Washington and London use cyber deterrence. When digital warfare changes scale

“We agree that strategic engagement in cyberspace is critical to defending our way of life (…). “We will do this by planning for sustainable joint cyberspace operations that enable collective defence and deterrence.” On 18 November, at Fort Meade, south of Baltimore, where the all-powerful National Security Agency (NSA) and—less well known—the US Cyber Command are headquartered, the U.S. and British spymasters of cyberspace used their latest annual forum to make their mark. They announced that they were pooling their forces in order to better “deter” anyone from attacking their vital interests. This term, borrowed from the grammar of nuclear weapons, immediately alerted and intrigued the small community of specialists in digital warfare, who wondered about its meaning and scope.

On the one hand, answer the experts interviewed, there is nothing new in the West. As early as 1993, in a famous article entitled “Cyberwar is coming“, published under the seal of the Rand Corporation, U.S. researchers John Arquilla and David Donfeld introduced the concept of cyber deterrence into the strategic debate. Thirty years later, many still question its relevance. Olivier Kempf, associate researcher at the FRS, explains: “The essence of cyberwar is to be invisible and underground, to remain precisely under the threshold of conflict. This is the opposite of nuclear weapons, whose use is claimed, traceable, whose destructive power causes amazement and fear, in full view of everyone.”

On the other hand, they argue, the use of this vocabulary reveals the crossing of a new “threshold” in cyberwar. For Alexandre Papaemmanuel, professor at Sciences-Po Paris, it is the consequence of a form of “rise to the extremes” in the digital field, the sign of a “maturity of the conflict in cyberspace.” When Joe Biden arrived at the White House, he set the tone. In reaction to the “SolarWinds” attack against sensitive U.S. sites in 2020, the Democratic president released an unprecedented envelope of 9 billion dollars to strengthen the country’s cyber capabilities. The promise of an all-out war in cyberspace against anyone who attacks Anglo-Saxon interests could have a double objective: to encourage attackers to attack less well-guarded fortresses; and to convince allies to close ranks in the face of the new designated global competitor, China. Some also see it as a way for Washington—via NATO—to push its technologies.

Therefore, deterring can simply mean “responding.” Here again, nothing new, analyses Thierry Berthier, academic, member of the chair of Cyberdefence and Cybersecurity of Saint-Cyr, Sogeti, Thales. “It is well known that the United States practices large-scale cultivation of malware in dedicated ‘farms’; this malicious software is intended to be infiltrated into networks.” However, the intensity could change. After the practice of official U.S. services to systematically “attribute” attacks—i.e. to designate culprits, including by publishing the names and photos of their authors or masterminds—the White House is now promising to accede to a recurring request: to authorise private victims to practice “hack-back“, i.e. to fight back digitally. Soon, as in the good old days of the Wild West, it will be an eye for an eye and a tooth for a tooth in cyberspace, as long as the enemy is the United States.

Western Europe is not left behind. For a long time now, the major capitals have not been doing cyberattackers any favours. In France, since the 2015 terrorist attacks, coupled with a wave of cyberattacks led by the jihadist movement, the war rages daily, and the State defends itself via its services, says Thierry Berthier. If the DGSE is the leader, the Armed Forces have recently unveiled their offensive doctrine. A “trustworthy police source” confirms this: “As soon as our positions create tension on the international scene, we see a clear increase in attacks against our interests. The difficulty is to respond intelligently. Against someone stronger than us, we have to know how to send a strong signal that does not trigger a new, even more paralysing attack…” Not to mention the difficulty of handling the digital response. However targeted it may be, specialists warn, the digital bomb can cause—with delayed effects—significant unsolicited collateral damage by spreading through unsuspected flaws or obsolescence in a network. This is in contrast to the nuclear weapon, which has become increasingly accurate.

Bernard Barbier, an alumnus of École Centrale and the former technical director of the DGSE, now head of the BBCyber company, was alarmed by the American-British announcement: “This joint force represents impressive human and technical resources (more than ten times the French resources). Does Europe want to create a joint cyber deterrence capability? If Europe does not react quickly, we will be even more totally dependent on the UK-US couple: Gafa plus NSA-GCHQ.” This position is isolated among experts, who recall: “Cyber weapons are eminently sovereign weapons, and everyone knows that it would be very difficult to collaborate on this subject with the Germans.” The French authorities have given guarantees to the great U.S. ally, for example by agreeing to attribute certain recent attacks or, as was the case during the last trip of Vice President Kamala Harris to Paris, by signing cooperation agreements. For the rest, the high level of competence of public experts allows them to remain ‘autonomous‘ and ‘prudent,’ they stress.