Last June 14th, the Ministers of Defence of NATO countries recognised cyberspace as the fifth warfare domain
, after land, sea, air, and space. A formal official statement then followed at the 27th NATO summit of the heads of state and heads of government held in Warsaw at the beginning of July (for further details, please also see June 2016 “Cyber Strategy & Policy Brief”
Nevertheless, it is long since almost all the main countries have created dedicated structures to tackle cyber threat
, both at a governmental level and in the field of intelligence and military operations.
Although it is quite difficult as of now to understand how many and what countries have created a specific command for military operations in and through the cyberspace, around 60 countries have already developed cyber defence units
. And the figure goes up to 100 countries, including those about to develop them.
In this field, although military operations in and through the cyberspace by now play an essential role especially in facilitating the Armed Forces’ conventional attacks, the rules of engagement remain secret in most of the cases
and represent one of the less discussed subjects in the field of cyber security (and not only).
This is mainly due to the fact that – generally speaking – the rules of engagement aim to identify and define the events and limits within which the Armed Forces can start and/or continue fighting against opposing forces
, setting the standards for authorized and non-authorized behaviors to adopt or not to adopt in the presence of particular hostile activities or actions.
As already said, this implies a great need for secrecy on contents
. Rules of engagement for cyber space obviously make no exception.
Notwithstanding, rules of engagement are often contained in documents that are as brief as complex.
In the field of military operations in and through the cyberspace, they include legal, strategic, operative and tactical elements, all of which are based on a deep knowledge and examination of:
- Strategic and operative aspects of the specific domain of warfare – cyberspace, in this case;
- The specific geopolitical context ongoing while they are drafted;
- Political and strategic goals to be achieved by carrying out a cyber attack;
- Teal response capability of those attacked, cyber warfare capabilities included;
- Any other states and/or third parties that might decide to intervene and/or support the enemy operations, operations in and through the cyberspace included;
- Any reactions from the international community to a counterattack carried out in response to a cyber attack suffered;
- A country’s own defence capabilities and especially attack capability in and through the cyberspace.
As per the implementation phase, on the other hand, a country’s technical and IT units/agencies play a role of primary importance. Such units must be able to identify in a reasonably short timeframe the source and author of the attack. This, both in case rules of engagement are to be applied as a defence tool but also should a response be needed against a cyber attack.
Here comes the first issue. It is quite easy to reach a very good level of anonymity in cyberspace and it is easy as well to complicate any attempt to attribute responsibility for a cyber attack to its material author or to those who actually ordered the attack.
Further critical elements arise also from the legal point of view. Any response to a cyber attack from a country must mandatorily abide by all the principles of international law, currently applied in case of wars fought in “conventional” warfare domains, i.e. land, sea, air, and space.
The principles of necessity, proportionality and distinction are only some of the legal restrictions posed by international law already in force and obviously also applicable to the use states make of IT tools for military purposes. Nevertheless, in practice, it is not always that easy to take into account and comply with such principles.
Finally, a last critical element: cyber attacks are really fast in their final stages, i.e. when they are launched against a target and start having effects. Their being so immediate, in fact, presently makes it impossible to follow the OODA (Observe, Orient, Decide, Act) loop, leaving it up to computers and precisely to prearranged engagement rules – already “set” for any different kind of situation – to decide what to do, both in case a defence or a reaction is needed.
It must be easy to guess that, also in light of the two above-mentioned critical elements, arranging rules of engagement for cyberspace presently looks like a particularly complex activity, the outcome of a mix of military, legal, technical and technological competences that are not so easy to be understood and implemented.
Nonetheless, the more and more widespread use of cyberspace as a support tool to military operations and the constant growth in number and quality of cyber attacks – more and more focused on hitting national critical infrastructures – make this need highly topical and absolutely not deferrable, now more than ever.