Using open-source literature, the Authors - James A. Lewis and Katrina Timlin - reviewed policies and organizations in 133 states to determine how they are organized to deal with cybersecurity, whether they have a military command or doctrine for cyber activities, and whether they have or plan to acquire offensive cyber capabilities.
There are clear limitations to open-source data. Many states are secretive about the nature of their planning and capabilities for cyberwarfare, although most are more open about their law enforcement and domestic security arrangements for cybersecurity. Despite this, the Authors identified 33 states (detailed in section I) that include cyberwarfare in their military planning and organization. These range from states with very advanced statements of doctrine and military organizations employing hundreds or thousands of individuals to more basic arrangements that incorporate cyberattack and cyberwarfare into existing capabilities for electronic warfare. Common elements in military doctrine include the use of cyber capabilities for reconnaissance, information operations, the disruption of critical networks and services, for “cyberattacks”, and as a complement to electronic warfare and information operations. Some states include specific plans for informational and political operations. Others link cyberwarfare capabilities with existing electronic warfare planning. The linkages between electronic warfare and cyberwarfare are likely to be an area of expanded attention as computer networks (or their access points) become increasingly mobile and wireless.
The Authors also discuss another 36 states (detailed in Section II) where there is no public discussion of a military role in cyberspace and where civilian agencies charged with internal security missions, computer security or law enforcement are responsible for cybersecurity. This is, in some ways, the “traditional” approach to cybersecurity that dates back to the 1990s—setting up a national Computer Emergency Response Team (CERT), assigning responsibility to science ministries and creating specialized units within the national police. It would not, however, be difficult for these states, if they wished, to translate their defensive and civilian capabilities into military cyber capabilities. Knowledge of cyberdefence can inform offensive operations and the skills needed to defend a network can also be used to attack.
Even with the limitations on available data, this preliminary assessment suggests that cyberwarfare has become an unavoidable element in any discussion of international security. Cyber capabilities are attractive as a cost-effective asymmetric weapon. Informational advantage and networks attack play a large role in modern strategy. Defending computer networks is a concern for many states. Most major military powers have developed cyberwarfare capabilities and doctrine and more states will acquire these capabilities in the future. Airplanes were once possessed by only a few states and had limited military value, but then grew into a key component of military power possessed by most states. Military cyber capabilities appear to be on the same path. This trend raises questions regarding norms for cyberwarfare, the obligations of states regarding the application of offensive cyber capabilities, and the applicability of existing laws of war and norms on use of force in cyberspace.
Download this really interesting paper: