draw organizational boundaries in a new context of operations” (Taillat 2019). According to Taillat (2019), the strict separation between defensive and offensive cyber operations is thus “more functional than spatial”.

France has significantly developed its cyber posture in recent years, primarily by being more explicit about its military cyber capabilities, including its willingness to use them. As Parly stressed, France is ready to fight the on-going cyberwar. At the same time, the strategic impact of cyber operations short of war has been highlighted. A new competition-contestation-confrontation continuum has been introduced and cyber grey-zone activity emphasised, but the strategic impact of hostile cyber operations short of war is predominantly wrapped in the language of armed conflict and military operations. Hence, the thresholds and triggering points for when and how France engages in countering hostile cyber operations short of war are not made clear. It is very likely that the DGSE is engaged in counter cyber operations to disrupt malevolent cyber activity, but when, how and to what extent is kept secret.

Norway: “uncovering and countering hybrid threats in the cyber domain”

A decade ago, a new long-term plan for the Norwegian Armed Forces emphasised that “attacks in the digital space, also called ‘cyberspace’, is one of the fastest growing threats of our time” (Forsvarsdepartementet 2012, p. 11). The plan's primary focus is preventive. It aims at strengthening resilience and robustness, but stresses that

military operations in the digital space have both protective, intelligence and offensive objectives. This has become an additional dimension in military operations and thus a new warfare area where both the ability of defensive and offensive operations can be crucial in future conflicts. (Forsvarsdepartementet 2012)

However, the relationship between protective, intelligence and offensive objectives is not specified further in the document.

In 2014, the Norwegian Ministry of Defence created a set of internal guidelines for information security and the conduct of cyber operations in the defence (Forsvarsdepartementet 2014). The guideline stresses that armed forces shall have the capacity for offensive cyber operations, which i.a. helps us to protect ourselves from outside attacks” (Forsvarsdepartementet 2014, p. 13) and it elaborates on the legal framework for conducting intelligence and offensive cyber operations. It mentions that a cyber attack can trigger the right to self-defence in accordance with international law, but underlines that the threshold is high. More importantly, it moves on to say that “if the attack is not severe enough to trigger the right of self-defense, the affected state will still be able to implement other countermeasures that do not involve the use of force” (Forsvarsdepartementet 2014, p. 14). Yet, it does not elaborate on the practical questions of when, how or what concerning these other countermeasures.

In 2016, Norway presented a new long-term plan for the defence (Forsvarsdepartementet 2016). It underlines the need to strengthen the ability to detect cyber attacks and implement further countermeasures (Forsvarsdepartementet 2016, p .19). Looking at counter measures, the 2016 long-term defence plan is silent in terms of offensive cyber capabilities. It only mentions that the intelligence service must be able to collect intelligence within the cyber domain (Forsvarsdepartementet 2016, p. 24). The importance of the intelligence and the military in securing cyberspace has been stressed in Norway for a decade, but it has been less outspoken than in the Netherlands and France, particularly when it comes to the development of offensive cyber capabilities.

Leading up to the presentation of the new long-term defence plan in 2020, the Norwegian Chief of Defence, in October 2019, presented his military advice and recommendations for the plan (Forsvaret 2019). The Chief of Defence emphasises the need to “further develop the ability to plan and execute cyber operations for effect, situational understanding and protection” (Forsvaret 2019, p. 30). The Chief of Defence did not specify whether this involves deploying counter cyber operations to defend against cyber hostilities short of war. However, the Norwegian Ministry of Defence (Forsvarsdepartementet 2019) has stated the following to the author

The Ministry of Defense will further develop and strengthen the ability to conduct military operations in the cyber domain, based on current responsibilities and organization. This comprises undertaking offensive and defensive actions at several levels, including uncovering and countering hybrid threats in the cyber domain.

The ministry underlines the ambition of uncovering and countering hybrid threats in the cyber domain, but provides no further description of what to counter, how, or when. A similar conclusion can be drawn from the recently released Norwegian long-term defence plan for 2021–2024. It states that (Forsvarsdepartementet 2020, p. 76)

Access to up-to-date and relevant information about threats and threat actors is absolutely central for being able to handle threats in the digital space. The government will therefore develop further the Intelligence Service's ability in peace, crisis and armed conflict to follow, attribute, warn and actively counter digital threats before incidents occur.

What is particularly interesting here is the long-term defence plan's pledge to counter digital threats before incidents occur actively. According to Friis (2020, p. 37), this wording comes close to the US descriptions of persistent engagement and defending forward, but it is kept at a level of vagueness that makes it difficult to assess the practical implications. In other words, no elaboration or explanation on potential thresholds or triggering points is given.

This begs for a closer look at the organisational aspect of Norwegian cyber capabilities. The Norwegian foreign intelligence service is responsible for the offensive part of the Norwegian cyber defence. Its mandate was recently described with in a new intelligence law. The Forsvarsdepartementet (2018) states that

the intelligence service has the national responsibility for planning and carrying out offensive cyber operations, including cyber attacks (Computer Network Attack), as well as coordinating between offensive and defensive cyber measures in the armed forces. The intelligence service is also responsible for conducting intelligence based attribution of foreign threat actors in case of severe cyber operations targeting Norway or Norwegian interests.

The foreign intelligence service is responsible for intelligence and offensive cyber operations. There is thus no separate cyber command in Norway. The Ministry of Defence stated to the author that they do not intend to change this, as it will be costly and reduce the existing synergy effect (Forsvarsdepartementet 2019). However, the ministry does not provide additional information on how the distinction between offensive, intelligence and defensive operations is operationalised in practice. The Norwegian long-term defence plan for 2021–2024 reiterates the need for pre-emptive action and stresses that (Forsvarsdepartementet 2020, p. 118)

The ability of the e-service [foreign intelligence service] in peace, crisis and in armed conflict to follow, attribute, warn and actively counter digital threats also before events occur, shall be further developed. The capability and competence in offensive cyber operations is to be further developed.

It is, thus, clear that the Norwegians will improve their ability to counter hostile cyber activities. Yet, it is unclear what exactly crisis means except it is a situation between peace and war. No thresholds, triggering points or possible countermeasures are explicated.

In sum, the Norwegian cyber defence posture has remained precautionary in the past decade. References to offensive cyber capabilities and their use have been limited. This speaks to the general absence of public debate about offensive cyber operations in Norway (Friis 2020, p. 35). In recent years, Norway has indicated that continuous cyber operations short of war are part of the current strategic reality, but without explicating if or how this affects the country's strategic position and decision-making. Norway has made it clear that it is willing to counter digital threats before events occur, but the language is kept vague and ambiguous. Hence, no publicly available information describes the strategic logic, thresholds or triggering points in detail. The competence lies solely with the foreign intelligence service, but the extent to which it deploys counter cyber operations against cyber hostilities short of war remains unknown.

Conclusion: towards filling the strategic vacuum

This article examined how three European NATO members – the Netherlands, France, and Norway – perceive and respond to continuous adversarial cyber operations short of war. The analysis demonstrated that the Dutch, French, and Norwegian decisions to develop offensive military cyber capabilities date 10–15 years back. In all three countries, the development of offensive cyber measures has been portrayed as a timely investment in necessary capabilities intended to deter and support military operations in armed conflict. The analysis also showed that the three countries – to different degrees and clarifications – have acknowledged that the adversarial nature of cyber operations short of war forms part of the current strategic reality. Yet, their cyber strategies and military doctrines continue to primarily centre on warfare and armed conflict.

Thus, the paper identifies a strategic vacuum as none of the three countries have formulated strategic frameworks that map onto the identified strategic reality. The recent publications of military cyber doctrines in France and the Netherlands provide initial strategic guidance for armed conflict, but it remains underspecified how the impact of continuous cyber conflict short of war affects the countries’ view on international political competition, their strategic positioning, and their military-intelligence relations. Questions concerning when, how, who and to what extent cyber countermeasures are deployed against hostile cyber operations short of war remain ambiguous and secretive. This lack of clarity, strategic guidance, and public debate puts societies at risk and undermines democratic governance.

The insistence on the importance of formulating strategy and publicly discussing how to deal with cyber conflict short of war does not deny that all three countries are already engaged in countering hostile cyber operations short of war in various ways. It is rather to argue that scholars should become more involved in research on European perspectives on cyber conflict short of war on the one hand, and European governments should strive to clarify the strategic consequences of continuous cyber conflict short of war, on the other. Both scholars and politicians need to engage with the security, political and democratic difficulties related to countering adversarial cyber hostilities short of war. This is not to say that European countries should blindly adopt the American strategy of persistent engagement and defending forward. They should, however, move beyond the current standstill and design strategic solutions to prevent, discourage, and respond to continuous cyber incidents short of war. In conclusion, the paper suggests three avenues for future scholarly and policy conversation on how European countries can accomplish this goal and fill this strategic vacuum. These suggestions are neither exhaustive, a panacea nor an argument for a one-size-fits-all European strategic approach. Based on the premise of a changing strategic environment in which cyber conflict short of war forms a fundamental part of strategic competition, they offer basic propositions for policy-makers and academics to engage.

First, European countries should define the problem to be solved, “as ambiguous terminology creates problems for distinguishing between different conceptions of strategy” (Hoffman 2019, p. 133). They would benefit from operationalising cyber conflict short of war, unpack its core dynamics, and determine its strategic impact. At a macro-level, this includes elucidating whether cyber conflict short of war is an expression of fundamental strategic competition? Whether it taps into the intensified global technological competition, which includes control of internet infrastructure, power over international ICT supply chains and markets, global data flows, and innovation in emerging technologies?²¹ To what extent, if at all, cyber conflict short of war weakens the position of European countries in international politics?

At a meso-level, European countries should develop strategically guided frameworks for counter linked and coordinated cyber operations that accumulated over time do significant harm to European societies. In relation to this, European countries should clarify interagency competencies and processes to handle tensions between military and intelligence agencies. The analysis showed that inter-agency relations vary across countries: from a French separation model over a Dutch cooperation model to a Norwegian unity model. It furthermore demonstrated that challenges remain in developing operational and legal frameworks for the deployment of cyber capabilities at the intersection of the already indistinct and blurring categories of offence and defence, with consequences for escalation management and strategic stability (Buchanan 2016). Moreover, when formulating strategies European countries ought to consider the risk of exacerbating the tension between the stabilising effects of intelligence collection on international relations and the destabilising modes of its collection (Goie et al. 2020). At a micro-level, as part of developing such frameworks and interagency processes, European countries should consider establishing procedures for classifying and operationalising various forms of malicious cyber activity and formulating thresholds and trigger points. At all three levels, these are continuous efforts that are contingent on various factors counting developments in global politics, digital technologies, and strategic culture.²²

Second, national strategy building does not take place in a vacuum. European countries are involved in international cooperation engaging cyber conflict short of war in NATO,²³ EU,²⁴ and among the intelligence services.²⁵ National strategy building should thus take place in conversation with allies and partners on how to strategise the involvement of military and intelligence entities in the increased cyber competition short of war. The significance of which was recently underlined by the 2021 NATO Brussels Summit Communique (2021, p. 10) stressing that “allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack”. The development of a new Strategic Concept for NATO – to be done in time for the Madrid summit in June 2022²⁶ – provides an excellent opportunity to formalise this conversation and increase NATO coordination on cyber strategy.

This broad conversation could focus on intelligence versus military norms and practices for cyberspace (see also Boeke and Broeders 2018, Smeets 2020, Jacobsen 2021). It might include discussions on establishing common and transparent vulnerability equities processes and decreasing the grey market trading by government agencies purchasing cyber weapon components (Christensen and Liebetrau 2019, Perlroth 2021), working on creating a global governance framework for cyber weapons (Stevens 2018b), and enhancing the protection of global supply chain integrity and the public core of the internet (Broeders 2017). Moving these discussions forward, European countries could boost norm-codification and progressive norm-making concerning cyber competition short of war with the shared goal of restoring confidence in a liberal rule-based order that can prove its relevance and avoid further poisoning of the global digital well.

Third, the present lack of transparent strategic approaches raises concerns about oversight and the democratic goal of fostering informed political and public debate. It is important to engage society in the deliberation on countering cyber conflict short of war, not least because citizens, private companies, and public authorities are often the victims of such cyber operations. Ensuring a continuous debate on the political and military framing of malign cyber operations and the opportunities to counter them is vital to democratic governance. The current situation thus demands greater transparency and debate about the deployment of cyber power – for all purposes including countering cyber hostilities short of war – across society from parliamentary scrutiny over oversight bodies to the media. The discussion on how to categorise, react, and respond to cyber hostilities short of war cannot entirely be left to military or intelligence authorities and experts. While the exact capabilities and tasks of intelligence and military cyber units are much likely to remain secret and classified, the increased acknowledgement of their existence needs to be supplemented with a targeted effort to increase transparency as well as public and political debate about their role in defence and foreign policy.

Acknowledgements

This paper has been presented at the 2020 Hague Program for Cyber Norms Conference, 2020 Closing the Gap conference organised by the EU Cyber Direct and the Center for Advanced Security Theory research seminar at the University of Copenhagen. I would like to thank Jeppe Teglskov Jacobsen, Linda Monsees, Andrew Dwyer, Lilly P. Muller, Clare Stevens, Joe Burton and Aude Géry for their comments on previous drafts of this paper.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

The author received funding from the Independent Research Fund Denmark to conduct this research. Danish Council for Independent Research [International Postdoc Grant/0166-00041B]; Samfund og Erhverv, Det Frie Forskningsråd [0166-41000B].

Notes

1 According to Jason Healey (2019), the vision statement is “perhaps the single most important articulation of cyber policy in two decades”. Similarly, Robert Chesney and Max W. Smeets (2020, p. 6) describes the U.S strategic shift as the biggest since the 1990s.

2 In general, both the policy and the academic development of cyber security have been strongly tied to the US (Warner 2012, Healey 2013, Cavelty and Egloff 2019).

3 Many European countries are ramping up on cyber forces, establishing cyber commands and releasing military cyber doctrines, including, but not limited to, Germany, Poland, Estonia, France, the UK, The Netherlands, Italy and Denmark. (Smeets 2019, Klimburg 2020).

4 The few exceptions to the US-focused studies exist primarily in blog format, as think-tank reports and in national outlets. See, e.g. Joe Devanny and Tim Stevens (2021), Devanny, Joe and Dwyer, Andrew and Ertan, Amy and Stevens, Tim (2021) and J.C. Klinkenberg and J.B. Dieker (2021).

5 However, they do not discard that cyber means can be enablers of war.

6 See, e.g. the policy roundtable on cyber conflict as intelligence contest in Texas National Security Review (2002).

7 Rewriting of Rita Abrahamsen (2017).

8 The sources were chosen based on their relevance (e.g. key strategies), scope (e.g. blogposts on the French military cyber doctrine), and availability (e.g. English, French, Norwegian and Dutch language online sources).

9 The conversations with national representatives (MoD personal (in all three countries), intelligence personnel/cyber operations officers (in the Netherlands only) and researchers from the three countries took place in the Fall of 2019. Furthermore, several background conversations with researchers and policy professionals were conducted in 2019–2020. The data were collected with a promise of anonymity. By the request of the interviewees, the article does not include names, ranks or direct quotes.

10 In addition, official documents from the National Coordinator for Security and Counterterrorism – such as the 2018 Cyber Security Agenda and the 2020 Cyber Security Assessment for the Netherlands – bundles cyber risks from crime, espionage, sabotage and disinformation and relate them to national security.

11 Which is also evident in the 2019 annual report from the Military Security and Intelligence Service (The Dutch Military Security and Intelligence Service 2020). In its introduction, it recognises grey-zone conflict and competition, including digital threats, as a major concern.

12 MIVD and DCC operate under different political and legal mandates. The DCC, located under the commander-in-chief of the Dutch Armed Forces since 2018, became operational by the end of 2015 (Ducheine and Pijpers 2020).

13 See Ducheine et al. (2020) for further elaboration on legal mandate and political decision making when it comes to the deployment of military cyber operations in the Netherlands.

14 The Dutch intelligence services is known for having disrupted the Russian hacker-groups Cozy Bear and Fance Bear (Hogeveen 2018) as well as the Russian military intelligence service Gru (Crerar et al. 2018). Some of this work is undertaken in collaboration with the civilian General Intelligence and Security Service (AIVD) in the Joint SIGINT Cyber Unit (JSCU).

15 The MIVD is mandated by the Intelligence and Security Services Act (Wet op de Inlichtingen en Veiligheidsdiensten, WIV). It allows the MIVD to conduct intelligence operations in foreign system and networks.

16 As stressed by Delerue et al. (2019), “before the creation of the commander of cyber defense, the ‘officier général cyberdéfense’ was involved in military operations – reflecting that France already had an operational vision of cyber space – but with fewer prerogatives”.

17 For an overview of previous French cyber security and defence efforts see Darwish and Romaniuk (2020).

18 The Military planning law of 2013 authorises ANSSI to conduct, under certain conditions, disruptive cyber operations. Thanks to Aude Géry for pointing this out.

19 There are cases where the DGSE can assist ANSSI and COMCYBER (Secrétariat général de la défense et de la sécurité nationale 2018, p. 47 and 51).

20 The author's translation.

21 For an overview of technology competition and implications for Europe see Breitenbauch and Liebetrau (2021).

22 See, e.g. the work of Colin Gray (1999) for on strategic culture for how viewpoints and traditions within armed forces impact strategic orientation.

23 NATO has declared cyberspace to be a military domain and continue to develop its integration of member state cyber effects into NATO operations. However, as pointed out by Jacobsen (2021, p. 719), “a more active NATO in the current strategic environment increases the risk that the existing intelligence norm will be undermined and replaced by a more militarized norm”. Moreover, as stressed by Smeets (2020), the US ambition of persistent engagement and defend forward might create division internally among NATO members.

24 EU has put in place a broad range of regulatory and policy instruments relating to cyber security. Among these are its sanctions tool the “cyber diplomacy toolbox” and an “EU Toolbox for 5G security”. In December 2020, a new EU cybersecurity strategy suggested the creation of a European Cyber Shield.

25 This includes e.g. the five eyes, nine eyes and thirteen eyes intelligence cooperation.

26 The NATO leaders agreed on this at the 2021 Brussels Summit.