ABSTRACT

The paper discusses the pragmatics and complexities of civil-military cooperation in the information age. The strategic dimensions of data management and security pertaining to national critical infrastructures include: intergovernmental, multilevel, polycentric governance dimensions of the information domain and warfare, shifting power-dynamics, overmatch and the disproportionality of sophistication between militaries and civilian infrastructure opener-operators given the realities of network size, data speed, volume and sensitivities. Advocates for a shared understanding of the domain, which is only achievable through equitable public-private partnerships, targeted investment with industry.

FORWARD

In 2019, Clairvoyance Cyber Corp published that Ukraine will provide a laboratory for the evolution of Russia's hybrid warfare strategy as Moscow adjusts its tactics and expands the scope of such actions around the world. The competition over Ukraine will factor heavily into the broader Russia-West standoff, which is only likely to intensify in the coming years. [1]Emergencies will require all of nation approaches thus redefining Joint Interagency Multinational and Public (JIMP) engagement to include critical infrastructure owners, corporations, non-government organizations and civil society.

CHALLENGE

Today’s environment is complex and unpredictable governments and organizations must not only be resilient in order to withstand shocks like natural disasters, failure of critical infrastructure and military attacks, but be able predict and interdict threats proactively. Strategic deterrence will also need a credible offensive capability and in which to project power and influence globally.

The renewed great power contest to control and influence the information space will be as significant as the Manhattan Project and the Space Race.

The responsibility protecting and defending citizens, rests to a large part, with the Government as the national guarantor of Peace, Order and Good Government (POGG). No other entity, in theory, has the mandate to address the risks to national security and prosperity.[2] However, governmnets have very limited means to achieve this objective unilaterally. Central government will need to be seen as providing, or coordinating, a public service through through programs, advocacy and direct investment. Foremost, security achievements will be assessed in terms of: threat reduction, business enablement and as economic drivers. Defence of the country from foreign military aggression in cyberspace in all phases of competition, conflict and war falls squarely with the military. NATO Treaty Article 3 which required members to maintain and develop an effective capacity to resist cyber attacks against their own nation’s critical infrastructure, industry and society. Yet, the military has very little situational understanding of global critical infrastructures.

National Security and resilience must be seen from a whole-of-society approach, combining the civilian, economic, commercial and military factors. It emphasizes the importance of planned data collection, secure data sharing and effective data management before and during the crisis.

There are three significant matters to consider:

1. National Critical Infrastructure is predominantly owned and operated by the private sector. This is particularly true for cyber space and the information domain where corporations are global cyber powers. Their budgets and client base may exceed the GNP and number of citizens of most countries.

2. Critical infrastructures are highly complex systems-of-systems communicating petabytes per second of data. Cyberspace is the nervous system that connects all global critical infrastructures at the speed-of-light. Risk is conducted through sophisticated interdependencies between systems and sectors. The principal challenges for Civil-Military Co-operation (CIMIC) at a strategic level involve data volume, speed, scale and complexity. These will not be solved through table top exercises, meetings or software. These are practical barriers to simply integrating CI data into NATO Operations Logistics Chain or visualizing using scalable data models or interactive dashboards and predictive analytics. Much like visualizing a 4K television signal with a 1950’s AM radio set.

3. NATO will need to comply with the common architectures for data management and data security already in use by CI sectors. Telecoms, finance and energy CI have a shared Common operating Picture (COP) of National and Global Information Infrastructures (NII/GII). Integrating with bulk CI data streams, even it technically possible, is not practical. It is best to view the data where it resides through dashboards that already exist in within these industries. Furthermore, the wholesale export of sensitive and private data from platform providers to the military is prohibited by the laws of most western nations.

Protecting critical infrastructures is complex in the digital age. It is not something one can do unilaterally, nor can it be solved through workshops. The solution requires a deep understanding of the technical and non-technical issues with a degree of sophistication and finesse.

In this paper, I will discuss the principal strategic issues that must be first overcome for National Critical Information Infrastructures and NATO interoperate.

INTRODUCTION

Changing demographics, resource competition, environmental stresses, globalization, economics, governance, urbanization, geopolitics, and the unprecedented advancement in science and technology, are significant trends shaping the future cyber security environment. By 2040, NATO will likely find themselves involved in a hybrid, irregular, and asymmetric conflict in mega-smart-city of the future inhabited by millions of digitally empowered citizens, governed by corporations, transnational crime or extremist factions. In this scenario, leading with soft power, cyber and influence may be the preferred options.

Today’s economies, industries, and critical infrastructure are all critically dependant on the availability of systems using the information environment. Defense capabilities are equally reliant upon the information domain. The very nature of cyberspace makes it difficult for a single organization to confront on its own. The circumstance of disruptive technology, globalization, multi-level Internet governance and polycentrism[3] break traditional domains-of-control, and entangle private, public, domestic and international levels-of-authority.

Globalization will multiply and strengthen the links among people, organizations, and nations. Fueled by advances in technology, transportation and telecommunications, will continue to connect the world in all domains. Economies, markets, societies, and cultures will continuously integrate and converge. Critical infrastructure supply chains will be shared planet-wide and national security will be global.

The future will see the continued diffusion of power and influence from nation-states to non-traditional actors, particularly in cyberspace, and the disintermediation of governments in this battlespace. The private sector, who owns much of the cyber terrain, technology and talent, will remain the proxy target of nation-states and decisively engaged on the front lines. For centuries, territory has been by marked by borders, governed by sovereign states and the rule-of-law. Yet, cyberspace is global, and borderless. It is operated by industry and defined by its digital natives.

Private sector actors are also increasingly “digital gatekeepers” who control the flow of information across the network. - Global Commission on Internet Governance 2016

“In North America, the Internet is, to a large extent, an unregulated phenomenon, but supported by a regulated infrastructure.”[4] Meanwhile, Cyberspace has undergone dramatic global disruptive changes in the past few years, particularly in highly-contested areas of the network. The “Internet and digital technologies [have] change[d] deeply the economics of regulation and more generally the economics of institutional frameworks.”[5]

A national information infrastructure is not the same as an military network in scale, speed or sophistication. This makes direct interfaces incompatible. Facebook alone has 3 billion active users. The data flows between platforms and providers is measured in petabytes per second. Just the sub-system managing the inventory of a major Telco is the largest graph data base in the nation. Malicious traffic flows are a terabyte per second. A quarter trillion dollars in electronic funds transverse the networks in Canada every day. The USA is ten times more. Some estimates put the economic contribution of the Internet as high as $4.2 trillion in 2016. The Internet of Things (IoT) could result in upwards of $11.1 trillion in economic growth and efficiency gains by 2025. Upwards of one billion new users and 20 billion devices are forecast to be online within five years. To realize its full potential, the Internet of the future will need to be open, secure, trustworthy and accessible to all. The worst-case scenario is one in which the Internet breaks on our watch.”[6]

There are a couple of characteristics of cyberspace that many of us take for granted, but need to think through critically. First, is that cyberspace is a synthetic domain, but with a very real physical and human (social) presence. There is nothing that exists in cyberspace that does not leave a trace, which is quantifiable, capturable, and ultimately, subject to analysis. Second, that data resides, transits, or is created by physical devices that have, both a temporal, and a geographic component. Those three things can be correlated and together create a bordered, territorial Internet, even without the imposition or the changes in the governance environment to make it so. The border between human and machine ambient intelligence is eroding. Hence, the Internet-of-Everything. Disruptive technologies, sociological, and geopolitical trends are on a converging - the effect of which will be far greater than the sum of their parts.

“The Internet is the first thing that humanity has built that humanity doesn’t understand.”[7]

INTERGOVERNMENTAL, MULTILEVEL, POLYCENTRIC GOVERNANCE DIMENSIONS OF CYBERSPACE

In the next 10-15 years, technology will shape society, security, and the economy in ways that pose opportunities and challenges for the cyber security of government, the private sector, and Canadians. There will be intergovernmental, multilevel, polycentric governance dimensions of cyberspace, which are on the critical path of military’s mission success or failure. The diffusion of power, disruptive technology, sophisticated and increasingly belligerent adversaries will generate emergent effects at speed-of-cyber. Solutions will require central orchestration since the issues cut broadly across domains, mandates and missions.

The dynamics that shape challenges and relationships between states, and among non-state actors, is not merely evolving but mutating. Public policy needs to consider the complexities that cyber introduces into the equation. “Vying national approaches to enhancing cybersecurity can impede multilateral cooperation to secure critical infrastructure”[8]

Cyber is a domain where the interests, values, norms and strategy of the Western liberal democratic vision of open networks and Internet freedom, is countered by alternative models posed by states seeking to restrict and control the Internet along nationalistic boundaries. These “multipolar politics and the prevailing status quo of strategic ambiguity hinder international cyber regulation.”[9]

Governance poses significant challenges in a rapidly globalizing world. In the emerging future, governments must grapple with a new world order in which power diffuses among corporations, empowered individuals, civil society, criminal organizations, and peer and near-peer nation-states. The power-shift will be particularly acute in the cyber domain[10] and will precipitate a re-adjustment of Westphalia models towards a new construct. Private sector partnerships will become vital for military, particularly with the defence industrial base. The Internet-of-Things will elevate cyber to talisman status across all military domains.

There has also been a growing divide between national regulators, international standards bodies, the International Telecommunication Union (ITU) and the owner-operators of cyberspace. Discussions of Internet governance at the ITU have been attentive “to the question of domain names and complex power relationships in a decentralised network structure”[11] as a technical means to regain sovereignty. We now need to consider emergence of models such as polycentrism that “promote self-organization and networking regulations at multiple levels. This bottom-up form of governance is in contrast to the increasingly state-centric approach to both Internet governance and cybersecurity prevailing in forums like the ITU.”[12]

This, decentralization “guarantees its reliability, its efficiency and its ability to develop. [The Internet enables] worldwide connectivity that overwhelms existing regulations based on territorial jurisdiction and Government’s legitimacy. Digital networks allow bypassing nation-state based regulatory frameworks.”[13] This means that “any legislation can be [circumvented] through the Internet because no governmental agency would be able to efficiently supervise the exchanges of information among Internet users under their jurisdiction and between them and foreign third parties to guarantee the enforcement of existing laws.”[14] “The principle of State regulation … is no longer relevant because the problems they addressed change with the new technologies [that being] intellectual property rights… and convergence.”[15] Technological converge in the Internet-of-Everything collapses multiple regulatory silos.

The very definition of cyberspace is evolving faster than out ability to govern it. Open media, big-data, ubiquitous mobile communications and the IoT are at the centre of national identity and governance. Yet, in many countries around the world, open access to the Internet is Balkanized, blocked, censored, shaped, controlled and denied.

CYBER POWER

The centre-of-authority for cyberspace has migrated. It is less about imperial power and more about multinational corporations, non-government organizations, philanthropy, and social agency. “This trend toward Internet sovereignty is complicating efforts at enhancing cybersecurity and clarifying governance.”[16] However, telecoms regulation at home remains a blunt instrument; far more concerned with tariffs and media content rather than security, while ignoring complex global issues.

[In the absence of] concrete actions from actors across the ecosystem, we could end up in a world where states assert their sovereign control over the network, where private platforms control who benefits from the Internet, or where online criminals dominate the scene. - Global Commission on Internet Governance 2016

Governments are not the only actor, or even the most significant players in cyberspace. “Analyzing the debate between Internet sovereignty and Internet freedom through the lens of polycentric regulation, provides new insights about how to reconceptualize both cybersecurity and the future of Internet governance.”[17]

Western societies rely on infrastructure that is privately owned. Western governments therefore have no choice but to call on the infrastructure's management to perform actions necessary for national goals. Multinational companies will face conflicting demands from governments, likely made more severe by governments' increasing efforts at extra-territorial reach.[18]

Cyberspace still has some territorial embodiment, which falls within national jurisdictions, and that is called the telecommunications industry. The problem is that the Internet has been treated as an overlay network to telecommunications. Just over a decade ago there was a typological separation between service providers who rented capabilities from telecoms, and the telecoms themselves. Currently that distinction does not exist, and it is at the telecoms level where national jurisdiction, physical aspects of the Internet, as well as the virtual management components of the Internet, all converge into one.

The Realpolitik of cyber power is not just about regulatory governance framework. In the evolution of state and civilian cyber power the “oscillation in the balance of power may be peaking, but never before could a dozen people in their pyjamas meaningfully annul the monopoly on the use of force.”[19] There are cyber capabilities now wielded by the private sector for which there is no analog by nations. “The evolving cyber threat to the private sector, coupled with a lagging regulatory environment, has made the uptake of best practices haphazard. [Furthermore,] governance gaps hamper efforts to collaboratively manage cyber-attacks.”[20]

“States increasingly define cyber-territory by where their subjects go, whether by destination control in the Chinese style or by data control in the EU style.” [21]

Cyberspace’s informal and diffuse form of governance propelled its phenomenal growth and established its guiding norms of openness, freedom of choice and collegiality.[22] The current operators and users of cyberspace are not about to relinquish control to nation states any time soon.

CYBER DEFENCE

Theoretical work on nation state stability dependencies highlight factors of legitimacy, authority, institutional knowledge, bureaucratic control, and confidence; all of which are enabled by cyber capabilities; and establish the criteria upon which societies may be destabilized and crippled by a coordinated cyber campaign to reduce institutional entropy. This poses particular concern in the instance of widening of the public sector and engagement with the private sector as many government services are contracted out. Critical infrastructure such as telecommunication, transportation, energy, banking, finance, water supply, agriculture, emergency, government, health services, which are critical to the security, economic prosperity, and social well-being of the public highlight the potential targets for devastating cyber security events that could threaten our way of life.[23]

The New Era of Digital Globalization Global flows of trade and finance are flattening, while data flows are soaring. The openness and global connectivity that drives digital innovation and the free flow of information is threatened by the growing interest in exerting control over the use of the Internet or securing a greater market share in the digital economy. - Global Commission on Internet Governance 2016

A comprehensive, two-year, empirical study on critical information interdependencies across Canadian infrastructure sectors was conducted by Bell Canada and RAND corporation for public safety. A companion study quantitatively measured the state of cyber security in all Canada’s CIs. The primary takeaway was that there was profound dissidence between perceived and actual risks. The findings remain valid for consideration into future cyber security strategies.

This rapid evolution of the Internet has presented a variety of 2nd and 3rd order consequences.[24] It is in these multi-order consequences where military will need to study risk-contagion traverses critical infrastructure sectors, domains and networks of importance to the country and through contested space. A cornerstone of the global economy, cyberspace is an incubator “for new forms of entrepreneurship, advances in technology, the spread of free speech, and new social networks”[25] that drive economies and express principles. Securing critical cyber-infrastructure is pivotal. Key sectors of economies – banking, energy, finance, transportation, and communication, the Defence Industrial Bases of nations rely on cyberspace, industrial control systems and information technology.[26] Cyber creates a frictionless slope from competition to conflict.

“Volatility, uncertainty, complexity and ambiguity characterize the strategic environment.” – U.S. Army War College

Russia and China will continue to engage NATO in cyber and cognitive domains at the threshold of armed conflict, to counter to NATO’s overmatch in kinetic power. We have seen purposeful interference in national critical infrastructure by pacing threats.

In defence of cyber power, governments, would be expected to be responsible for protecting public and private assets on the territory of the state from external aggression, but in practice are not unilaterally capable of providing the required protection to citizens.

There exists natural conservatism in military thinking that will have trouble dealing with rapid transformative change from the cyber domain as it spills over into all military infrastructure and operations from outside spheres of control and influence.

Cyberwarfare will erase the distinction between home front and battlefront for NATO. Both will be increasingly exposed to risks from the cyber domain in a way that will challenge our conceptions of domestic safety and international security. The rapid and growing rates of technological convergence and diffusion will empower criminal and state actors with capabilities to achieve military outcomes previously only possible by advanced nation states. Consequently, there is urgent need for NATO to operate, defend and project power in the cyber domain.[27]

The tensions over information sovereignty have begun to challenge foundational tenets of policy. Nations and corporations are now playing in the same global competitive business markets and a shared risk environment.

The dynamics that shape challenges and relationships between states, and among non-state actors, is not merely evolving but mutating. Public policy needs to consider the complexities that cyber introduces into the equation. “Vying national approaches to enhancing cybersecurity can impede multilateral cooperation to secure critical infrastructure”[28]

A cornerstone of the global economy, cyberspace is an incubator “for new forms of entrepreneurship, advances in technology, the spread of free speech, and new social networks”[29] that drive economies and express principles. Securing critical cyber-infrastructure is pivotal.[30] Cyber creates a frictionless slope from competition to conflict.

Thus, the national cyber defence is challenged by the essentially borderless nature of the Internet. Governments have been hard-pressed to be at the forefront of this aspect of national defence by putting in place systems of mutual defence across all sectors of the economy. [31] Attempts at regulation in a complex system like cyberspace, is as challenging as regulating the weather.

CONCLUSION

Great power contests have spilled out into cyber and cognitive domains while deliberately interfering in critical infrastructures like telecommunication networks, health sector’s response to the global pandemic an nuclear power safety.

National Critical Infrastructures are owned and operated by industry, who already maintain a shared operating environment and a Common Operating Picture (COP). These infrastructures are highly-sophisticated ecosystems which require complex systems theory to understand, hyper-scale clouds, artificial intelligence and big data analytics to oversee. Tapping into bulk data streams with an app to quench a thirst for insight would like drinking water from a fire hose with a paper dixy cup.

Systems have already been designed and built that provide a comprehensive picture of the national information environment and a means for sharing this picture with the military and government. The system was never deployed for purely non-technical reasons.

When it comes to critical infrastructure protection and CIMIC, we have been admiring the problem for quite some time and avoiding real-world complexities. The next-evolution of the information domain is not without its risks, opportunities and moral hazards but the solution requires a genuine and equitable public-private partnership. For NATO to win on the modern battlefield, they must collaborate intentionally with industry to protect national critical infrastructure. This will mean investigating previous solutions and substantial investment understanding data management and security within CIs. This could take the form of a NATO-lead and funded research initiative.

KEY REFERENCES

The public-private sector CI interoperability challenge has been studied at quite some depth:

1. See Chapter: Beyond Perimeter Defense: Defense-in-Depth Leveraging Upstream Security, NATO Science for Peace and Security Advanced Research on the Best Practices in Computer Network Defense Geneva, Switzerland April 2014

2. State-of-Readiness (Cyber Security) of Canada’s Critical Infrastructures. Bell Canada April-March 2007

3. Cyber Interdependencies of Canada’s Critical Infrastructures. Bell Canada, Apr-Mar 2007

ABOUT THE AUTHOR

Dave is a Computer Engineer and thirty-year veteran of intelligence services and the military. He managed complex security programs for Bell Canada, research and development for Bell University Labs. He is currently Chief Intelligence Officer at Sapper Labs, Chair of the Cyber Council for the Canadian Association of Defence and Security Industries, Lecturer with Professional Development Institute at the University of Ottawa. Dave was co-chair of Canadian Interdepartmental Committee on Information Warfare.

[1] Ukraine Provides a Test Case of Russia's Hybrid Warfare Strategy By Eugene Chausovsky, Senior Eurasia Analyst, Stratfor [2] In 2008, the Industry provided a structured response to Public Safety Canada’s: Working Towards a National strategy and Action Plan for Critical Infrastructure. [3] Polycentrism is the principle of organization of a region around several political, social, financial centres or cyber domains. [4] Ibid. Conflict and good Governance in cyberspace Klaus W. Grewlich [5] Multilevel Governance of the Digital Space. - Eric Brousseau, University of Paris X, Institut Universitaire de France, EconomiX, 27/07/05 [6] Global Commission on Internet Governance 2016 [7] Google Chairman Eric Schmidt [8] Arie J. Schaap, Cyber Warfare Operations: Development and Use Under International Law, 64 A.F. L. Rev. 121, 141 (2009) [9] Rex B. Hughes, NATO and Cyber Defence: Mission Accomplished? https://www.atlcom.nl/site/english/nieuws/wp-content/Hughes.pdf [10] Cyberspace is owned, operated and controlled by the private sector. [11] Conflict and good Governance in Cyberspace Multi-level and Multi-actor Constitutionalisation, Klaus W. Grewlich [12] Toward Cyber Peace: Managing Cyber Attacks Through Polycentric Governance, American University Law Review, Scott Shackelford, August 20, 2012 [13] Ibid. Multilevel Governance of the Digital Space. - Eric Brousseau [14] Ibid. Eric Brousseau [15] Ibid. Multilevel Governance of the Digital Space. - Eric Brousseau [16] Robert K. Knake, Council on Foreign Relations, Internet Governance in an Age of Cyber Insecurity 3 (2010) [17] – Ibid. Toward Cyber Peace. Scott Shackelford [18] CSIS 2018 Security Outlook, Chapter 5 – State power and cyber power [19] Chapter 5 – State power and cyber power, 2018 Security Outlook Potential Risks and Threats – Canadian Security Intelligence Service [20] Foundations of Polycentric Governance in Cyberspace, Cyber Attacks in International Law, Business, and Relations: In search of cyber peace. Scott J. Shackelford, Cambridge University Press [21] Ibid. State Power [22] Ibid Canada and Cyberspace [23]Ibid [24]Cybersafe by Gen Robert Mazzolin [25] Department of Defense Strategy for Operating in Cyberspace, supra, p. 1. [26] Id. [27] From Bullets to Bytes, Industy’s Role in Preparing Canada for the future of Cyber Defence, CADSI [28] Arie J. Schaap, Cyber Warfare Operations: Development and Use Under International Law, 64 A.F. L. Rev. 121, 141 (2009) [29] Department of Defense Strategy for Operating in Cyberspace, supra, p. 1. [30] Ibid. [31] “Don’t Call Us” Governments, Cyber Security, and Implications for the Private Sector Tom Quiggin, Centre for International and Defence Policy, Queens University, 2015, ISBN 978-1-55339-356-6