Flashpoints

COVID-19 and Future of Cyber Conflict

Recent Features

Flashpoints | Security

COVID-19 and Future of Cyber Conflict

Smaller states must prepare for a more contested cyberspace environment in the wake of the COVID-19 pandemic.

COVID-19 and Future of Cyber Conflict
Credit: Pixabay

In June 2020, Australian Prime Minister Scott Morrison announced that government agencies and businesses were facing a cyberattack campaign from a “sophisticated state-based actor.” Evidently, COVID-19 could not convince geopolitical rivals to put aside their differences and act in solidarity against an elusive common foe. Those caught in the middle of geopolitical tensions, especially smaller states, must prepare for a more contested cyberspace.

Pandemic Entrenches Geopolitical Tensions

COVID-19 has highlighted the interconnectedness of states and societies around the world. Ideally, the pandemic should have roused states from their deep geopolitical bitterness and nationalistic insularity. In reality, the pandemic has fanned the flames of distrust and suspicions that underlie geopolitical rivalries.

Some rival states persist in conducting influence operations and hostile acts against each other, despite the struggle to contain the impact of the pandemic. Such states perceive each other as more significant threats than COVID-19. For example, the United States believes that China is exploiting opportunities from COVID-19 to undermine U.S. economic interests and intimidate regional states that claim the waters of the South China Sea. Conversely, China believes the United States is using COVID-19 as an instrument in its global campaign to rally other states against China’s rise. 

In flexing their muscles, rival states apply grey zone methods – such as economic coercion, low-intensity violence, and cyber operations – against each other. As these methods are below the threshold of conventional armed conflict, they are difficult to defend against even without the distractions of COVID-19. The fog of war that accompanies these methods creates more options for conflict than peace. The continual use of these methods could entrench rival states in a condition of perpetual hostility. 

Cyber Operations in the Grey Zone

Cyber operations are significant both as a method and force multiplier to intimidate or influence the targeted state into acquiescence. These operations comprise cyberattacks that hack the digital infrastructure and networks and cognitive attacks that weaponize information to hack the hearts and minds of people in the targeted state. Recent incidents show that cyber operations could supplement broader campaigns to impose indirect pressure on government leaders and agencies of the targeted state.

When Australia announced that it was facing a cyberattack campaign, it also unveiled that the attacks occurred over several months and are increasing. Cybersecurity experts believe that China is responsible for the attacks. Tensions between the two states rose after Australia echoed the U.S. call for an investigation into the origins of COVID-19. At the strategic level, cyberattacks multiply the pressures that China has imposed on Australia through tariffs and travel advisories claiming Asians face racial discrimination in Australia.

At the disputed Himalayan border, fighting between Chinese and Indian soldiers broke out after China increased its military presence in the area. China was reacting to India’s building of more infrastructure in the disputed region. China’s military escalation happened as India was struggling with its worsening COVID-19 situation. Following the incident, Chinese online media, such as the the Global Times, portrayed India as the hostile actor — such an effort can be viewed as an attempt to erode Indian morale. Chinese hackers have also reportedly increased cyberattacks against Indian government agencies and businesses to extract sensitive information.

In Iran, several unexplained explosions took place at sensitive locations, including the Natanz nuclear facility. In 2010, this facility sustained severe damage after Stuxnet attacked its industrial control systems. The computer worm is believed to be the creation of Israeli and the U.S. intelligence agencies. It therefore would be unsurprising if another cyberattack (a Stuxnet 2) caused the recent explosions. Undoubtedly, these explosions could add to the anxieties in Iran arising from U.S. sanctions and the worsening COVID-19 situation.

Preparing for More Contested Cyberspace

Looking ahead, cyber operations could rise in frequency and intensity. As COVID-19 and its socioeconomic impact are expected to linger for years, states may have to cut security spending. They may redirect more national resources to address emerging social problems, and revive and digitalize their economies. Hostile actors – rival states – could blindside a targeted state by exploiting the impact of COVID-19 to further their foreign policy objectives. Rival states may increase the exploitation of cyberspace given the expanded attack surface resulting from greater digitalization of economies and societies.

In particular, smaller states that are caught in the middle of geopolitical tensions could find themselves facing more threats via cyberspace. They may want to stay neutral and protect their autonomy. However, options for military and non-military deterrence are limited due to the relatively small size of their armed forces, economy, and resources. As support for multilateralism declines, smaller states could find the international community less dependable for protection. Bigger and rival states may increasingly apply grey zone methods to circumvent international norms and institutions.

Smaller states should strengthen their cyber defense postures. Besides increasing cyber resilience, they must continue engaging in multilateral diplomatic efforts to amplify their collective voice against bullying by bigger and rival states. Smaller states must also realize that multilateralism has its limitations in curbing malicious behavior in cyberspace. Smaller states should consider two other defense approaches based on national priorities, resources, and geostrategic constraints. These approaches address cognitive attacks and inter-state power asymmetry specifically.

In countering cognitive attacks, smaller states must make the best use of their limited resources by sharpening their strategies against weaponized information. It is insufficient to fight “fake news” with only more information and teaching people media literacy skills. First, smaller states must understand how “fake news” competes for audience attention online. Memes, for example, may work better than other content to captivate or distract the target audience. Second, smaller states must examine how “fake news” is targeting the beliefs, emotions, and values that are dearest to their societies. Emotions, for example, impair rational arguments and influence decision-making. These steps are essential to developing and circulating effective counternarratives.

Non-kinetic grey zone methods should be considered by smaller states to reduce the power asymmetry with bigger and rival states. First, smaller states could increase influence operations overseas, both offline and online as another countervailing measure against cognitive attacks. This step is not about spreading “fake news” but promoting narratives – those which are favorable for smaller states – to people and officials overseas. Second, smaller states could build up offensive cyber capabilities to target the computers of hostile non-state actors that bigger and rival states sponsor. Hostile actors that conduct egregious cyberattacks on smaller states should suffer some costs for their aggression, but not to the point of escalation. This step would be similar to Singapore’s earlier “poison shrimp” deterrence doctrine.

In conclusion, cyber operations could be on the rise in the post-COVID-19 reality. Smaller states, in particular, must do more to defend themselves amid entrenched geopolitical tensions. To that end, non-kinetic grey zone methods should also be considered despite appearing antithetical to democratic ideals. Cyberspace by nature is anarchic and should be viewed through a realist lens. Defense against threats from cyberspace requires both multilateralism (diplomacy) and deterrence.

Perhaps the suggested approaches could help smaller states defend their autonomy better. Contrary to the Melian Dialogue, the “strong” (bigger and rival states) cannot always do what they want, and the “weak” (smaller states) do not always have to suffer what they must.

Muhammad Faizal Abdul Rahman is a Research Fellow with the Centre of Excellence for National Security (CENS), a unit of the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore.