Organizing cyber capability across military and intelligence entities: collaboration, separation, or centralization

Pages 131-145 | Received 07 May 2022, Accepted 14 Sep 2022, Published online: 29 Sep 2022

Abstract

This paper explores how the Netherlands, France, and Norway organize their cyber capabilities at the intersection of intelligence services and military entities and provides recommendations for policy and research development in the field. Drawing out key organizational differences and ambiguities, the analysis identifies three models of organizing military and intelligence relations: A Dutch collaboration model, a French separation model, and a Norwegian centralization model. Despite their divergence in organizing cyber capabilities, the three countries converge on the assumption that both responding to cyber conflict short of war and developing military cyber power are dependent on the skills, information, and infrastructure of intelligence services. This calls for cooperation and coordination across military and intelligence entities. However, it remains unclear whether decision makers have systematically assessed the implications of the organizational structure for the ways in which the two dimensions relate to and shape one another at strategic, tactical, and operational levels. The paper concludes that there is a need for increased political attention and a deliberate approach to how the organizational model allows for the operational cyber capacity to travel from, translate into, and shape intelligence and military entities and to which political implications at both national and international levels.

Recent cyber incidents such as the SolarWinds, the Microsoft Exchange, and the Colonial Pipeline hacks demonstrate how malicious cyber operations continue to question the demarcation lines between war and peace, military and civilian, and internal and external security. Existing scholarship has documented how European countries (Liebetrau 2022) and NATO (Jacobsen 2021) struggle to address such cyber aggressions below the threshold of war. This article advances this debate by undertaking a comparative analysis of how the Netherlands, France, and Norway organize their cyber capabilities at the intersection of intelligence services and military entities. The paper thereby sheds light on a pressing cybersecurity policy and governance issue that has received scarce political and academic attention. It offers scrutiny of the challenges and opportunities faced by European countries when organizing their cyber capabilities and provides recommendations for policy development in the field.

Burton and Christou (2021, 1727) observe how more and more international actors develop and use “offensive cyber tools for a broad range of strategic purposes, including espionage, subversion, coercion, war-fighting and hybrid warfare campaigns”. Accordingly, cybersecurity research is increasingly guided by the “empirical reality of persistent cyber operations across the conflict spectrum” (Cavelty and Wenger 2020, 16). Yet, the scholarly and political debate about the organization of cyber capabilities “has been dominated by U.S. voices and U.S. issues” (Devanny and Stevens 2021). The academic literature has paid scarce attention to how European countries organize cyber capabilities at the intersection of military cyber commands and intelligence services. It is, however, crucial to examine and assess the organization of cyber capabilities if we are to better understand the practical, political, and democratic implications of engaging with the current challenges that persistent cyber operations short of war as well as military cyber operations in armed conflict amount to.

This paper relies primarily on written public sources, such as official government statements and publications, media reports, and academic literature. These documents are supported by interviews with military personnel, civil servants, and scholars in the three countries. The article demonstrates how military-intelligence relations vary across the countries and identifies three organizing models: a Dutch collaboration model, a French separation model, and a Norwegian centralization model. It also shows that the three countries seem to converge on the fact that both the countering of cyber conflict short of war and the development of military cyber capabilities are dependent on the skills, information, and infrastructure of intelligence services. However, it is unclear whether decision makers have systematically assessed how the organizational model allows for the operational capacity to travel from, translate into, and shape intelligence and military entities and to which strategic and governance implications. This creates risks that operational capability and activity may be mismatched with broader strategic or governance goals, that the military and intelligence entities operate with different purposes and goals, that political decision-making is hampered, and that democratic oversight is hindered.

Given the secrecy and confidentiality that shroud the topic and the lack of existing studies, the conclusions of this piece are to be considered tentative. Drawing out these three models of organizing cyber capabilities and their dominant characteristics should be considered a starting point for further explorations and discussions of how European countries can and ought to organize their cyber capabilities across intelligence and military entities. The observed divergence in organizing cyber capabilities is likely to be explained by multiple factors, including strategic posture, military culture, economic and human resources, and political will and attention. While future research could examine these and other explanatory factors, it is paramount that researchers and policy makers devote greater attention to the organizing of cyber capabilities, including the operational and strategic implications of the organizational divergence across NATO and EU members. This applies to coping with the challenges of persistent cyber conflict short of war as well as the application of cyber operations in armed conflict.

The paper proceeds by locating the study in relation to relevant debates in cybersecurity scholarship. It then examines the organization of cyber capabilities across military and intelligence entities in the Netherlands, France, and Norway. The final section concludes and offers recommendations for future academic and policy debate and design.

Organizing cyber capability between military and intelligence

While much of the US-driven academic debate has focused on if and how cyber operations reach the threshold of war, this paper focuses on the organizing of offensive capabilities between military and intelligence in Europe. In doing so, it speaks to four strands of cybersecurity literature touching upon military and intelligence entities. First, scholars have pointed out that the central (state) actors conducting cyber operations are intelligence agencies, and deceptive cyber operations, therefore, form part of an intelligence contest (Gartzke and Lindsay 2015; Rovner 2020). A related, yet alternative, argument is brought forward by supporters of cyber persistence theory. They suggest that “strategy must be unshackled from the presumption that it deals only with the realm of coercion, militarised crisis, and war in cyberspace” (Harknett and Smeets 2022, 2). They argue that “strategic outcomes in, through and from cyberspace are possible short of war” (Michael and Harknett 2020, 1).

Second, scholars have shown that boundary drawing between intelligence and military cyber operations is extremely challenging for at least three reasons. First, cyber operations are often custom-made combinations of intelligence, intrusion, and attack (Smeets 2018). It is seldom distinct where one stage ends, and another begins. Second, there is much ambiguity related to attribution, intention, and effect of cyber operations (Buchanan 2016). This includes political and legal questions of when exactly an offensive cyber operation can be regarded as a use of force. Third, we have witnessed an expansion of intelligence activities beyond traditional espionage, with tasks and responsibilities ranging from protecting government networks to executing offensive cyber operations abroad (Gioe, Goodman, and Stevens 2020).

Third, a literature on cybersecurity governance has examined how different models of public–private partnerships shape cyber crisis management (Boeke 2018a), how states navigate between functional and national security imperatives to design governance arrangements (Weiss and Jankauskas 2019), what governance requirements transboundary cyber crises entail (Backman 2021), and how a Central Cyber Authority (CCA) can help structure national cyber defense (Matania, Yoffe, and Goldstein 2017). This strand of literature is focused on cyber defense arrangements and does not speak directly to the organizing of offensive cyber capabilities across military and intelligence entities.

Fourth, in the US context, we have seen continuous debate about the dual-hat arrangement concerning the NSA and the US Cyber Command (Chesney 2020; Demchak 2021), and Lindsay (2021) has recently examined and criticized the organization of the US Cyber Command. Cybersecurity scholarship has also investigated the organization of both military cyber entities (Pernik 2020, Smeets 2019) and offensive cyber capabilities (Smeets 2018). This scholarship is, however, guided by crafting conceptual frameworks (Smeets 2018, 2019) or mapping the development of cyber commands (Pernik 2020). Systematic attention has been less devoted to comparative empirical studies of the specific organization of cyber capabilities across military and intelligence agencies in European countries. This article provides a first step in closing that gap by offering a dedicated perspective on the organization of offensive cyber capabilities across three European countries.

This article refers to offensive cyber capabilities as custom-made combinations of human and non-human elements that allow cyber operations to achieve impact across the spectrum of intelligence and attack. The development and deployment of these cyber capabilities weave together strategic guidance, legal mandate, doctrinal procedures, human skills, technological capacity, and organizational arrangement (see also Slayton 2017, Smeets 2022). This broad perception of offensive capabilities is deliberately chosen to allow for the empirics to speak rather than an overly restrictive pregiven conceptualization. Following the same line of thinking, this article offers a comparative exploratory qualitative analysis (Yin 2014) of how the development and deployment of cyber capabilities are structured across military cyber commands and foreign intelligence services in the Netherlands, France, and Norway. The exploratory nature of the study ensures an empirical sensitivity in line with understanding cybersecurity as a situated and contextual object of study, rather than being predetermined by the existing theories and categories (Liebetrau and Christensen 2021).

The selection of the three countries rests on a combination of pragmatic reasoning in terms of minimizing the language barrier and achieving access to interviewees, and the fact that the countries represent a large-, a medium-, and a small-sized European country with ambitious cybersecurity policies and long-term publicly declared ambitions of developing offensive cyber capabilities. As paradigmatic cases they were not chosen because of e.g. extremity, deviancy, or similarity, but because they highlight more general characteristics of the organization of cyber capabilities in Europe (Flyvbjerg 2006). Characteristics that are not meant to be fully comparable or generalizable, but rather to be discussed, explored, and questioned in future empirically driven research on the development and deployment of cyber capabilities in Europe. Consequently, the paper neither provides an exhaustive conceptualization of the organization of cyber capabilities, nor a set of fully fledged policy prescriptions of the requirements for intelligence services or military cyber commands to conduct specific cyber operations. Instead, it aims for the empirical analysis to provoke and open up academic and policy discussions on the practical, political, and democratic implications of the organizational aspect of developing and deploying cyber capabilities, while keeping in mind its entanglements.

The Netherlands: organizational collaboration

In the past decade, the defense cybersecurity strategies of the Netherlands have displayed the nation’s ambition to develop offensive cyber capabilities (Bunk and Smeets 2021; Claver 2018). In 2014, the Netherlands established a Defence Cyber Command (DCC), with the aim to strengthen the country’s defense and offense in the cyber domain. The DCC, located under the commander-in-chief of the Dutch Armed Forces since 2018, became operational by the end of 2015 (Ducheine, Arnold, and Peter 2020). The DCC concentrates on establishing and deploying defensive, intelligence, and offensive cyber capabilities. In this context, the DCC

sees offensive cyber capabilities as digital resources the purpose of which is to influence or pre-empt the actions of an opponent by infiltrating computers, computer networks and weapons and sensor systems so as to influence information and systems. The Netherlands Defence organisation deploys offensive digital resources exclusively against military targets

The mission of the DCC is to carry out offensive cyber operations in the context of armed conflict and war and act as a potential deterrent measure in time of peace (Ministry of Defense 2015, 2018). The DCC does not have a mandate to play an active role in disrupting continuous adversarial cyber behavior short of war. The operational capability of the DCC is, however, hampered by its limited mandate that restricts the DCC’s possibility to gather intelligence and conduct reconnaissance when not in war. This not only makes it difficult to select and impact targets, but it also makes it hard to attract and maintain the necessary human skills (Smeets 2021). According to interviewees, the DCC lacks the necessary human expertise and technical infrastructure to carry out offensive cyber activities on its own. Hence, the DCC is primarily able to act as “coordinator and operational hub” when it comes to the deployment of Dutch offensive cyber operations in armed conflict (Claver 2018, 169). At the time of writing, there is no public information that the DCC has conducted offensive cyber operations.

On the contrary, the Military Security and Intelligence Service (MIVD) has demonstrated significant operational cyber capacity in several cases. Some of its work is undertaken in collaboration with the General Intelligence and Security Service (AIVD) in the Joint SIGINT Cyber Unit (JSCU). As a collaboration between the MIVD and the AIVD, the JSCU forms a cornerstone of Dutch cybersecurity. The primary tasks of the unit are the collection of signal intelligence and the delivery of intelligence through cyber operations. The MIVD and JSCU are therefore crucial partners for the DCC. It is not publicly disclosed how the human and technical infrastructure resources are pooled in the event of a cyber-attack on the Netherlands amounting to armed conflict.

The collaboration between the DCC and MIVD/JSCU raises strategic and legal issues as the MIVD and JSCU operate under different political and legal mandates. As part of the intelligence community, the MIVD is placed under the Secretary-General of the Ministry of Defense. In addition, the MIVD does not conduct military operations. Instead, its operations are based on specific intelligence services legislation. The legal framework does allow MIVD to conduct counter-operations. As stressed by Claver (2018, 168), “all three organizations are very different in procedures, operating style, tasks, and outlook”. According to Sergei Boeke (2018, 28), it hampers the effectiveness and execution of Dutch cyber power that intelligence and military operations operate on different mandates, cultures, and methods of working. Moreover, it spurs the risk that the operational capability and activity of intelligence and military entities are mismatched with the broader strategic or governance goals.

The Netherlands presented a military cyber doctrine in 2019. The doctrine calls for increased coordination and collaboration between the Cyber Command and the intelligence services. It stresses that the difference between the conduct of cyber operations in war and for espionage relates to the purpose and the desired effect and underlines that those cyber capabilities are complementary and non-competing (Defence Cyber Command 2019, 14–15). Along the same line, the Ministry of Defense emphasizes, in its ‘Defence Vision 2035: Fighting for a safer future’, the need for organizational decompartmentalization when countering hybrid threats in the information environment (Ministry of Defense 2020, 17) and promises to devote attention to the hybrid strategic competition between war and peace (Ministry of Defense 2020, 23). However, the documents elaborate neither on the organizational collaboration between the Cyber Command and the intelligence services nor on how cyber operations are meant to complement each other at the strategic, tactical, or operational levels.

The analysis of the Dutch organization of cyber capabilities shows organizational separation between the DCC – which can deploy cyber capabilities in the event of armed conflict and war – and the intelligence services that can deploy cyber capabilities for intelligence and active defense purposes. While the Dutch model strongly notes the need for collaboration between the DCC and the intelligence services, it remains ambiguous how they complement each other in practice and how organizational collaboration is supposed to fulfill goals of increased effectiveness, synergy, and flexibility. This raises concern that the operational cyber capability of the Netherlands is hampered by the current organizational structure and legal mandate.

France: organizational separation

A key pillar in the organization of French cyber capabilities is a governance model that separates offensive missions and capabilities from defensive missions and capabilities (Desforges 2022; Liebetrau 2022). This was recently recalled, and contrasted with the Anglo-Saxon model, in the landmark 2018 Cyber Defense Strategic Review, drawn up under the authority of the General Secretariat for Defense and National Security (SGDSN). As part of this clarification, the strategic review formalizes four operational cyber chains and consolidates their governance. These are protection, military action, intelligence, and judicial investigation (Secrétariat général de la défense et de la sécurité nationale 2018, 5–6). In the following, the first three of these are deployed as starting points for examining the organization of French cyber capabilities.

The cornerstone of French cyber defense is the National Cybersecurity Agency (ANSSI). It is placed under the SGDSN and is responsible for the protection chain. The responsibilities of the agency include coordinating the national cyber defense strategy, protecting state information networks, regulating critical infrastructure and the private sector, certifying products, and hosting the national Computer Emergency Response Team. The ANSSI is organizationally separated from the intelligence and military branch of French cybersecurity.

It has been more than a decade since France made cyberwar a national security priority and mandated the development of defensive and offensive cyber capabilities (Commission du Livre blanc sur la défense et la sécurité nationale 2008). The depiction of cyberspace as a warfighting domain contributed to developing the role of the French Ministry of the Armed Forces in cybersecurity matters. With the 2013 military programming law, the French defense saw the establishment of the first real operational cyber defense chain (Géry 2020). In 2017 it became the cyber defense command (COMCYBER) and was placed directly under the chief of staff of the armed forces. The COMCYBER is responsible for the military action chain. This includes protecting the information systems of the defense and developing, coordinating, and deploying military cyber operations.

The deployment of cyber capabilities has a long history with the French foreign intelligence service, the General Directorate for External Security (DGSE) (Guédard 2020). The DGSE is the largest French intelligence service in terms of workforce. In recent years, the DGSE has become more open about its work, but it remains a very secretive service (Chopin 2017, 546). The intelligence chain of the strategic review stresses the possibility for the implementation of offensive cyber capabilities (Secrétariat général de la défense et de la sécurité nationale 2018, 5–6). DGSE is the most important service in this regard. Yet, the review does not elaborate on when, how, or in collaboration with whom. According to Stéphane Taillat (2019), a significant part of offensive cyber operations is the responsibility of the DGSE and lies outside of the French military cyber strategy.

The organizational separation contains multiple ambiguities. First, the ANSSI can respond to a computer attack affecting the national security of France by carrying out the technical operations necessary to characterize the attack and neutralize its effects by accessing the information systems that are at the origin of the attack (Géry 2020). Depending on how this is done and interpreted, it can qualify as an offensive cyber operation.

Second, the SGDSN has declared that ANSSI will “continue to develop operational synergies with its national institutional partners”. The agency will therefore establish a branch in Rennes with the goal of “bringing it closer to the major institutional players associated with the Ministry of Defense, starting with COMCYBER” (Secrétariat général de la défense et de la sécurité nationale 2019, 29). This is in line with the strategic review’s recommendation (that has been picked up) to establish three coordinating bodies for cyber defense: le Comité directeur de la cyberdéfense, le Comité de pilotage de la cyberdéfense, le Centre de coordination (C4) (Secrétariat général de la défense et de la sécurité nationale 2018, 137). Asked by the newspaper Libération about the prospect for future operational cooperation, the head of ANSSI, Guillaume Poupard, has said that “by 2025, I think we will have the obligation to have common platforms [bringing together defenders and attackers] to react effectively to the worst threats” (Amaelle 2020). While the collaboration between ANSSI, COMCYBER, and the French intelligence services is hence likely to increase, neither the desired outcome of the collaboration nor its strategic and practical dimensions are explicated.

Third, zooming in on the relationship between the COMCYBER and the intelligence services, it has been stressed that the intelligence services provide essential support to military operations by offering both technical and operational elements necessary to acquire knowledge of the adversary and operational environment (Florant 2021, 19). The French Military Cyber Strategy – that so far consists of three separate documents: the Ministerial Policy for Defensive Cyber Warfare, the Public Elements for the Military Cyber Warfare Doctrine, and the Public Elements for Cyber Influence Warfare Doctrine (Ministère des Armées 2019a, 2019b, 2021) – does, however, not elaborate on the collaboration between the COMCYBER and the intelligence services. Taillat (2019) finds the ambiguity to be “partly deliberate”, but stresses how it “brings to light the resulting loopholes when attempting to draw organizational boundaries in a new context of operations”.

Another potential military-intelligence loophole concerns the design and development of cyber capabilities. The COMCYBER relies on the Information Management Division of the Directorate General of Armament (DGA-MI) for the development and design of cyber capabilities (Ministère des Armées 2019b, 11). This collaboration is mentioned in research (Guédard 2020, Florant 2021) and journalism (Amaelle 2020) reviewing the development of French cyber capabilities. Despite the military operations’ need for technical and operational support from intelligence services, it is unclear what – if any – role the intelligence services play in this area.

While the principle of separation is strong on paper, the French organization of cyber capabilities is more complex. Arguably, the strict French division between defensive and offensive measures is being challenged by increased coordination and collaboration across defense, intelligence, and military institutions. This development finds support in the ‘Strategic Vision of the Chief of Defense Staff’ from October 2021. It states that the post-cold war peace-crisis-war continuum no longer applies. It has been replaced by the competition-dispute-confrontation triptych (Burkhard 2021, 8). In this new normal, the French Armed Forces must “win the war before the war” (Burkhard 2021, 13). Yet, there is very little public information on how the collaboration plays out between the ANSSI, COMCYBER, and the intelligence services. Consequently, also in the French case, it is ambiguous how the entities complement each other in practice, and how the desired organizational collaboration will achieve impact.

Norway: organizational centralization

The organization of Norwegian cyber capabilities rests on a centralized model. It distinguishes itself by not having a dedicated cyber command. Instead, the Norwegian military and civilian foreign intelligence service (E-tjenesten) is responsible for intelligence operations, offensive cyber operations, and for coordinating between offensive and defensive cyber operations. The 2018 intelligence law says that the service has “the national responsibility for planning and carrying out offensive cyber operations, including cyber attacks (Computer Network Attack), as well as coordinating between offensive and defensive cyber measures in the armed forces” (Forsvarsdepartementet 2018, 12).

The Norwegian Ministry of Defense (Forsvarsdepartementet 2019a, 19) describes it in the following way:

The responsibility for network intelligence operations and offensive cyberoperations are with the Intelligence Service. In military operations the Intelligence Service coordinates the activity with the Armed Forces’ operational headquarters (FOH). The Cyber Defense is responsible for conducting defensive cyber operations, and the Intelligence Service coordinates between offensive and defensive cyber operations.

The Ministry of Defense (ibid.) stresses that it will “further develop the Intelligence Service’s ability to counter threats before incidents occur” and emphasizes “that cooperation and coordination between the above-mentioned actors in military cyber operations [the intelligence service and the FOH] will be strengthened, based on a military cyber operations center in the Intelligence Service”. However, the Ministry does not elaborate on how the coordination between the intelligence service and the operational headquarters plays out or what it exactly entails.

The Norwegian long-term defense plan for 2021–2024 notes that access to up-to-date and relevant information about threats and threat actors is absolutely central to being able to handle threats in the digital space (Forsvarsdepartementet 2020, 76). This underlines the importance of intelligence. The plan stresses that “the ability of the e-service [foreign intelligence service] in peace, crisis and in armed conflict to follow, attribute, warn and actively counter digital threats also before events occur, shall be further developed. The capability and competence in offensive cyber operations is to be further developed” (Forsvarsdepartementet 2020, 118). It is hence clear that the competence to deploy cyber capabilities for both intelligence and military ends lies solely with the foreign intelligence service.

But why this Norwegian particularity? Why does Norway not have a standalone cyber command? One part of the answer can be traced to the 2014 internal guideline for information security and the conduct of cyber operations in the defense (Forsvarsdepartementet 2014). Following the 2012 long-term plan for the Norwegian Armed Forces, the guideline notes that the Norwegian armed forces must have the capacity for offensive cyber operations (Forsvarsdepartementet 2014, 13). It describes both intelligence and military cyber operations as offensive actions, notes that they are usually carried out in the network of the opponent, and stresses that their execution falls under the responsibility of the chief of the intelligence service (Forsvarsdepartementet 2014, 6 and 17). Norway has kept with this model in order to foster synergies and reduce the costs of developing and deploying cyber capabilities.

In 2018, the Norwegian Ministry of Defense (Forsvarsdepartementet 2018, 8) explained, in an investment plan accepted by the government, that

it is, according to the Ministry of Defense, neither necessary nor desirable to create a cyber command outside the Intelligence Service. This would, inter alia, lead to the creation of a duplication of capabilities, resulting in an unclear distinction between offensive cyber operations inside and outside military operations. A cyber command function outside the Intelligence Service will, for Norway, be an unfortunate and costly solution.

An additional argument for the centralized model was given by the Ministry of Defense in written communication with the author. The Ministry states that “the ability to carry out offensive cyber operations depends on a very good understanding of the target. It is achieved through communication intelligence and interaction with several other intelligence capabilities…” (Forsvarsdepartementet 2019b). Yet, the Ministry elaborates neither on the relationship between intelligence and military operations nor on what the internal organizational diagram looks like.

However, under the Joint Cyber Coordination Center (FCKS), the intelligence service collaborates and coordinates with the National Security Authority (NSM), the Police Security Service (PST), and the National Criminal Investigation Service (Kripos) when it comes to countering and dealing with severe cyber operations (Forsvarsdepartementet 2020, 76–77). Yet, as emphasized by the Norwegian Foreign Policy Institute (NUPI), “…given the high degree of secrecy around these issues, we do not know the division of labor between PST [Police Security Service], NSM [National Security Authority] and the Intelligence Service here, but it can be demanding to maintain concrete and formal distinctions between acquisition, impact operations, and security measures in the digital space”.

The Norwegian organization of cyber capabilities is founded on a centralized model that dissolves the organizational distinction between military and intelligence entities. This seems to overcome some of the challenges to organizational collaboration pointed out above, but the extent to which this is the case is hard to say, as it is unclear how intelligence and military operations complement each other in practice. There is hence a risk that many of the challenges to collaboration are internalized.

Conclusion: future paths for policy and research

This article has demonstrated significant divergence in organizing cyber capabilities across military and intelligence in the Netherlands, France, and Norway. Drawing out key organizational differences and ambiguities, the analysis identified three models of organizing military and intelligence relations: a Dutch collaboration model, a French separation model, and a Norwegian centralization model. Despite the divergence in organizing cyber capabilities, the three countries converge on the assumption that both responding to cyber conflict short of war and developing military cyber power are dependent on the skills, information, and infrastructure of intelligence services. This calls for cooperation and coordination across military and intelligence entities. It is, however, unclear whether decision-makers have systematically assessed the implications of the organizational structure for the ways in which the two dimensions relate to and shape one another at strategic, tactical, and operational levels. There is hence a need for increased attention and a focused approach to how the country-specific organizational model allows for operational capacity to travel from, translate into, and shape intelligence and military entities, and with what implications. These elements hold the promise to decrease the risks that operational capability and activity are mismatched with broader strategic or governance goals, that the military and intelligence entities operate with different purposes and goals, and that political decision-making is hampered and democratic oversight is disadvantaged.

The observed divergence in organizing cyber capabilities raises several questions for policy makers, practitioners, and scholars to consider. First, there is a need for political and public debate about the organization of cyber capabilities across military and intelligence entities and its relation to combating cyber hostilities short of war. Increased focus on the organizational aspects can help states to clarify and communicate their priorities and decisions when it comes to answering the questions of how, when, and who engages in cyber conflict short of war. This should be done with great sensitivity to tangential elements of developing and deploying cyber capabilities – such as strategic guidance, legal mandate, doctrinal procedures, human skills, technological capacity – as well as the specificity of national contexts. Nurturing such debate is crucial to achieving the best decisions about how to organize and develop cyber capabilities, how to use them, and how to secure transparency and accountability.

Second, neither consistency in organizational collaboration, separation, nor centralization will automatically translate into efficient operational cyber capabilities to be deployed in intelligence contest, strategic competition, or military confrontation. Organizing cyber capabilities across military and intelligence entities is only one of many related components in long-term defense planning. Decision makers should thus give thought to how the organizing impacts the broader strategic, tactical, and operational prioritization between intelligence and military objectives. When is maneuvering in cyberspace for intelligence purposes vis-a-vis military cyberspace operations mutually exclusive, reinforcing, and supporting? What are the limitations, opportunities, and tensions? How to make sure that increased collaboration and sharing of (human, technical, and economic) resources across military and intelligence entities create the desired effectiveness, synergy, and flexibility? How to make sure that priorities and decisions share the same goals?

Third, it is paramount to strengthen the awareness of how organizational divergences might hamper collaboration at the level of intelligence sharing, EU cybersecurity governance, and NATO cyber operations. This is not least important in the context of a new EU Strategic Compass that aims at expanding the union’s “capacity to tackle cyber threats, disinformation and foreign interference” (European Union External Action Service 2022, 7), and a new Strategic Concept for NATO stating that “cyberspace is contested at all times. Malign actors seek to degrade our critical infrastructure, interfere with our government services, extract intelligence, steal intellectual property and impede our military activities” (NATO 2022 Strategic Concept, 5). While there seems to be agreement on the cyber threat landscape, the model of future engagement and collaboration between NATO and the EU is in need of additional clarification.

Fourth, the findings shed additional light on our understanding of how the blurring of boundaries between war and peace, military and civilian, and internal and external security, identified in security studies in the past decades, looks in the cyber domain (Christensen and Liebetrau 2019). While we have seen a proliferation of military cyber commands among NATO members in the past decade (Pernik 2020; Smeets 2019), the military involvement in cyber affairs is often justified with reference to the permanence of cyberwar on the political side. This has arguably led to ‘overly militarized approaches to cyber security’ (Burton and Christou 2021, 1732). Giving more thought to the organizing of offensive cyber capabilities – and its entanglements – would equip scholars and decision makers to better engage the discussion of when and whether a warfare, competition, or intelligence framework is the most suitable for cyberspace.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1 A Russian-led supply chain attack compromising the widely used SolarWinds software. It provided the Russian intelligence service with the ability to infect SolarWinds users. The attack meant ‘that Russian intelligence had potential access to as many as 18,000 SolarWinds customers. They ultimately broke into fewer than 100 choice networks—including those of Fortune 500 companies like Microsoft and the US Justice Department, State Department, and NASA’ (Newman 2021). According to Microsoft President Brad Smith, it was ‘the largest and most sophisticated attack the world has ever seen’ (Villarreal 2021).

2 A Chinese-led hacking spree exploiting vulnerabilities in Microsoft’s Exchange Server to gain access to more than 30,000 victims in the US alone (Conger and Frenkel 2021).

3 A ransomware attack allegedly carried out by Russian criminals. The attack made Colonial Pipeline – a company controlling almost half of the gasoline, jet fuel and diesel flowing along the East Coast of the US – turn off the spigot (David and Perlroth 2021).

4 I recognize the scholarly literature on international law and the use of cyber force, but it falls outside the scope of this article to deal with it at length (see e.g. Delerue (2020); Haataja (2019); Roscini (2014) and Schmitt (2017)).

5 See the website of the Dutch Ministry of Defence: https://english.defensie.nl/topics/cyber-security/cyber-command

6 ‘The Dutch intelligence services is known for having disrupted the Russian hacker groups Cozy Bear and Fancy Bear (Hogeveen 2018) as well as the Russian military intelligence service GRU (Crerar, Henley, and Wintour 2018). Some of this work is undertaken in collaboration with the civilian General Intelligence and Security Service (AIVD) in the Joint SIGINT Cyber Unit (JSCU).’ (Liebetrau 2022, 16).

7 The Joint Sigint and Cyber Unit (JSCU). JSCU is a collaboration between the two Dutch intelligence and security services – the MIVD and the General Intelligence and Security Service (AIVD). The JSCU forms the cornerstone of the Dutch defense against advanced state-sponsored cyberattacks (advanced persistent threats) targeting ministries, infrastructure providers, and companies. The primary tasks of the unit are the collection of signal intelligence and the delivery of intelligence through cyber operations.

8 The highest-ranking civil servant in the Dutch Ministry of Defence. For the JSCU it is shared with the corresponding official of the Ministry of Justice and Security.

9 These operations are based on the 2017 Intelligence and Security Services Act and are not conducted as military operations.

10 Except for the French Ministry of Defense.

11 The French defence procurement and technology agency (DGA) is responsible for project management, development, and purchase of weapon systems for the French military.

References

  • Backman, Sara. 2021. “Conceptualizing Cyber Crises.” Journal of Contingencies and Crisis Management 29 (4): 429–438. doi:10.1111/1468-5973.12347.
  • Boeke, Sergei. 2018a. “National Cyber Crisis Management: Different European Approaches.” Governance 31 (3): 449–464. doi:10.1111/gove.12309.
  • Boeke, Sergei. 2018b. “Hackers, Wiz Kids, en Offensieve Cyberoperaties.” Atlantisch Perspectief 42 (5): 27–30.
  • Buchanan, Ben. 2016. The Cybersecurity Dilemma: Hacking, Trust, and Fear between Nations. New York: Oxford University Press.
  • Bunk, Joost, and Max Smeets. 2021. “Dutch Cyber Security Strategy.” In Routledge Companion to Global Cyber-Security Strategy, edited by Scott N. Romaniuk and Mary Manjikian, 132–142. London: Routledge.
  • Burton, Joe, and George Christou. 2021. “Bridging the Gap between Cyberwar and Cyberpeace.” International Affairs 97 (6): 1727–1747. doi:10.1093/ia/iiab172.
  • Burkhard, Thierry. 2021. Strategic Vision of the Chief of Defense Staff.
  • Cavelty, D. Myriam Dunn, and Andreas Wenger. 2020. “Cyber Security Meets Security Politics: Complex Technology, Fragmented Politics, and Networked Science.” Contemporary Security Policy 41 (1): 5–32. doi:10.1080/13523260.2019.1678855.
  • Chesney, Robert. 2020. “Ending the “Dual-Hat” Arrangement for NSA and Cyber Command?” Lawfare, December 20.
  • Chopin, Olivier. 2017. “Intelligence Reform and the Transformation of the State: The End of a French Exception.” Journal of Strategic Studies 40 (4): 532–553. doi:10.1080/01402390.2017.1326100.
  • Christensen, K. Kristoffer, and Tobias Liebetrau. 2019. “A New Role for ‘the Public’? Exploring Cyber Security Controversies in the Case of WannaCry.” Intelligence and National Security 34 (3): 395–408. doi:10.1080/02684527.2019.1553704.
  • Claver, Alexander. 2018. “Governance of Cyber Warfare in The Netherlands: An Exploratory Investigation.” The International Journal of Intelligence, Security, and Public Affairs 20 (2): 155–180. doi:10.1080/23800992.2018.1484235.
  • Commission du Livre blanc sur la défense et la sécurité nationale 2008. Livre Blanc sur la Défense et Sécurité nationale 2008.
  • Conger, Kate, and Sheera Frenkel. 2021. “Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China.” New York Times, March 6 and August 26.
  • Crerar, Pippa, Jon Henley, and Patrick Wintour. 2018. “Russia Accused of Cyber-Attack on Chemical Weapons Watchdog.” The Guardian, October 4.
  • Defence Cyber Command 2019. The Netherlands Armed Forces Doctrine for Military Cyberspace Operations.
  • Delerue, F. 2020. Cyber Operations and International Law. Cambridge: Cambridge University Press.
  • Demchak, C. Chris. 2021. “Five Reasons Not to Split Cyber Command from the NSA Any Time Soon – If Ever.” War on the Rocks, March 5.
  • Desforges, Alix. 2022. “Separation of Offensive and Defensive Functions: The Originality of the French Cyberdefense Model Called into Question?” In Conflicts, Crimes and Regulations in Cyberspace. Volume 2, edited by Sébastien-Yves Laurent, 63–88. London and Hoboken: ISTE and Wiley.
  • Devanny, Joe, and Tim Stevens. 2021. “What Will Britain’s New Cyber Force Actually do?” War on the Rocks, May 26.
  • Ducheine, P. A. L., K. L. Arnold, and Pijpers Peter. 2020. “Decision-Making and Parliamentary Control for International Military Cyber Operations by The Netherlands Armed Forces.” In Amsterdam Law School Research Paper No. 2020-07, 1–22. Amsterdam: Amsterdam Center for International Law.
  • European Union External Action Service 2022. A Strategic Compass for Security and Defence: For a European Union That Protects Its Citizens, Values and Interest and Contributes to International Peace and Security. Bruxelles.
  • Michael, Fischerkeller. P, and Richard. J. Harknett. 2020. Cyber Persistence Theory, Intelligence Contests and Strategic Competition. Institute for Defense Analyses, Alexandria, Virginia.
  • Florant, Jean-Baptiste. 2021. “Cyberarmes: La Lutte Informatique Offensive Dans la Manœuvre Future.” Focus Stratégique n° 100, Ifri.
  • Forsvarsdepartementet 2014. Forsvarsdepartementets retningslinjer for informasjonssikkerhet og cyberoperasjoner.
  • Forsvarsdepartementet 2018. Høringsnotat. Forslag til ny lov om Etterretningstjenesten.
  • Forsvarsdepartementet 2019a. Prop. 1S (2019–2020).
  • Forsvarsdepartementet 2019b. cyberoperasjoner [cyber operations]. Letter to the author.
  • Forsvarsdepartementet 2020. Prop. 14 S (2020–2021). Evne til forsvar – vilje til beredskap. Langtidsplan for forsvarssektoren.
  • Flyvbjerg, Bent. 2006. “Five Misunderstandings about Case-Study Research.” Qualitative Inquiry 12 (2): 219–245.
  • Gartzke, Erik, and Jon R. Lindsay. 2015. “Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace.” Security Studies 24 (2): 316–348. doi:10.1080/09636412.2015.1038188.
  • Géry, Aude. 2020. “The French Cyber Defence Strategy.” Penseemiliterre, March 27.
  • Gioe, David V., Michael S. Goodman, and Tim Stevens. 2020. “Intelligence in the Cyber Era: Evolution or Revolution?” Political Science Quarterly 135 (2): 191–224. doi:10.1002/polq.13031.
  • Amaelle, Guiton. 2020. “Cyber à la Française: l’attaque et la Défense, de la ‘Séparation’ à ‘L’interaction’.” Liberation, January 30.
  • Guédard, Le Martial. 2020. Gestion de crise et chaînes cyber: organisation européenne et française, Institut des hautes études du ministère de l‘Intérieur. https://www.ihemi.fr/articles/organisation-france-europe-cybersecurite-cyberdefense-V2
  • Haataja, S. 2019. Cyber Attacks and International Law on the Use of Force – The Turn to Information Ethics. London: Routledge.
  • Harknett, Richard J., and Max Smeets. 2022. “Cyber Campaigns and Strategic Outcomes.” Journal of Strategic Studies 45 (4): 534–567. doi:10.1080/01402390.2020.1732354.
  • Hogeveen, Bart. 2018. A Rare Insight into Cyber Espionage: Dutch Intelligence and Two Russian Bears. Australian Strategic Policy Institute.
  • Jacobsen, Jeppe T. 2021. “Cyber Offense in NATO: Challenges and Opportunities.” International Affairs 97 (3): 703–720. doi:10.1093/ia/iiab010.
  • Liebetrau, Tobias. 2022. “Cyber Conflict Short of War: A European Strategic Vacuum.” European Security 1–20. online first. doi:10.1080/09662839.2022.2031991.
  • Liebetrau, Tobias, and Kristoffer Christensen. 2021. “The Ontological Politics of Cyber Security: Emerging Agencies, Actors, Sites, and Spaces.” European Journal of International Security 6 (1): 25–43. doi:10.1017/eis.2020.10.
  • Lindsay, Jon R. 2021. “Cyber Conflict vs. Cyber Command: Hidden Dangers in the American Military Solution to a Large-Scale Intelligence Problem.” Intelligence and National Security 36 (2): 260–278. doi:10.1080/02684527.2020.1840746.
  • Matania, Eviatar, Lior Yoffe, and Tal Goldstein. 2017. “Structuring the National Cyber Defence: In Evolution towards a Central Cyber Authority.” Journal of Cyber Policy 2 (1): 16–25. doi:10.1080/23738871.2017.1299193.
  • Ministère des Armées 2019a. Politique ministérielle de lutte informatique défensive.
  • Ministère des Armées 2019b. Éléments publics de doctrine militaire de lutte informatique offensive.
  • Ministère des Armées 2021. Éléments publics de doctrine militaire de lutte informatique d’influence.
  • Ministry of Defense 2015. Defense cyber strategy.
  • Ministry of Defense 2018. Defense cyber strategy.
  • Ministry of Defense 2020. Defence Vision 2035: Fighting for a secure future.
  • NATO 2022. NATO 2022 Strategic Concept. Madrid.
  • Newman, H. Lily. 2021. “A Year After the SolarWinds Hack, Supply Chain Threats Still Loom.” Wired, December 8.
  • Pernik, Piret. 2020. “National Cyber Commands.” In Routledge Companion to Global Cyber-Security Strategy, edited by Scott N. Romaniuk and Mary Manjikian, 186–198. London: Routledge.
  • Roscini, M. 2014. Cyber Operations and the Use of Force in International Law. Oxford: Oxford University Press.
  • Rovner, Joshua. 2020. “What is an Intelligence Contest?” Texas National Security Review 3 (4): 114–120.
  • David, Sanger. E, and Nicole Perlroth. 2021. “Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity.” New York Times, May 14 and June 8.
  • Secrétariat général de la défense et de la sécurité nationale 2018. Revue stratégique de cyberdéfense.
  • Secrétariat général de la défense et de la sécurité nationale 2019. Manifeste: Pour l’ANSSI des dix prochaines années - pour l’écosystème de la cybersécurité.
  • Schmitt, M. 2017. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. 2nd ed. Cambridge: Cambridge University Press.
  • Slayton, Rebecca. 2017. “What is the Cyber Offense-Defense Balance? Conceptions, Causes and Assessment.” International Security 41 (3): 72–109. doi:10.1162/ISEC_a_00267.
  • Smeets, Max. 2018. “A Matter of Time: On the Transitory Nature of Cyberweapons.” Journal of Strategic Studies 41 (1-2): 6–32. doi:10.1080/01402390.2017.1288107.
  • Smeets, Max. 2018. “Integrating Offensive Cyber Capabilities: Meaning, Dilemmas, and Assessment.” Defence Studies 18 (4): 395–410. doi:10.1080/14702436.2018.1508349.
  • Smeets, Max. 2019. “NATO Members’ Organizational Path towards Conducting Offensive Cyber Operations: A Framework for Analysis.” Paper presented at the 11th International Conference on Cyber Conflict. Silent Battle, NATO CCD COE Publications, Tallinn.
  • Smeets, Max. 2021. The Challenges of Military Adaption to the Cyber Domain: A Case Study of the Netherlands. Paper presented at the 2021 Conference on Cyber Norms: Governing through crisis. Conflict, crises, and the politics of cyberspace.
  • Smeets, Max. 2022. “Cyber Arms Transfer: Meaning, Limits, and Implications.” Security Studies 31 (1): 65–91. doi:10.1080/09636412.2022.2041081.
  • Taillat, Stéphane. 2019. “Signaling, Victory, and Strategy in France’s Military Cyber Doctrine.” War on the Rocks, May 8.
  • Villarreal, Alexandra. 2021. “Russian SolarWinds Hackers Launch Email Attack on Government Agencies.” The Guardian, May 28.
  • Weiss, Moritz, and Vytautas Jankauskas. 2019. “Securing Cyberspace: How States Design Governance Arrangements.” Governance 32 (2): 259–275. doi:10.1111/gove.12368.
  • Yin, Robert K. 2014. Case Study Research: Design and Methods. Los Angeles, CA: Sage.