The impossible task of counting up the world's cyber armies

​Military cyber-warfare capabilities have been developed in the shadows. To prevent a dangerous arms race, it's time to shine a light on them.
Written by Steve Ranger, Global News Director
Digital is spreading into all elements of warfare.
Image: iStock
Calculating the scale of the world's cyber-warfare forces is a tricky business. Even for Western governments which are relatively open about the scale of their armed forces, cyber warfare is one area where most clam up.

That's partly because they are reluctant to tip off potential adversaries about their capabilities, but the bigger issue is that it's intelligence agencies like the NSA and GCHQ that have been pioneering the use of the internet for surveillance and have the highest-level skills. As spies like to operate in the shadows, that means that a veil of secrecy is thrown over most details of military cyber operations, even though the scale of the investment and operations continues to grow.

A new document, the US Department of Defence Cyber Strategy, does throw some light on US military thinking and capabilities, and it may be the start of greater openness about cyber-warfare capabilities across the world.

The new policy sets out when the US will use its cyber-warfare capabilities to prevent an attack on the country, stating: "The US military may conduct cyber operations to counter an imminent or on-going attack against the US homeland or US interests in cyberspace. The purpose of such a defensive measure is to blunt an attack and prevent the destruction of property or the loss of life."

But it also leaves the door open for the use of offensive capabilities too, noting that it may be appropriate for the US military "to conduct cyber operations to disrupt an adversary's military related networks or infrastructure so that the US military can protect US interests in an area of operations. For example, the United States military might use cyber operations to terminate an ongoing conflict on US terms, or to disrupt an adversary's military systems to prevent the use of force against US interests".

To deliver on the strategy, the US is building a 'cyber mission force' which will include nearly 6,200 military, civilian, and contractor support personnel from across the military departments and defense components.

It will be made up of 133 teams: 68 teams of 'cyber protection forces' will defend key military networks and systems, while 13 'national mission teams' aim to defend broader US interests against cyberattacks of significant consequence. A further 27 'combat mission teams' and their associated support staff will support commanders by generating "integrated cyberspace effects" in support of their military operations. Another 25 support teams will help with analysis and planning for national mission and combat mission teams.

No other country has been so forthcoming about its cyber capabilities - the UK for example has said little more than it tends to invest £500m to create a "cyber strike capability" without providing much more detail.

But, significantly, the strategy, as well as detailing some of the cyberwarfare capabilities of the US, for the first time explicitly identifies four states as "potential adversaries".

"Russia and China have developed advanced cyber capabilities and strategies. Russian actors are stealthy in their cyber tradecraft and their intentions are sometimes difficult to discern. China steals intellectual property from global businesses to benefit Chinese companies and undercut US competitiveness. While Iran and North Korea have less developed cyber capabilities, they have displayed an overt level of hostile intent towards the United States and US interests in cyberspace."

Measuring online armies

The US government has already said Russia's Ministry of Defense is creating its own cyber command, which will be responsible for conducting offensive cyber activities, including propaganda operations and inserting malware into enemy command and control systems. Meanwhile Russia's armed forces are also establishing a specialized branch for computer network operations: the US director of National Intelligence James Clapper recently said the cyber threat from Russia is "more severe" that previously assessed, and Russian hackers recently breached networks at the White House.

But coming up with estimates of the scale of the cyber armies maintained by these countries is much harder.

One problem is a difference in approach. For example, what might be considered in the West to be separate concepts - like cyberwarfare and information warfare (disinformation and propaganda) - are more blended elsewhere. This makes it hard to nail down numbers focusing just on cyber capabilities.

It's also not clear what type of IT expertise - defensive or offensive cyber operations, or just standard IT security - are being included in such numbers. As such, it is hard to be sure what is being measured by these figures.

For example, North Korea's cyber army has been estimated at between 3,000 and 6,000 strong, whereas one estimate puts China's own forces at 100,000 - which certainly makes the 6,200 at US Cyber Command look rather modest.

"In the West it's very hard to find out because it's all so sensitive, and elsewhere in the world - and it's a legitimate question - 'where are the boundaries?', 'where does cyber start and influence end?', and vica versa," said Ewan Lawson, senior research fellow in military influence at the Royal United Services Institute.

Another problem is that, particularly in the cyber world, there is a lot of blurring between what is done by the state and what is done by those not directly connected to the government but with tacit state backing, he said.

"A lot of that activity is being done through third-party hacktivists. Drawing a causal linkage from the state to those groups in a guaranteed attribution fashion is often very difficult to do but actually if you look at the sorts of tools they are using, the chances are those have been provided by a state."

Lawson said that in terms of scale, the US and Chinese have the largest teams, but when it comes to technical capability, the US and Russia are top. "I don't think it's the case that anyone has stolen a march as such amongst the big three, below that it's a much more complex picture." For example, he noted the Baltic states "for fairly obvious reasons" are probably among the world leaders in cyber defence.

Jen Weedon, manager of threat intelligence at security company FireEye, which tracks the cyber capabilities of states and groups apparently aligned with them, said that the attacks on its customers came from the same states. There are some differences in the agenda pursued by the hackers: for example, Chinese hackers are "both stealing information for economic gain as well as political information", whereas when it comes to Russian hackers "we don't see them stealing information to build up their domestic economy, we see it much more aligned with very traditional geo-political interests".

The company has identified groups associated with the Chinese and Russian governments. The Russian groups, she said, tend to display "more discipline and creativity with their operational security" which makes them harder to detect, adding, "a lot of that is defined by the long history of how Russian intelligence agencies have developed. As a discipline, Russian intelligence has always been very sophisticated and stealthy, and that just carries over to their cyber operations as well."

One other factor to consider when calculating the scale and relative power of these different forces is that the number of staff they have is secondary to the weapons they can wield. On the digital battlefield it is these weapons, and not simply the number of troops, that make the difference.

Most cyber attacks exploit holes in software, but once these holes are known they are rapidly patched by vendors. So a stockpile of 'zero day exploits' - holes in software that nobody else know about - are a key component in any country serious about developing and using cyberweapons.

These stockpiles are expensive to build and maintain, but one hacker with a major zero day exploit can be a far more dangerous than dozens of others with more well know and therefore more easily protected against attacks.

Future of cyberwarfare

But whatever the details of the forces around the world, these online armies are getting bigger as many nations race to build up both their defensive and offensive capabilities. They are also working out what is - and is not - appropriate.

"One of the things that will fall out of this as the months and years go on is some better concepts of what deterrence looks like in cyberspace. Traditional deterrence theory requires you to be able to demonstrate the capability to do something," said Lawson from the Royal United Services Institute.

Part of the problem with digital weapons is that concept of deterrence. It's very hard to deter a rival state if you can't prove you can actually do any damage with the weapons you have, so it's possible that the ongoing game of cat-and-mouse, such as chasing hackers out of secure systems, is an elaborate way for nations to prove their capabilities.

By showing they have the skills and the technologies to break into sensitive systems, state forces are demonstrating their abilities in the same way that they would have by parading tanks past the Kremlin in years gone past.

Moves by the US and others to identify who they think are attempting to breach their networks, including the publication of documents like the Department of Defense Cyber Strategy, plus the work of security companies to identify the groups involved, is gradually lifting the veil of secrecy from the world of cyberwarfare and espionage.

This is a good thing: most nations are already involved in a behind-the-scenes cyber arms-race and making it more public may encourage more communication and understanding that could stop incidents spiralling out of control.

In the West more openness about cyber capabilities will allow for a broader public debate about the use of digital weapons. Currently deploying a computer worm or virus similar to Stuxnet would be deniable in a way that a missile strike is not - which is exactly why such digital weapons are attractive. In contrast, more openness would remove that virtual shield for governments.

As cyberwarfare becomes a more mainstream part of military thinking - and comes out of the shadows where it is now, as part of sabotage or covert operation - it could become easier to create a framework for how to respond to it, argues Tim Maurer, research fellow at the New America thinktank.

"I think the fact that there are more states coming forward and are open about it is actually a potentially positive sign," he said."Now that you have states that are blamed for it and take credit for [cyberattacks], it's a change to three or four years ago when states would already do this for offensive purposes but not claim responsibility. That has a huge escalatory potential as well as the risk of misattribution."

Futher reading on cyber security

Editorial standards