Hybrid Threats and Grey Zone Conflict Symposium – Cyber Operations are Thriving in the Grey

Nov 1, 2024

Editor's note: The following post highlights a chapter that appears in Mitt Regan and Aurel Sari's recently published book Hybrid Threats and Grey Zone Conflict: The Challenge to Liberal Democracies. For a general introduction to the series, see Prof Mitt Regan and Prof Aurel Sari's introductory post.

Cyber operations have become an increasingly prevalent and sophisticated part of statecraft as hackers steal, spy, disrupt, destroy, destabilize, and manipulate for strategic, operational, and tactical gain. Most of them do so from below the threshold of war.

However, that messy middle between war and peace is not the only grey zone that hackers are exploiting. They are also straddling the line between "crime and statecraft" and the distinction between "espionage and attacks." Each of these three grey zones blurs not just academic or theoretical distinctions, but legal, institutional, and jurisdictional ones as well. Anyone grappling with the evolving challenges of hybrid threats and grey zone conflict must acknowledge and navigate all three.

Cyber operations are thriving in the grey zone; or rather, they are thriving in a series of grey zones. How and why is the focus of my recent chapter, “In Pursuit of Geopolitical Advantage: Hacking Below the Threshold of War,” in Hybrid Threats and Grey Zone Conflict: The Challenge to Liberal Democracies, edited by Professors Mitt Regan and Aurel Sari. I argue that hackers are widening the aperture of what is possible short of war. At the same time, they find themselves operationally constrained to a series of additional grey zones: some by design; and others born from technical circumstances.

The Messy Middle Between War and Peace

State competition below the threshold of war is not new. Yet cyber operations are an important, and relatively recent, feature of grey zone competition. The vast majority of cyber operations to date were conducted below the threshold of armed conflict, serving as a new venue for covert action, influence, and intelligence collection.

Hacking short of or in the absence of armed conflict brings with it several benefits. It allows States to play into the bureaucratic seams of their target countries and offers them an opportunity to compete for advantage in a manner that challenges historical defense approaches while also avoiding the potentially catastrophic consequences of war.

The extent to which cyber operations fall below the threshold, however, is shaped as much by the decisions undertaken by the targets as it is by the calibrated actions of hackers. This is not a particularly novel observation. Yet it is too often strikingly absent from discussions of why cyber operations have, to date, remained largely constrained to the grey zone rather than escalating into armed conflict.

The Messy Middle between Crime and Statecraft

While crime and statecraft are often treated as distinct conceptual categories, States can and do carry out criminal endeavors for geopolitical purposes. These may include undermining the global financial system, funding weapons programs, stealing intellectual property from industry competitors, or holding infrastructure or organizations for ransom. One of the most prolific and notable examples of this trend is North Korea's operations targeting international financial institutions to circumvent global sanctions and fund its nuclear and missile programs. Another example is the explosion of ransomware-as-a-service, given the strong overlap between ransomware groups in general and Russian ransomware groups, those groups' efforts not to hit Russian or Russian-aligned targets, and ransomware groups explicitly aligning with Russia in the wake of Russia's invasion of Ukraine.

In addition, some hacking groups are simultaneously responsible for both criminal and geostrategically motivated operations. Here APT41—a hacking group also known as Double Dragon, Barium, Winnti, Wicked Panda, and Wicked Spider, to name a few—is an apt example. Although a prolific Chinese intelligence asset, APT41 also has a history of carrying out financially motivated crimes on the side. Indeed, APT41 is a threat actor with two different operational profiles and motivations, an arrangement that has (at the very least) the tacit consent of the State.

The Messy Middle Between Espionage and Attacks

While operational goals focusing on compromising the confidentiality of data (espionage) versus those seeking to degrade, deny, destroy, or disrupt (attacks) are conceptually distinct, delineating between them can be messy in practice.

Access serves multiple purposes. Espionage, operational preparation of the environment, and holding an adversary at risk all encourage sustained footholds (or persistence) in networks. Access is necessary for the exfiltration of secrets (spying). As I wrote previously, it is also necessary when establishing the groundwork for subsequent disruptive or destructive operations (operational preparation of the environment) or allowing for the possibility of carrying out a variety of operations in the near future (holding an adversary at risk).

Hackers can also leverage access achieved for one set of goals for new goals as their intentions and priorities change over time. Hackers’ preferences shape operational decisions, which are, in turn, aided by the flexibility of existing technical footholds.

In contrast, what Buchanan coined a “dilemma of interpretation” complicates the responses of those being hacked. The target of a malicious cyber operation can have difficulty distinguishing between access for espionage purposes and access that lays the groundwork for an attack, even when they are clearly distinct in the minds of the hacker. The conversation around SolarWinds, for example, included a dilemma of interpretation that occurred in real-time when the incident initiated a debate around the purported purpose of what is now well-understood as an espionage operation.

From Grey Zone to Grey Zones

Operations, cyber or otherwise, rarely fall into a grey zone by chance. They are calibrated to land there—to take full advantage of the ambiguities of the space—or they routinely land there due to the technical and operational realities of the domain itself. Cyber operations fall into that messy middle between “war and peace” and “crime and statecraft” by design. The messy overlap between cyber-enabled espionage and cyberattacks is as much by design as it is a byproduct of cyberspace itself.

Hacking may be a recent addition to a State’s toolkit, but it is one wielded in an age-old game: seeking geopolitical advantage. And these tools thrive in the grey.

***

Dr Melissa K. Griffith is a Lecturer in Technology and National Security at the Johns Hopkins School of Advanced International Studies (SAIS), affiliated faculty with the Alperovitch Institute, and a Non-Resident Research Fellow at the University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC).
