On the Promises and Consequences of the Intelligence Contest in Cyberspace

There has been growing pushback from experts and scholars to the concept of ‘cyber war’, with some suggesting that a more sober way of assessing cyber operations is to see them as part of a wider ‘intelligence contest’ – a term proposed by some scholars to describe strategic competition in cyberspace as a duel between actors to gather data, undermine adversary institutions and sabotage capabilities. It is worth noting this definition of ‘intelligence’ is contentious in some quarters, with others preferring the more limited description of intelligence as relating to the collection and analysis of information.

In terms of cyber war hyperbole, unhelpful headlines such as Newsweek’s ‘The Rising Risk of a Cyber Pearl Harbour’ in 2021 usually grab the everyday reader’s attention but limit our understanding of the far more important dimension of these cyber incidents: how states and non-state actors use cyberspace below the threshold of war to further their strategic objectives.

Even when scrolling down The New York Times’s tag on ‘cyberwarfare’, most of the reporting concentrates on espionage and activities such as information operations and subversion – which in practice, is a more accurate reflection of what goes on in cyberspace.

However, the jury is still out on alternative concepts to ‘cyber war’ that can appropriately capture the effects of cyber operations below the threshold of armed conflict and how they might transform intelligence activities. The book Deter, Disrupt or Deceive: Assessing Cyber Conflict as an Intelligence Contest offers some options – although it does not seek to be conclusive.

To what extent is it worth considering that states are actually involved in a continuous ‘intelligence contest’ in cyberspace?

It’s a Trap! Reassessing the Vocabulary

As the ongoing war in Ukraine has illustrated, the obsession with the concept of ‘cyber war’ is not just about the latest news headlines; rather, it has resulted in deep miscalculations about the role of cyber operations in conflict and crisis scenarios.

The first miscalculation from the hyperbole around ‘cyber war’ is the heightened expectations of what cyber operations can and should deliver. Having been known for numerous disruptive cyber incidents, Russia’s cyber operations at the outbreak of the war in Ukraine were commonly depicted as contrary to expectations. There was no widespread or particularly significant impact from Russian destructive cyber operations, no cyber takedown of Ukrainian critical national infrastructure.

This exemplifies how ‘cyber war’ can also fail to grasp how effects are shaped by a culture of strategic doctrine – as is particularly the case with Russia’s conceptualisation of cyber operations.

However, the focus on decisive and short-term effects of cyber operations, especially in conflict situations, has also led to a paradoxical dismissal of the cumulative effects that operations have as part of a wider contest between state and non-state actors. Russian cyber activity during the war has still revealed a largely unprecedented deployment of capabilities, with at least nine new wiper malware families, two ransomware attacks and the targeting of 100 organisations in Ukraine. According to companies such as ESET, Microsoft, Mandiant and other large threat intelligence companies, Russia has used a record amount of data-destroying malware on Ukraine, showcasing an accelerated pace of deployment of cyber capabilities in conflict scenarios. This in turn has also contributed to the reuse of many of these capabilities in at least other 25 countries, which showcases the cascading effects of sub-threshold capabilities. Despite these numbers – and within this particular context – cyber operations have not been the decisive or primary tool in the conflict. They have, however, contributed to the broader friction of war – be it in the operation of infrastructure, communication or leveraging the information space to push their narratives about the war.

On Intelligence Contests

American University Professor Joshua Rovner suggests that activities in cyberspace are more about intelligence than the use of force. He argues that strategic behaviour in cyberspace will rarely surpass the threshold of armed conflict, but states will continuously engage in an ‘intelligence contest’ through sabotage and covert action. Rovner defines the intelligence contest as:

• A race among adversaries to collect more and better information.
• A race to exploit information to improve one’s relative position.
• A reciprocal effort to covertly undermine adversary morale, institutions and alliances.
• A contest to disable adversary capabilities through sabotage.
• A campaign to preposition assets for intelligence collection in the event of a conflict.

What the concept seeks to illustrate is that the dynamics of contestation among states in cyberspace extend far beyond the tactics of cyber operations and the battlefield itself, and play into strategic competition among state and non-state actors. As noted by the UK’s National Cyber Force (NCF), while cyber operations are not expected to be strategically decisive, they are effective when ‘combined and co-ordinated with the activities of partners to achieve a shared goal’.

This applies as much to cyber security as it does to offensive cyber. One example of the former is that in May 2023, Ukraine, Ireland, Iceland and Japan announced that they would officially join NATO’s Cooperative Cyber Defence Center of Excellence. While the deal opens the door for greater exchange between NATO and non-NATO countries, the occasion sends a relevant message of expanding technical and strategic alignment between countries in the face of growing geopolitical contestation in the Indo-Pacific and amid the ongoing war in Ukraine.

Offensive cyber capabilities should be seen as part of a much wider policy toolkit to respond to hostile activities in cyberspace. Likewise, offensive cyber capabilities can be used to respond to other threats such as terrorism, disinformation or child sexual exploitation. In short, a cyber incident does not necessarily merit a cyber response.

As of 2021, approximately 45 countries have launched military cyber organisations (that is, cyber commands) and nearly 35 of those possess an offensive mandate. While capacities and capabilities vary, both Western and non-Western countries recognise the importance of having an institution to engage in this contested environment – but it does not mean that all do so.

Strategies vary as to how countries engage in this contest. The US Cyber Command, which defends the Department of Defense’s information systems, supports joint force commanders with cyberspace operations, and defends the US from significant cyberattacks, has developed complementary concepts of ‘defend forward’ and ‘persistent engagement’. Meanwhile, the UK’s NCF has published a document outlining operating principles for its own approach to offensive cyber which is in line with a broader vision outlined in the 2023 Integrated Review Refresh to deter, defend and compete across all domains. Central to the NCF’s approach is the doctrine of ‘cognitive effect’.

So, should we then consider ‘intelligence contest’ as the most accurate means of defining the nature of cyber operations?

Critics of the concept have argued that the scale and scope of operations in cyberspace fundamentally change the nature of intelligence (especially covert action), resulting in a ‘difference in kind and not merely degree’. As some have argued, the 2016 Russian interference during the US elections shows that smaller activities can result in aggregated strategic effects – eroding trust and confidence in society. So, what are the consequences of framing cyber operations as an intelligence contest?

Responsible Cyber Operations – Long Road Ahead

One risk when intelligence becomes the main qualifier to describe the nature of cyber operations is that it could alter public perceptions on what activities their government is conducting in cyberspace. Public understanding may also differ depending upon the oversight mechanisms in place within a particular national context. The outcome of framing cyber operations around intelligence activities could be for better or worse, depending upon the national context.

For example, the UK has a detailed regulatory framework when it comes to intelligence activity. In addition, the NCF’s recent guide outlines the importance of robust oversight and accountability as a core element for responsible operational planning – a key part of our latest project at RUSI.

In some cases, less capable states contract cyber mercenaries for easier access to opportunities in developing and deploying capabilities. While commercial hacking tools have legitimate applications in support of national security and law enforcement objectives, they are also subject to misuse and abuse. As of 2023, 74 countries have reportedly used spyware and between 2015 and 2017, and EU member states have allowed surveillance technology to be exported more than 317 times. It is not always the case that states will contract well-known spyware vendors either – there is a complex market of companies promoting open-source intelligence tools that can be coupled with other sophisticated add-ons and services. In this regard, the intelligence contest concept does not help with addressing these kinds of dynamics. Instead of clarifying what kinds of intelligence activities are permissible, it overemphasises state-to-state spying rather than domestic activities – usually more appealing to less developed economies that can buy off-the-shelf products to meet their internal needs. What is then the applicability of the intelligence contest? To whom does this concept apply?

It is important to understand the motivations of countries beyond the usual cyber powers in developing and deploying cyber capabilities. As illustrated by Saudi Arabia, Mexico, India and many other Western and non-Western countries, it might be more profitable for countries to develop their own cyber capabilities to conduct surveillance of citizens within their own national territory and abroad than to primarily do it among states. As states across the development spectrum enhance their capabilities, cyber might play a significantly different role depending on the respective country’s primary threat concern – which in turn will also affect how they engage in strategic competition.

Countries might also be influenced by the NCF’s guide on cyber operations, as it provides some initial thoughts for establishing processes and guidance relating to cyber operations. However, there is a risk that some countries will see cyber operations as intelligence activity only, to be conducted against a foreign or external threat. A different and more worrying scenario takes place when countries seek to aggressively use capabilities against internal threats, with little oversight, as has been the case with commercial hacking tools.

A Contest for a Few?

A crucial and yet overlooked question within this debate is: ‘who can engage in this intelligence contest?’ While many countries have developed cyber commands and have sought to enhance their capabilities, the intelligence contest still arguably remains a game to be played by a small group of countries.

It might be too much to assume that countries beyond the pool of cyber powers can effectively achieve significant cumulative effects through cyberspace in conjunction with other diplomatic and/or commercial strategies, despite their eagerness to outsource capabilities.

In addition, the 45 countries that have established military cyber organisations (and others) will continue to search for other levers to develop their own capacities, away from cyber. It is also questionable how applicable and operationalisable the intelligence contest in cyberspace is for developing countries.

Overall, how the term ‘intelligence contest’ increases the understanding of cyber operations remains unclear. There are geographical, capability and conceptual challenges as well as consequences of the framing that require further assessment. Regardless, it is better than using the term ‘cyber war’ to define state activity in cyberspace – although whether that is enough is yet to be seen.

The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.

Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.