Pakistan And National Cyber Command: A Strategic Competitive Enabler (Part I) – OpEd

This is a series of three articles in which we aim to communicate our opinion on why it is a dire need for Pakistan to establish a national cyber command and what strategic challenges such a command will need to tackle to be effective. This first article aims to explain how cyberspace has become a new strategic competitive space. The second article will explain the several challenges posed by cyber offensive operations executed by nation-state adversaries or rogue regimes against Pakistan. The final piece will provide a comprehensive road map of how such a command may be established by identifying some of the national-level components that should be treated as prerequisites to establishing Pakistan’s national cyber command. These components that we speak of are currently, unfortunately, non-existent in Pakistan.

Cyberspace: The Environment of Continuous Strategic Competition

Before we speak of the structure of cyberspace and the nature of competition in cyberspace, we want to answer a fundamental question: What is a core characteristic of the cyber domain that makes it unique compared to the physical domain? We want our audience to be grounded on the fact that the cyber domain is global and interconnected – constant contact, dynamic in nature but distinct from other structures such as hierarchy and anarchy. Cyber is often misidentified and wrongly classified as a military domain. It is, in fact, an interconnected domain where the military has to operate alongside a multitude of stakeholders.

This calls for the understanding that a military environment is quite different in characteristics from an interconnected environment. In 2021, Pakistan published a National Cyber Security Policy that barely touches the topic of ‘interconnectedness.’ Whereas its comprehension, and the realization of its implications should be the basis for all policy and strategy initiatives in the cyber domain. Most of the literature that we have reviewed related to cyber is anchored in segmentation rather than being based on interconnectedness. We tend always to compartmentalize conflicts, hostilities, and control outcomes to ensure order and avoid chaos.

Segmentation is the traditional way of strategizing when operating in terrestrial space (Air, Land, and Sea) and is derived from respect for the principles of non-intervention and territorial integrity. Segmentation is not the defining structure of cyberspace as its derivative cyberspace operations encourage opportunism for states to maneuver across into an adversary’s terrain at will, changing outcomes drastically. Most policymakers, academics, and national strategists have not yet been able to think through the actual implications of operating in such an interconnected space on a global scale.

The next question we want to answer is: What is the implication of interconnectedness when its effects are translated into the structure of this space? To be ‘interconnected’ establishes the exact conditions of ‘constant contact’ and ‘persistence of the offense’ as coined by Richard Harknett et al. This condition of constant contact would not only be limited to contact with the adversary or a rogue regime, but because this domain is global and interconnected, one would also be in contact with allies, militaries, the private sector, and individuals simultaneously. This contact is not probable, periodical, or optional but rather, it is a constant reality that must be reckoned with. It is constant because no capability, offensive or defensive, remains indefinitely, no gain or advantage is permanent, and no well-defended cyber environment is permanently attainable.

This holds true because cyberspace is a continuously evolving terrain. It is a dynamic terrain with its digital map constantly, and concurrently, being created and updated. Every new asset deployed, whether software, hardware, or information technology-based systems, and each upgrade/update of existing information technology systems generates additional offense avenues and defense conditioning needs. The defense needs to be dynamic to stay relevant with the latest version of threats, which will evolve as soon as the terrain is updated. Hence, war itself, in cyberspace, is constant, whereas the definition of the battlespace evolves at an incalculable rate. The interconnected nature of cyberspace ultimately drives this phenomenon. Pakistan must assume that its sources of national power – economic, political, military – are vulnerable from a national security perspective and will be undermined in and through cyberspace.

Through the ‘Balance of Power’ theory, Hans Morgenthau implies that if states do not balance power, they cannot survive. Because Pakistan’s elements of national power are at risk, the ‘constant contact’ structure of cyberspace becomes a strategic environment. Strategic environments are structures that shape fundamental dynamics and guide the development of security strategies. The only option of survival for a state in such an environment is to match the evolving structure with a proactive security strategy. One that can continuously maintain a condition of compatibility between cyber defensive needs and cyber offensive opportunities in tandem.

The strategic security idea that Pakistan needs to adopt is one of ‘initiative persistence,’ which implies that if Pakistan does not pursue the initiative of contact in this space, it will be punished by adversaries with hostile actions that will undermine faith and confidence in Pakistan’s institutions and weaken its political, economic, military, and security interests without ever violating its physical borders. Whereas, if Pakistan manages to gain the initiative, it stands a chance of being rewarded by reaping gains that would lead to a cumulative positive impact on a strategic level. Initiating this strategic competition grants us a competitive edge.

We want to answer the final question: What is the nature of strategic competition in this environment? This is most critical for Pakistan to acknowledge. The very nature of cyberspace is that it is strategic below the threshold of armed conflict because offensive activities persist due to the fact that opportunity costs are low, barriers to entry are negligible, and vulnerabilities continually emerge as new digital terrain and technologies develop. Adversaries can exploit this at scale without concern over destabilizing the environment. States tend to think along the narrow continuum of cooperation, competition, and conflict in the physical domain. They conclude that conflict is where significant strategic actions occur, where a potential change in relative power lies, and that where power is at risk, we enter into conflict. This makes conflict strategic in nature.

We want to argue that for cyberspace, the competition space is also strategic, and there are cumulative gains to be made so that it allows Pakistan to shift relative power by a significant margin, and helps in the development and projection of national power. Cyberspace, therefore, opens up this new seam in power competition where a state can make strategic gains by waging cyber campaigns to realize economic, military, and diplomatic advantages. Heretofore, this was only possible through traditional means of conflict. There is now a potential to change relative power by taking competitive actions that are short of armed conflict in and through cyberspace. Let us explain how states employ cyber offensive operations to redistribute power in the international system.

In the context of the specific effects they are designed to inflict, cyber offensive operations can be generalized into two categories: Operations with effects that may be considered above the threshold of use of force and operations with effects that may be considered below the threshold. This subtle distinction of operations conducted in cyberspace has now become one of the most important research areas for academics, cyber strategists, and national cyber policy officials throughout the modern world.

The scramble by scholars who emphatically and urgently emphasize the need to understand this phenomenon is fueled by the fact that the latter category of operations, those considered below the threshold of use of force, has rendered traditional strategies, doctrines, and national policy notions; obsolete. A prime example is the concept of deterrence and its inapplicability to cyberspace. Our current thinking is permeated with a deterrence-centric perspective; the notion that security exists primarily not in our hands but in the heads of our enemies. It may be argued that deterrence can dissuade adversaries or rogue regimes from executing cyber operations with effects above the threshold, which may invoke the use of military force by the victim state in response. However, it is factual that deterrence is ineffective for cyber operations with effects below the threshold.

The structural features of cyberspace lead to the conclusion that cyberspace is not a deterrent space, and we need to orient ourselves away from this framework. It may become a challenge for a country like Pakistan with nuclear deterrence so deeply embedded in its roots; with successful outcomes in the past. When discussing nuclear deterrence, we must understand that it is not the scale of nuclear destruction but that scale being undeniable makes it an effective deterrent. Nevertheless, it should be noted that traditional/nuclear deterrence was the solution to a unique strategic environment and may not be the answer to every security challenge.

As far as the security challenge of the cyber environment is concerned, the term ‘below the threshold of use of force’ can be misleading. The implications of these operations are of critical importance to developing any national cyber strategy for Pakistan. The application of these operations go beyond an intelligence contest and can now be defined rather as strategic competition. This stems from the stark reality that these operations have the ability to degrade the elements of national power of a victim state through intelligence, surveillance, reconnaissance, and offensive cyber activities without ever breaching the threshold of armed conflict. It then becomes extremely complicated for the defending state to justify retaliation or present a case for retribution in the international community.

Consider a similar concept in the conventional warfare domain as an example; the Indian ‘Cold Start Doctrine.’ This doctrine was designed solely to punish Pakistan in a limited manner without triggering nuclear retaliation, thus operating below the threshold of armed nuclear conflict and making strategic gains concurrently. It should also be noted that in the case of cyber, to take retaliatory action, a state must first detect these cyber operations and attribute them to an adversary or a rogue regime, which is a challenge in itself.

It is also essential to understand that conducting cyber operations below the threshold, and not above, is a strategic decision made by the adversaries of Pakistan. States now avoid breaching the threshold not due to deterrence, but instead, they have realized that they do not need to breach the threshold in peacetime to advance their strategic objectives against Pakistan. They understand that they can cause a redistribution of power in the international system, in and through cyberspace, without risking any escalations that may arise from breaching the threshold.

In essence, what we conclude is that Pakistan may never witness a cyber pearl harbor in peacetime because states now have the ability to degrade its elements of national power without inflicting one. The alternative strategic path these adversarial states have actively chosen to pursue is one that is of continuous competition, at an unprecedented scale, below the threshold of armed conflict, in cyberspace. This has given birth to the new Cyber – Continuous Strategic Competition – Space and Pakistan must compete in it to survive the effects of this competition. It has become a critical requirement for Pakistan to establish a National Cyber Command to facilitate this competition as an independent strategic factor. Existing traditional response structures and policy frameworks are, and will remain, incompatible with the unique, dynamic, and constant strategic competition in cyberspace.