Hybrid Threats

Coping with new challenges

By Klaus-Dieter Fritsche, state secretary at the German Federal Chancellery, German commissioner for the Federal Intelligence Services

With the end of confrontation between East and West came a long period when it seemed that peace and security in Europe could be taken for granted. American political scientist Francis Fukuyama even claimed in his book, The End of History and the Last Man, that the end of the Cold War marked the end of the era of great conflicts.

But events took a different turn, and over the past few years the world has become more chaotic. A tectonic shift in classical geopolitics is tearing apart the stability, continuity and security of states and entire regions. For the West, long-standing certainties about security policy have been replaced by a multitude of challenges in Afghanistan, Syria, Iraq and Libya, and by Russia’s more assertive foreign policy, the war in the east of Ukraine, China’s new self-confidence and the refugee crisis.

Additionally, the West faces a new security challenge. In a 1993 study, John Arquilla and David Ronfeldt predicted the coming of cyber war, which is now a reality. The term, however, is somewhat vague and often used in a context that goes well beyond its original meaning. It initially referred to military operations involving information technology. Today, the term encompasses all attacks on cyber security, such as cyber espionage or cyber crime.

But in both its original meaning and its broader definition, cyber war exemplifies the phenomenon of “hybrid threats,” another term that, along with cyber war, has become part of our everyday language. These threats pose new challenges that reside at the meta-level and encompass hidden aggressions by state and nonstate actors against private individuals, companies, authorities and governments. The attacks are hard to identify and difficult to trace. They originate in the anonymity of the web and are carried out through traditional or electronic media or involve military or intelligence services acting incognito. The antagonists make it difficult for defenders to detect and repel attacks while adhering to international conventions.

Attacks on cyber security, targeted disinformation, spin and propaganda are now a reality. Preventing the misuse of digital technologies is a primary challenge of the 21st century. Cyber attacks on critical infrastructure such as energy supply, telecommunications, airports, roads and railroads, financial institutions, political parties or government agencies can destabilize countries, influence elections or overthrow governments. Disruptions, manipulations, sabotage and targeted attacks on electronic networks are the side effects of the information society.

Another common term, in the context of cyber security, is cyber espionage, which threatens the privacy of individuals, companies and state agencies. German companies lose an estimated 50 billion euros annually to cyber espionage. The massive cyber attack on the internal network of the German Bundestag, uncovered in May 2015, demonstrated most dramatically the vulnerability of state agencies.

The enormous impact of complex cyber attacks on states became evident in Estonia in 2007. An unprecedented attack on the Baltic state paralyzed banks, government agencies, police and government for days. The attack occurred while the Estonian government was locked in a dispute with Russia over the relocation of a Soviet-era military memorial within the city of Tallinn, leading to speculation that Russia was responsible, though the Estonian Computer Emergency Response Team could never positively identify the attackers. So it is no coincidence that NATO established its Cooperative Cyber Defence Centre of Excellence in Estonia. Based in an old garrison in Tallinn, the center is the knowledge hub — the “brain” — in the fight against cyber espionage and digital terrorism in Europe. This is where, once a year, NATO members hold a real-time network defense exercise with expert teams that practice ways to support a state hit by massive cyber attacks.

In Brussels, the European Union runs the Intelligence and Situation Centre, an analysis hub for its members’ intelligence services. In 2016, the center activated its unit for hybrid threats, the Hybrid Fusion Cell. It issues early-warning reports and cooperates with agencies such as the Cybercrime Center and the Counter Terrorism Center at Europol’s headquarters, and with Frontex (the European Border and Coast Guard Agency) and the EU’s Computer Emergency Response Team.

Hybrid attacks overstep the limits of what is perceived as “legitimate means of foreign policy.” They remain below the threshold of conventional war but nevertheless represent serious attacks on societies. Democracies based on the rule of law find it difficult to adopt effective countermeasures because there is no “equality of arms.” Western democracies comply with laws and play by the rules; hybrid attackers avoid them intentionally. In any case, countermeasures by states or EU institutions require resolve and cohesion.

But even at the domestic level, confronting cyber attacks is an extremely complex challenge. In democracies, state agencies operate within clearly defined areas of jurisdiction and competence. But the phenomenon of hybrid threats cannot be subdivided into domains that neatly coincide with the state agencies’ areas of competence. It is a gray zone in which law enforcement, intelligence and information technology security agencies need to cooperate.

Each agency assesses an incident from its own angle and acts on the basis of its jurisdiction and competence. Because of Germany’s federal structure, jurisdiction is divided between the federal government and its states. Not only is the Federal Office for the Protection of the Constitution in charge of counterespionage, but so are the 16 State Offices for the Protection of the Constitution. Law enforcement is not only the responsibility of the Federal Criminal Police Office, but also of the 16 State Offices of Criminal Investigation. This uniquely German approach adds to the challenges of countering cyber attacks because greater coordination is required to fight a phenomenon that knows no boundaries.

To cope with such challenges, Germany opted for the whole-of-government approach. In 2011, the federal government published its first cyber security strategy. As a result, the National Cyber Defence Centre was founded. Here, all the agencies involved in cyber defense exchange information and compile joint situation assessments. The second edition of the cyber security strategy was presented in 2016 and represents an interagency approach to all federal cyber activities. It identifies approximately 60 strategic goals and steps to improve cyber security in Germany.

For the first time, an attempt is being made to present Germany’s security architecture as a whole. The framework for a sustainable and effective cyber security architecture is defined at the strategic level. The focus is on transparency among federal agencies concerned with countering cyber threats and on identifying fields of cooperation. Modern cyber security architecture is based on an understanding that the task involves a full-time effort. More than anything, it requires efficient coordination to make sure each agency knows exactly what is expected of it and to guarantee the smooth exchange of information.

Apart from the typical hacker attacks, the hybrid threats also include propaganda and disinformation. The intentional spreading of false information is used to influence the political discourse in other states, to build an atmosphere of insecurity and to destabilize societies. Since the Russian occupation of Crimea, attempts to influence public opinion have increased drastically. They are on the radio, on TV, and on social media networks, online newspapers and video platforms. For large parts of the population, the internet has replaced conventional media. This explains why the internet is the favored propaganda platform.

The aim of such campaigns is to create mistrust among Western states and within NATO. Every day a vast amount of unverified news is propagated on the internet, in particular via social networks such as Facebook. Moreover, it can be difficult to immediately tell the difference between meaningless chatter, substantially correct information and fake news. The rapid speed at which information is disseminated and the fact that people are inclined to believe what they read or hear present enormous dangers. Targeting specific audiences can manipulate public opinion or mobilize crowds, as was the case with a phony rape report in Germany. Certain media claimed that immigrants in Germany raped a German-Russian girl named Lisa. Many accepted this deliberate misrepresentation of facts as the truth, and demonstrations followed. In the end, the federal government had to step in to denounce the report.

A first attempt to counter such targeted disinformation was made two years ago with the establishment of the East StratCom Task Force, part of the EU’s External Service Strategic Communications Division. The task force’s working group on strategic communication in Eastern Partnership countries includes the states between the EU’s eastern border and Russia’s western border. Its task is to counter Russian disinformation in countries such as Ukraine, Georgia and Moldova, and to help shape public opinion. The task force publishes the weekly Disinformation Review, providing an overview of disinformation in the Russian media. The task force focuses on disinformation meant to cause unrest in the EU and cast doubt on mainstream politics, particularly in states with a significant Russian influence. It identifies suspicious news for EU operations against disinformation, and reports fake news to legitimate media outlets.

Germany is setting up a network against hybrid threats that involves the Federal Chancellery, the Commissioner for Culture and the Media, as well as the Federal Press Office. The aim is to improve strategic communication, which plays a decisive role in countering hybrid threats. It is only through strategic communication that public awareness of hybrid threats, and society’s resilience against such manipulation, can be improved.

However, building resilience against hybrid threats cannot be left to state agencies and institutions alone. A whole-of-society approach that includes civil society and the private sector is needed. The resilience of a society against hybrid threats largely depends on non-state actors. How companies protect their data and how private individuals handle information is not for the state to decide. That decision rests with the individual or the company.